9/5/2008 11:41:22 PM #

Everything works until the last step, when I select "user profiles and properties" in order to do the Profile Import, which then tells me

Error: Access Denied
you are currently signed in as MOSSsspPool
Sign in as a different user?

Apparently a permissions issue, but I'm not sure how to change it.  Any ideas?

Scott Duncan

12/4/2008 4:56:49 PM #

Trackback from Office et SharePoint pour et par les administrateurs

Installation MOSS 2007 sur Windows 2008 et SQL Server 2008...

Office et SharePoint pour et par les administrateurs

2/4/2009 1:42:22 AM #

I got the same access denied with the setupadmin account.  I used the domain admin account (to administer) and was able to complete the process.

You didn't cover the Excel account to configure excel services, but I think its pretty straight forward.

Keith Gregory

7/9/2009 4:24:52 AM #

Thank you for your article. I got much advice in this site.
I installed MS Project Server 2007 with Windows 2008 Server and I tried to bulletin MS Office Project client file to MS Project Server, it can be saved but it can not be bulletined MS Project Server.
When I tried at Windows 2003 Server, it can be saved well, But at Windows 2008 Server, it can not be bulletined at all. How can I solve this problem? Please give me some advice or tip.

Ibum Kang

8/6/2009 12:23:07 AM #

Andreas,

Would there be any harm from using just one domain service account for all of the different pieces?

Thanks,

Brian

Brian Shepherd

8/6/2009 8:20:58 AM #

Hi Brian,

yes there can be a harm although I'm not a security expert. For me it's important to follow best practice instructions by Microsoft because:

-our customers require it in general,
-if we deploy at the customers environment and they use different accounts and I'm not it is possible that my solution might not work as expected
-usually a content access account for search needs read permissions... if it gets write permissions maybe it will delete my content because of bad implementation
-You get different behavior of your code when implementing things with RunWithElevatedPrivileges...  
-If your e.g. Intranet Application Pool account is an admin account web parts executed in that context can modify things in central administration.

I definitely would use all accounts in my development environment and in production. If you just want to check things out you don't need but if it becomes real-world I suggest using all accounts.

Hope it helps
Andreas

Andreas

10/5/2009 7:37:52 PM #

Hi Andreas,

Thanks for the great article.  I was able to get everything setup and the services started
using Central Admin site.  But I am getting an Access Denied error when I am trying
to create a new web application.  I've tried using setupAdmin, MOSSsspPool and
MOSSFarm account and none of them work.  

Any help you could provide would be greatly appreciated.  Thanks!

Dinesh

dinesh

10/9/2009 7:03:54 PM #

Hi Dinesh,

sorry for replying that late... Did you try to login directly on the server? Maybe you have Enhanced Security for Internet Explorer enabled. Disabling it or logging in from another PC may help...

Andreas

Andreas

10/12/2009 6:52:46 PM #

Hi Andreas,

This article is a great short guide to install MOSS 2007 on Windows 2008 with SQL 2008. Many thanks for your efforts!!

Regards
Gabriel

Gabriel Kang

10/13/2009 10:39:39 AM #

Hi Gabriel,

thank you very much Smile

Regards
Andreas

Andreas

10/19/2009 4:30:53 AM #

Hi Andreas,

Thanks for the reply.  I had to adjust my windows firewall and also I made a silly mistake
by not putting the FQDN (Domain\username) when creating the web apps.  Once I did that  
it worked like a charm.

However, I am wondering if you could help me with a different problem I am having I am trying to
configure Forms Authentication using AD as the membership provider on my app and although I
have everything configured and running, but, I keep getting access denied errors, when
trying to login. I finally figured out that the user accounts (mine or any AD users) needed
to be on the "Policy for Web Application" under Application Management within Central Admin.

My attempt to add NT AUTHORITY\Authenticated Users did not go through (it kept saying no
matching name for the forms authorization zone). I need to enable forms authentication
for all users within AD without having to enter every single one within
"Policy for Web Application" page on the Central Admin Site.

Anyway, thought I would ask, I am sure its a config issue somewhere but I am running outa
ideas.  Any suggestions would be greatly appreciated.

Again thanks for a great article. It helped me a lot when I was setting up the MOSS
environment.

Dinesh

dinesh

10/21/2009 4:40:46 PM #

Hi Dinesh,

thanks for sharing the information about the account.

Unfortunately I'm not familiar with Froms Based Authentication but I hope you can solve your problem.


Thanks
Andreas

Andreas

11/4/2009 7:12:33 AM #

I'm stuck on the SSP creation - when I click "Create a new Web application", I'm given an "Access Denied" error.  I've tried both setupAdmin and Administrator and neither work. setupAdmin has both dbcreator and securityadmin server roles.  Any ideas?  Thanks!

jason z

11/6/2009 8:45:29 AM #

Hi Jason,

can you find the error in the log file located in 12 hive? Usually there is a more detailed description which account caused the access denied error.

You can also look at the windows event viewer...

And how do you get the error? Is it an error caused by IIS? If yes you may try to open Central Administration from another laptop or computer...

Regards
Andreas

Andreas

1/17/2010 7:56:09 AM #

Andreas,
I followed your guide and am having issues activating the "Windows SharePoint Services Search" service, and 5+ hours on Google is not finding an answer.  When I use the "WSScontentAccess" account, it does not start.  However, when I use the administrator account, it works fine.  I know I am not supposed to do that, so want to try and fix it.

