I have an issue with SharePoint search.
The situation
The server is installed with
SharePoint on a farm with 2 servers.
A new app pool is created and that app pool is using a domain account called moss_service.
moss_service is set to be in the administrator group in both server.
moss_service is also set to be the db_creator in the content database.
When I checked it initially, the search's default content access account is using another different account, I changed that to be using moss_service account.
I didn't do IIS reset because this is a production server, they dont want frequent iis reset.
Strangely, checking the services.msc under "office sharepoint server search" the account is still using an old one. (and apparently it's only running on 1 server, the other server is not running) I then change that to the following:
domain\moss_service with the password.
and then I rerun the crawl.
How do I diagnose the issue
Basically everytime I change something I restart the crawl and then check the event viewer. Multiple things come out but the following is the major ones:
The start address cannot be
crawled. The password for the content
access account cannot be decrypted
because it was stored with different
credentials. Re-type the password for
the account used to crawl this
content. (0x80042406)
Performance monitoring cannot be
initialized for the gatherer object,
because the counters are not loaded or
the shared memory object cannot be
opened. This only affects availability
of the perfmon counters. Restart the
computer.
Access is denied. Check that the
Default Content Access Account has
access to this content, or add a crawl
rule to crawl this content.
(0x80041205)
Crawl Logs Result
The crawl log is showing this:
The password for the content access account cannot be decrypted because it was stored with different credentials. Re-type the password for the account used to crawl this content.
I tried changing it again at service.mstsc and the rerun the full crawl again but then it doesn't work. I have tried entering it using the following way:
moss_service#domain.local
and
domain\moss_service
My Questions are:
How do I fix this?
Is this the right way to setup the
search?
Does the search account has to be
using a different domain account?
Seemed like one fix complicates the
other, how do I set this right?
Is it worth it to upgrade to sp2?
Google this you will get answer " Access is denied. Check that the Default Content Access Account has access to this content, or add a crawl rule to crawl this content. "
Alex, I think you need to completely reconfigure the search services. Keep in mind that the search crawler should be an account with least privileges (not your application service account!). Also, the indexer only runs on one server and whether the search crawler runs on one or more machines is another configuration issue. Also, some settings changes (like changing the crawled File Types) even require the search engine to be restarted.
The start address cannot be crawled. The password for the content
access account cannot be decrypted because it was stored with
different credentials. Re-type the password for the account used to
crawl this content.
For this error,
Open the Sharepoint administration
Click on "Application Management"
Click on "Manage service applications"
Click on "Search Service Application"
Click on the current value for "Default content access account" and re-enter the user's password, or update to another admin user.
Related
We have Single Sign-on working for a test application in Azure, using Azure Active Directory and the on-premise server running DirSync to synchronise the user details.
I have added a Custom Domain and verified it, by adding TXT records to the DNS entries at my registrar's website. In order to do this, I followed advice (from stackoverflow questions) that I needed to untick the option that said "I plan to configure this domain for single sign-on with my local Active Directory", in order to gain access to the additional information that allows me to prove ownership of the domain.
As a result, the domain has been verified and Azure recognises this, allowing me to see the domain as being 'verified', but the Single Sign-On value for this custom domain is set to 'Not Planned'.
The problem is now, I want to be able to re-tick that check box, and enable this domain to be used with the single sign-on, as I don't want to have to tell my users to use their log-in email addresses as 'username#something.onmicrosoft.com' as they'll never get it and will pester me to change it.
So, my question is: Is there a way to re-tick this box, and change the status of this field away from that of 'Not Planned', and (hopefully) to allow my users to sign in using their username#domain.com instead?
I have tried to remove the domain and re-add it, but Azure stops me from deleting it, as it's probably already well utilised in the rest of the processes. Also, I have no ability (or at least that's how it seems!) to go back into this custom domain within Azure and modify it.
UPDATE: I have tried to Deactivate the Directory Integration directory sync - this allows me to adjust the sync'd user's email addresses, but they're reverted back to .onmicrosoft.com once the sync is Activated again.
UPDATE 2: I have tried to install PowerShell to remotely administer the custom domain to becoming active, but I just cannot connect, despite several hours of trying.
If you added (and verified) a domain without ticking the checkbox, your domain is considered "standard", or "managed". You can convert this domain to a "federated" domain with the Convert-MsolDomainToFederated cmdlet from the Azure Active Directory PowerShell module:
Convert-MsolDomainToFederated -DomainName "contoso.com"
Tip for next time: After you add the domain with the single sign-on tick, you can run the following to get the DNS records to verify the domain:
Get-MsolDomainVerificationDns -DomainName "contoso.com"
I have a requirement to always prompting of log in information for users in SharePoint site rather than taking their logged in credentials.
Any idea??
Depending on the setup you have.
You could just remove the SharePoint site from the trusted sites or local intranet under IE's security tab using a group policy.
This will cause a prompt every time they go to the site.
you need to reverse the steps found here
Regards,
Vince
Is there a way to force sharepoint 2010 to popup the dialog to ask the user for a username and password and not use the computers logged in user, if that user doesn't have access.
