In SSP Admin page Search Setting link fails with access denied
in [Portal Server]
|
From: Jason Cross on 17 Dec 2007 13:35 Hello everyone, Just a quick mention that apparently someone else has also run into the same problem that I'm having: http://objectmix.com/sharepoint/298712-search-settings-index-query-roles-different-servers.html Originally I had one server farm installation of MOSS 2007. I then moved from that one server to two other servers and put the Web Front End on one and the Index/Query server on the other. Everything seemed to be ok except when trying to configure the Search Settings. If I go to the SSP Administration Page on the Web Front End server and click on Search Settings it hangs for a while and then gives me an access denied error. If I start a Web Front End on the Index/Query server and go directly to the Search Settings page then it comes up ok. It appears that the difference between accessing the Search Settings on a WFE on the same box as the Index/Server vs. a separate WFE is the separate WFE needs to use a SOAP interface. This is what shows up in the IIS log for the SOAP service on the Index/Query server for the SSP site when I click on Search Settings: 2007-12-17 16:15:40 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 2 2148074254 2007-12-17 16:15:40 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 1 0 2007-12-17 16:15:58 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 AD\SP_ssp1apppool 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 200 0 0 2007-12-17 16:15:58 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 2 2148074254 2007-12-17 16:15:58 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 1 0 2007-12-17 16:15:58 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 AD\SP_ssp1apppool 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 200 0 0 2007-12-17 16:15:58 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 2 2148074254 2007-12-17 16:15:58 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 1 0 2007-12-17 16:15:58 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 AD\SP_ssp1apppool 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 200 0 0 2007-12-17 16:15:58 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 2 2148074254 2007-12-17 16:15:58 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 1 0 2007-12-17 16:15:58 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 AD\SP_ssp1apppool 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 500 0 0 2007-12-17 16:22:13 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 2 2148074254 2007-12-17 16:22:13 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 1 0 2007-12-17 16:22:13 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 AD\SP_ssp1apppool 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 200 0 0 2007-12-17 16:22:13 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 2 2148074254 2007-12-17 16:22:13 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 1 0 2007-12-17 16:22:13 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 AD\SP_ssp1apppool 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 200 0 0 2007-12-17 16:22:13 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 2 2148074254 2007-12-17 16:22:13 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 1 0 2007-12-17 16:22:13 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 AD\SP_ssp1apppool 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 200 0 0 2007-12-17 16:22:13 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 2 2148074254 2007-12-17 16:22:13 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 - 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 401 1 0 2007-12-17 16:22:13 W3SVC951338967 10.185.10.143 POST /SP_SSP1/Search/SearchAdmin.asmx - 56738 AD\SP_ssp1apppool 10.185.10.142 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.832) 500 0 0 Note that the last line is a 500 (internal service error) while the rest are 200 (successful). In the trace log on the Index/Query server, these 4 lines seem to be related to the failure: 12/17/2007 12:20:29.42 w3wp.exe (0x1630) 0x176C Search Server Common MS Search Administration 7phq High GetProtocolConfigHelper failed in GetNotesInterface(). 12/17/2007 12:20:29.84 w3wp.exe (0x1630) 0x176C Search Server Common MS Search Administration 86z4 High Exception caught in Search Admin web-service (server). System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) at Microsoft.Office.Server.Search.Administration.SearchApi.RunOnServer[T](CodeToRun`1 remoteCode, CodeToRun`1 localCode, Boolean useCurrentSecurityContext, Int32 versionIn) at Microsoft.Office.Server.Search.Administration.SearchApi.GetContentSources(Int32 versionIn, Int32 catalog) at Microsoft.Office.Server.Search.Administration.SearchApplicationWebService.<>c__DisplayClassac.<GetContentSources>b__ab() at Microsoft.Office.Server.Search.Administration.SearchWebService.RunWithSoapExceptionHandling[T](CodeRequiresSoapExceptionHandling`1 webMethodCode, Boolean impersonateLocalAdmin) 12/17/2007 12:20:29.84 mssearch.exe (0x082C) 0x1530 Search Server Common GatherPI 0 Monitorable CContentSourceCollection::ValidateTrigger in m_pScheduler -> Activate or NewWorkItem, Error is 0x80070005 - File:d:\office\source\search\search\gather\server\contentsource.cxx Line:1356 12/17/2007 12:20:29.84 mssearch.exe (0x082C) 0x1530 Search Server Common Exceptions 0 Monitorable <Exception><HR>0x80070005</HR><eip>00000000601B26A4</eip><module>d:\office\source\search\search\gather\server\contentsource.cxx</module><line>1357</line></Exception> So it appears that either I have a permission problem with one of my service accounts somewhere or one of the methods run by the SOAP service is crashing. I've double checked the permissions for the SSP app pool account and they seem to be correct. I'm not sure what to try to fix the problem. Any suggestions would be greatly appreciated, Jason Cross
