WSS Search: Access is denied

I have WSS 3.0 installed and running on a Windows SBS 2003 server (domain controller). The SharePoint Search Service is enabled (running under Administrator account) and configured to index the content database.

When I do a search on the SharePoint Web application I get the following message: Your search cannot be completed because of a service rror."  And, the corresponding error in the Application event log is: "Query machine ‘SERVER1’ has been taken out of rotation due to this error: Access is denied. 0x80070005."

The application pool that the SharePoint Web application uses is configured to run as the Network Service identity (the least priviledge recommendation). It seems that the Network Service account is not granted a priviledge or access right while it tries to access the WSS Search Service running on the same machine.

If I change the identity of the application pool to the Administrator account, everything works great, the search runs correctly. However I don’t think this is the best solution for the issue, as from a security point of view, running a Web application with an administrative account is simply not a choice.

Note also that if I reinstall WSS using a stand-alone installation (with SQL 2005 Embedded Edition), search seems to work correctly. But I need to install it as a farm installation (with an existing SQL Server 2005 on the same server machine).

Any help in resolving this issue is much appreciated. Thank you in advance!

 
Update: I finally managed to resolve the issue this way: I created a new user, called SharePoint. Then I set the identity that SharePointAppPool runs as to the new user. I also added the new user to WSS_WPG and IIS_WPG groups to have the required rights to run as WSS processes hosted by IIS. Then I added the user as db_owner and wss_* in the WSS databases, and of course I had to create a Login for the user in the SQL Server to do that. Then I restarted the application pool and since then WSS Search works correctly. I don’t like this very much because I needed to create a new user for it in my domain, but at least I have the functionality without decreasing security (too much). Another requirement is to make sure WSS Search service (and WSS Timer service) are set to be run as the Administrator account (this is aceptable for security as the setting is only for internal services of WSS that are not directly accessed by end users). The SQL Server and wss_ databases must also accept Administrator as a user with enough permissions (dbo).

About Sorin Dolha

My passion is software development, but I also like physics.
This entry was posted in Computers and Internet. Bookmark the permalink.

3 Responses to WSS Search: Access is denied

  1. Unknown says:

    you have to create a domain account. The network service account has limited network access. Since your DB is on a separate server, the ADO.Net requests are made using the computer AD account (computer$ I believe) instead of NetworkService (as this account doesn’t exist outside of your local computer). SharePoint did not add the computer as an authorized member from its DBs that’s why you got an access denied.Using an AD account is a good thing. Simply remember to secure it so that it can only be used as a service account on the specific machines. Use AD policies for that.

  2. Sorin says:

    "Since your DB is on a separate server" – sorry but no, the DB server (SQL Server) is on the same machine with the Web server. Anyway the resolution was already added as an update in my orignal message, so the issue is resolved now – thanks anyway.

  3. Sorin says:

    I have seen that a Microsoft Update for WSS has reset the user of the SharePoint application pool (from IIS) back to Network Service, thus regenerating the issue after a long time of "no problem". I needed to manually set the user back to the original SharePoint user for the pool and restart it to get it work correctly again.

Add a reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s