We need an internal sharepoint website to not use the windows credentials, since these are computers used by many people. The windows user doesn't have access to the site, so currently it shows an access denied, click here to log in as another user. We would prefer if it just asked for credentials in a more graceful manner.
There is a way to configure Internet Explorer to do this. In Internet Explorer(IE),
Go to Tools
Click Internet Options
Click on the Security tab
Click on the button labeled Custom Level.
Scroll to the very bottom of the list
Select the option labeled Prompt for user name and password.
The default option Automatic logon only in Intranet zone' is what is causing IE to send the credentials to SharePoint. This of course would force everyone to log in on that computer.
Forms Based Authentication is the answer. You can modify the Login page and even where the users credentials (username/password) are stored (e.g. a SQL database rather then AD).
Use browser other than IE to access the SharePoint site from the community computers.
I am guessing you work in a corporate environment, which would mean your computers are probably managed by your IT department and part of your domain. Because they are part of your company's AD (Active Directory), your systadmins Should be able to modify the existing policy (i say existing, because in IE, the defaults for the settings relating to logging on are by default set so that you WOULD have gotten a logon prompt, i am guessing a group policy is already in effect). If it does not exist, have your admins create one.
The setting Jeremy mentions is one option. It could also be that the site is in included in your IE's "Local Intranet Zone". If it is, or, more probable, there is a wildcard *.yourdomainname.yourdomainextension).
Use the setting mentioned by jeremy to override the default logon behavior (automatic logon) associated with sites listed in the intranet zone.
A group policy can be applied to a group of computers or all the computers in the domain. If the policy should be applied to a small group of computers only, put those computers in a separate OU (Organisation Unit) in AD and apply the policy to that OU.
What about creating a new zone, secured with FBA, for those community computers? As long as the users of the community computers are given only URL for the new zone, you should be OK.
You can create 2 registry files to turn this behavior on and off for the Internet Explorer. Use Notepad to paste the values below, ensure that Windows Registry Editor Version 5.00is the first line, and that you're appending 2 blank lines at the end of the file (press 2x Enter).
To turn it on (i.e. always ask for credentials): AlwaysAsk.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00010000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00010000
To turn it off (automatically use credentials, only ask if necessary): AutomaticLogon.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00020000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\1] "1A00"=dword:00020000
This is useful for testing, espcecially if you're a developer in a corporate environment where you can't easily change the policy settings on your PC (but you need elevated rights, i.e. you have to run it as Administrator).
Note that the 1st key is for the local machine, the 2nd key is for the current user (currently logged in), which is needed to activate it immediately.
If you need more details about the values, check out this link:
Internet Explorer security zones registry entries for advanced users
I've got a SharePoint website running on my machine (which it shows me inside the Application Pool in the Inet Manager).
Now this website has a different user credentials specified under the Identity section (properties). Also when I view the w3wp.exe in the task manager it shows that the site is running as a different user.
The problem is that if I change the username and password of the existing user with mine, the site stops working.
How do I run it under my account credentials.
Please help. Thanks
If you want to change the account that runs the SharePoint application pool, you must make sure that the new account has the same permissions as the current one. That includes the correct database permissions. Otherwise the SharePoint Web Application stops working.
The behavior you are describing is normal. Whatever account you use to login to your SharePoint site, the application pool will still be using the account assigned to it.
Regards,
M
Every morning when i fire up my VM and IE (in my host OS) and go to my SP site it always logs me on automatically as DOMAIN\george which is a user I created for testing permissions.
So every morning after that I click "sign in as a different user" to sign in as my sys admin user instead and most days that is the only user I use. Any idea why george's credentials are being cached?
Part of "firing up my VM" is running a script that starts IIS as well as some services. I'm not entirely sure SharePoint is responsible for this, could very well be ASP.Net.
EDIT: I've already tried clearing my cookies.
Had a very similar problem! To solve it, go to 'User Accounts' under the Windows Control panel.
Navigate to 'Manage your network passwords'. Select the domain you wish to clear and select 'Remove'.
You should now have a clean login dialogue box and when you check the 'remember me' box, this will be stored as the login default for that domain.
I was able to remove the test login credentials using the User Account control panel applet in Windows 7
Open the Manage Credentials link.
Find the Sharepoint Login in the Windows Vault.
Expand the address for the site
Remove the test login for this site.
After doing this I am no longer prompted for the login and login as different user prompt.
Have you checked that there are no logins and passwords being stored by the browser? Assuming you are using IE, see this article on how to clear them.
If DOMAIN\george is same user ID you are logging in to the VM ? If that is the case try changing the Setting in IE that dictates what user name is send to the Server. Just go to Tools - > Settings - > Security and Click on Custom Level, scroll down to bottom and you will find User Authentication option Select the Prompt for User name and Password.
It could also be that you are using IE8, that caches my credentials as well it seems.
IE8 stores credentials for favourites it seems, don't ask me why. What you should do is log in as the needed user, then save a new favourite (or add it to the favourites bar by dragging it). Then use that link to go to your site.