From: Ada Pan [MSFT] on 18 Dec 2007 00:29 Hello Jason, Based on my research, I recommend you try the following methods to narrow down the problem: Method 1: Update the username and password ============================= Before you perform the steps below, please ensure that domain account you are using for SSP has the following permissions the local administrator rights in the farm servers: Administrators, IIS_WPG, WSS_ADMIN_WPG, WSS_RESTRICTED_WPG, WSS_WPG. Also, the account also needs to have DB Creator and Security Admin rights on SQL Server. #1. How to change the passwords for service accounts in SharePoint Server 2007 and in Windows SharePoint Services 3.0 http://support.microsoft.com/?id=934838 #2. Reset the Farm Search Service Account in the Configure Office SharePoint Server Search Service Settings page: 1. Browse the Central Administration site. 2. Select the Operations tab. 3. Select the "Services on server" link in the Topology and Services section of the Operations page. 4. On the Services on Server page, select the "Office SharePoint Server Search" link. 5. On the Configure Office SharePoint Server Search Service Settings page, scroll down to the Farm Search Service Account section and reset the password for the Farm Search Service Account. 6. Click OK. #3. Type passwords in WSS timer service in Services control panel. Method 2: Install Office SharePoint Server 2007 SP1 ============================= Note: Windows SharePoint Services 3.0 Service Pack 1 must be installed before the 2007 Microsoft Office Servers Service Pack 1 is installed. Windows SharePoint Services 3.0 Service Pack 1 (SP1) http://www.microsoft.com/downloads/details.aspx?FamilyId=4191A531-A2E9-45E4- B71E-5B0B17108BD2&displaylang=en The 2007 Microsoft Office Servers Service Pack 1 (SP1) http://www.microsoft.com/downloads/details.aspx?FamilyId=AD59175C-AD6A-4027- 8C2F-DB25322F791B&displaylang=en Method 3: Re-provision the Central admin site ============================= 1. Run the Post Setup Configuration Wizard and un-provision the Central admin site. 2. Run the wizard again and provision the central admin site. Here the detailed steps: ------------------------------------ 1. Select SharePoint Products and Technologies Configuration Wizard. 2. Select Next. And yes to the IIS, SharePoint Admin Service, and the SharePoint Timer Service popup. 3. Select Next leaving the default "Do not disconnect from this server farm" selected 4. Select "Yes, I want to remove the web site from this machine" then click next. 5. Click next again to confirm. 6. There are a series of 8 steps that transpire, when they complete, your Central Admin site will be removed. Click finish. 7. Go back to SharePoint Products and Technologies Configuration Wizard 8. Select Next. And yes to the IIS, SharePoint Admin Service, and the SharePoint Timer Service popup. 9. Select the "Do not disconnect from this server farm" radio button, and click next. 10. You can specify a port, or leave the default port selected and click next. 11. Then Select Next on the Completing the SharePoint Products and Technologies Configuration Wizard. 12. Click Finish. And your Central Admin Site will be launched. If the problem still persists, please help us collect the following information for further research: 1. Has the problem ever worked? If so, what has changed? 2. What is the authentication method used in your Office SharePoint Server 2007, NTLM or Kerberos? 3. Please take a screen shot of the error message and attach it your reply or send it to v-adapan(a)Microsoft.com. Please reproduce the problem, note down the exact time (hh:mm:ss), and let us know the exact time in your reply. #1. Collect Trace log ========== a. Navigate to C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS folder. b. Send me the last ULS logfile (<servername><date><time>.log) #2. Collect Event Log ============== a. Click Start, and then click Run. b. In the Run dialog type "eventvwr.exe" (without the quotation marks), and then click OK. c. In the opening Event Viewer windows, double click event viewer, click Application, click the Action menu, and click save log file as. d. In the File name box, enter the event name to be saved, and click ok. e. Repeat step3 to step4 for "System". Please attach the log files to your reply or send them as mail attachments to me. Please try the suggestion and update me with the result at your earliest convenience. We look forward to your reply. Regards, Ada Pan Microsoft Online Partner Support Get Secure! - www.microsoft.com/security ==================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ==================================================== This posting is provided "AS IS" with no warranties, and confers no rights.