I have checked in AD, and made the content account a member of all groups the admin account is, I gave it all privileges within the SQL Server Management Console (same window as you have for the setupAdmin account in part 3).

I am running Server 2008 R2 x64, SQL Server 2008 SP1, and SharePoint 2007 SP2 x64.

Thanks for any help you are able to provide,
Jeff

Jeff

1/17/2010 9:22:44 PM #

Hi Jeff,

do you get an error message in the Windows event viewer or the SharePoint application log?

Does the "WSScontentAccess" has access to resources like file-shares or is a newly created account without access to files and folders?

Haven't seen this behavior before...
Andreas

Andreas

1/18/2010 1:25:12 AM #

It is doing it on 2 different VMs – a Win2008 w/ SharePoint SP1, and a Win2008 R2 w/ SharePoint SP2.  Both have SQL Server 2008 SP1

It is a newly formed account.  I started from scratch and followed your manual – I did not do anything you did not say to do.  Is there any configuration I am supposed to do to that account?  All I have done with it was create it with a password, set it to not expire and user can't change password.

I was unable to really find anything in the logs, just audit events.  These are the last 2 entries that have that account in them by name:

01/17/2010 16:56:20.57
w3wp.exe (0x0380)
0x0240
Windows SharePoint Services
Topology
88b6
Medium
LogonUser succeeded for RWP\WSScontentAccess.  

01/17/2010 16:56:20.5
w3wp.exe (0x0380)
0x0240
Windows SharePoint Services
Topology
88b8
High
RWP\WSScontentAccess is a valid Farm Account.


Jeff

Jeff

1/18/2010 8:42:25 PM #

This is really strange... I have written an email. If it's okay we can discuss it by mail and post a solution later if we find one.

Andreas

Andreas

1/22/2010 12:31:27 PM #

Hello

Great manual but I have one problem. When I try to create web application in SSP Name and in My Site Location, I have an information to logon on other account. I try to login to Domain admin, setupAdmin and to every account I have in domain. Every time I see (może lepiej get zamiast see) the same information, every server have disable firewall. What I do wrong ? Sorry form my english

Squel

1/24/2010 11:14:41 AM #

@Squel:

Do you use an English SharePoint Server? Can you please post the exact error message?

thx andreas

Andreas

1/25/2010 2:01:59 PM #

I use English version of MOSS. When I try too create new web application I have a message "Error:Access Denied, Sign in as a different user". I check a users in SQL and I have a MOSSsspPool and MOSSsspMySite this account have a server role public. When I try to login in setupAdmin or MOSSfarm have the same error.

Squel

1/31/2010 12:40:00 PM #

@Squel:

I'm sorry I don't know a solution... looks like some special problem.

Andreas

2/11/2010 11:58:31 AM #

@Andreas
I found where is a problem

When adding new websites to SSP provider is impossible, it should be checked, if Application Server service, installed on server 2k8, does not show errors.
If error 10016 appears, it should be checked and mark sequence looked similar to {61738644-F196-11D0-9953-00C04FD919C1} should be copied from it.  
Then we start “regedit”, and paste these mark sequence into search
In the search out result we press right mouse button and choose  “inspect permissions”.
Then we add full control authorizations for the administrator.
We start Component Services > Computers >  My Computer > DCOM Config >  IIS WAMREG Admin Service, and choose bookmark: security and then choose edit in section Launch and Activation  Permissions. We add users:
-main farm user
-user used during installation
- users needed in creation websites.

We set them authorizations to:
Allow: Local Launch
Allow: Local Activation
Local administrator should also have this authorizations set.
Then we press OK and go to cmd, where we enter command: iisreset.

Squel

2/11/2010 8:31:15 PM #

Hi Squel,

great you found a solution!!

Thank you very much for sharing the information

Andreas

Andreas

2/18/2010 8:08:28 PM #

Great article and time saver!

Just one question: At what point do I use the MOSSfarm account? The article seems to mention nothing about this account after its creation.

mmai

2/18/2010 8:18:17 PM #

The MOSSfarm account is used during the first run of the Configuration Wizard.

If you specify the configuration database settings you need to provide this account. Here is the detailed image for this step:

www.andreasglaser.net/.../moss7_2.jpg

Andreas

2/18/2010 8:29:09 PM #

ah, my oversight.

Thanks!!!

mmai

2/25/2010 8:29:50 AM #

[Someone sent this comment by mail since it couldn't be posted... Andreas]

Just in case my lost time can go to good use...

Everything was going along great, until right at the point of creating a new SSP. The New SSP link wasn't functioning and neither were some of the links further down the checklist. In fact even before that, selecting the different profiles for what type of Farm I needed wasn't really functioning. That is, I clicked the radios, but the service list did not update. That was ok since all the services were already listed anyway.

It turns out the problem was that my browser (ie8) wasn't doing the PostBacks. When I used a different browser (FireFox), it worked fine and I could continue undaunted. If you have the same issue, make sure JavaScript is enabled or try a different browser - it might not be an account-security issue.

Good luck everyone. And thanks Andreas for such a thorough walk-through!

Andreas