From: Jason Cross on 18 Dec 2007 20:03 Ada, First I modified the permissions of the SSP service account as you said. It wasn't a member of: Administrators WSS_ADMIN_WPG WSS_RESTRICTED_WPG I then did a iisreset /noforce And then I was able to access the search settings page from the WFE. While I was very very happy that it was working again, I was concerned about the all the extra access I just gave that account. Accroding to Plan for administratie and service accounts (Office SharePoint Server): http://technet2.microsoft.com/Office/en-us/library/f07768d4-ca37-447a-a056-1a67d93ef5401033.mspx?mfr=true For a Server Farm, the SSP service account requirements are: . Use a domain user account. . No manual configuration is necessary. The same permissions as the SSP application pool account are automatically granted. . This account should not be a member of the Administrators group on any computer in the server farm. So I assumed that for some reason the SSP server account wasn't added to the right local group or groups automtiacally. So through trial and error I determined that the SSP service account only need to be added to: WSS_ADMIN_WPG To make things work. Does this sound like the correct setup to you? Again, thanks for your help, Jason "Ada Pan [MSFT]" <v-adapan(a)online.microsoft.com> wrote in message news:vN3utbTQIHA.360(a)TK2MSFTNGHUB02.phx.gbl... > Hello Jason, > > Based on my research, I recommend you try the following methods to narrow > down the problem: > > Method 1: Update the username and password > ============================= > Before you perform the steps below, please ensure that domain account you > are using for SSP has the following permissions the local administrator > rights in the farm servers: Administrators, IIS_WPG, WSS_ADMIN_WPG, > WSS_RESTRICTED_WPG, WSS_WPG. Also, the account also needs to have DB > Creator and Security Admin rights on SQL Server. > > #1. How to change the passwords for service accounts in SharePoint Server > 2007 and in Windows SharePoint Services 3.0 > http://support.microsoft.com/?id=934838 > > #2. Reset the Farm Search Service Account in the Configure Office > SharePoint Server Search Service Settings page: > > 1. Browse the Central Administration site. > 2. Select the Operations tab. > 3. Select the "Services on server" link in the Topology and Services > section of the Operations page. > 4. On the Services on Server page, select the "Office SharePoint Server > Search" link. > 5. On the Configure Office SharePoint Server Search Service Settings page, > scroll down to the Farm Search Service Account section and reset the > password for the Farm Search Service Account. > 6. Click OK. > > #3. Type passwords in WSS timer service in Services control panel. > > Method 2: Install Office SharePoint Server 2007 SP1 > ============================= > > Note: Windows SharePoint Services 3.0 Service Pack 1 must be installed > before the 2007 Microsoft Office Servers Service Pack 1 is installed. > > Windows SharePoint Services 3.0 Service Pack 1 (SP1) > http://www.microsoft.com/downloads/details.aspx?FamilyId=4191A531-A2E9-45E4- > B71E-5B0B17108BD2&displaylang=en > > The 2007 Microsoft Office Servers Service Pack 1 (SP1) > http://www.microsoft.com/downloads/details.aspx?FamilyId=AD59175C-AD6A-4027- > 8C2F-DB25322F791B&displaylang=en > > Method 3: Re-provision the Central admin site > ============================= > > 1. Run the Post Setup Configuration Wizard and un-provision the Central > admin site. > > 2. Run the wizard again and provision the central admin site. > > Here the detailed steps: > ------------------------------------ > 1. Select SharePoint Products and Technologies Configuration Wizard. > > 2. Select Next. And yes to the IIS, SharePoint Admin Service, and the > SharePoint Timer Service popup. > > 3. Select Next leaving the default "Do not disconnect from this server > farm" selected > > 4. Select "Yes, I want to remove the web site from this machine" then > click > next. > > 5. Click next again to confirm. > > 6. There are a series of 8 steps that transpire, when they complete, your > Central Admin site will be removed. Click finish. > > 7. Go back to SharePoint Products and Technologies Configuration Wizard > > 8. Select Next. And yes to the IIS, SharePoint Admin Service, and the > SharePoint Timer Service popup. > > 9. Select the "Do not disconnect from this server farm" radio button, and > click next. > > 10. You can specify a port, or leave the default port selected and click > next. > > 11. Then Select Next on the Completing the SharePoint Products and > Technologies Configuration Wizard. > > 12. Click Finish. And your Central Admin Site will be launched. > > If the problem still persists, please help us collect the following > information for further research: > > 1. Has the problem ever worked? If so, what has changed? > 2. What is the authentication method used in your Office SharePoint Server > 2007, NTLM or Kerberos? > 3. Please take a screen shot of the error message and attach it your reply > or send it to v-adapan(a)Microsoft.com. > > Please reproduce the problem, note down the exact time (hh:mm:ss), and let > us know the exact time in your reply. > > #1. Collect Trace log > ========== > a. Navigate to C:\Program Files\Common Files\Microsoft Shared\web server > extensions\12\LOGS folder. > b. Send me the last ULS logfile (<servername><date><time>.log) > > #2. Collect Event Log > ============== > a. Click Start, and then click Run. > b. In the Run dialog type "eventvwr.exe" (without the quotation marks), > and > then click OK. > c. In the opening Event Viewer windows, double click event viewer, click > Application, click the Action menu, and click save log file as. > d. In the File name box, enter the event name to be saved, and click ok. > e. Repeat step3 to step4 for "System". > > Please attach the log files to your reply or send them as mail attachments > to me. > > Please try the suggestion and update me with the result at your earliest > convenience. We look forward to your reply. > > Regards, > > Ada Pan > > Microsoft Online Partner Support > Get Secure! - www.microsoft.com/security > ==================================================== > When responding to posts, please "Reply to Group" via your newsreader so > that others may learn and benefit from your issue. > ==================================================== > This posting is provided "AS IS" with no warranties, and confers no > rights. > >
From: Ada Pan [MSFT] on 19 Dec 2007 04:26 Hello Jason, Yes, as you noticed, the SSP service account doesn't need local Administrator permission on the computer. The reason I suggested to add the account to local Administrators group on the server is just to determine if this issue was caused by insufficient permissions. If problem still persists after you add the account to the local Admin group, we can just exclude the permission reason in this issue. Also, thank you for your reply and the detailed additional feedback on how you were successful in resolving this issue. Your solution will benefit many other users, and we really value having you as a Microsoft user. If you have any other questions or concerns, please do not hesitate to contact us. It is always our pleasure to be of assistance. Have a nice day! Regards, Ada Pan Microsoft Online Partner Support Get Secure! - www.microsoft.com/security ==================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ==================================================== This posting is provided "AS IS" with no warranties, and confers no rights.
|
Pages: 1 Prev: Error 7888 on proc_ar_BumpCacheInvalidationCounter during Acti Next: Sharepoint Upload error |