SharePoint Server 2010 + Secure Store Service = Access Is Denied!

    Question

  • Hi all SharePoint gurus,

    Posting here as I am at the end of my rope with this! I would like to do PowerPivot for SharePoint development on my Win 7 x64 laptop, which requires a full SharePoint Enterprise installation. I also need Secure Store Service to work since the workbooks I will be using will be using external data sources. Even though this is not "officially" supported, I'd like to follow this person who's done this here: http://blog.datainspirations.com/2010/05/23/installing-powerpivot-for-sharepoint-on-windows-7/

    Long story short - it's installed and running and I am up against the dreaded "Cannot complete this action because the Secure Store Shared Service is not responding. Please contact your administrator" whenever I try to Generate a New Key for a new Secure Store Service Application. The ULS logs tell me that "Access is denied".

    I've tried the following: restarting services, restarting the box, reinstalling SharePoint 2010 Enterprise, etc. My account is both a domain account and an admin on the box and my account runs all the SharePoint application pools, is a sysadmin on the SQL Server 2008 R2 local instance AND is the dbo for all SharePoint databases. When creating a new SSS Service Application, I also add myself to the Administrators and Permissions area (Full Control and all that). Finally, I am in the Farm Admin group. This has been vexing me forever. :(

    Claims to Windows Token Service (under my account) and Secure Store Service are also running. Deleting and recreating the SSS Application has had no effect. I can tell that the Secure Store SQL database does get created each time but that's it. When I click the Generate a New Key from the ribbon, I get the errors below when I hit Submit.

    The errors in ULS are always the same. It goes in this order:

    1. Access Denied: ClaimsManager.GetClaimsFromContext failed
    2. GetApplications failed with the following exception: Microsoft.Office.SecureStoreService.Server.SecureStoreServiceException: Access is denied.
    3. The Secure Store Service application Secure Store Service is not accessible. The full exception text is: Access is denied.
    4. Unexpected exception from endpoint address : https://jccstudioxps:32844/9ae6944ac6f84b6ba350b83375d9e852/SecureStoreService.svc/https
    5. Logging unknown/unexpected client side exception: FaultException`1. This will cause this application server to be removed from the load balancer queue.
    6. Error occured while managing Secure Store Application 35bfa01f-81fd-4287-8a17-6e326d0cc915. Error message: Access is denied.

    Anyways, if anyone has come across this before, please let me know. Even if you haven't, can you answer the following:

    1. I can't tell if my calls are actually making it to the Secure Store database and then being denied with a "login failed for user <blank>". Are there any SQL Error logs or something that would show this? Nothing shows up at the database level in Event Viewer or ULS so that tells me either 1) it's not getting that far before Access Denied or 2) it is but I can find the right log.

    2. So it seems like this is web services related and that my account (or the account SharePoint is trying to use) can't run GetApplications from the SSS web service at the URL above. Has anyone just diagnosed Access Denied at the Service Application URL level before?

    Thanks everyone! It would be great to get past this once and for all.

    Sincerely,

    J'son

    Wednesday, May 16, 2012 9:19 PM

Answers

  • Hi,

    According to your narration, please grant the user permissions using the Secure Store Administrators feature in Central Administration.

    Steps are as follows:

    In Central Administration browse to Application Management

    Click Manage Service Applications

    Click to the right of the Secure Store Application link so the row appears highlighted. The objective is to activate the Administrators button in the menu ribbon. 

    Click on the Administrators button and add the user (or an appropriate security group including user) to the field. 

    Click Add, then check the "Manage target applications" checkbox. ("Manage target applications" represents the minimum access rights.)

    Thanks,

    Rock Wang


    Rock Wang TechNet Community Support

    Wednesday, May 23, 2012 6:34 AM
  • Hey J'son,

    This may be a shot in the dark but since everything is running on one box have you made sure to disable loopback check?

    To set the DisableLoopbackCheck registry key, follow these steps:
    1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
      281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
    2. Click Start, click Run, type regedit, and then click OK.
    3. In Registry Editor, locate and then click the following registry key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    4. Right-click Lsa, point to New, and then click DWORD Value.
    5. Type DisableLoopbackCheck, and then press ENTER.
    6. Right-click DisableLoopbackCheck, and then click Modify.
    7. In the Value data box, type 1, and then click OK.
    8. Quit Registry Editor, and then restart your computer.

    http://support.microsoft.com/kb/896861

    Also, have you confirmed that the secure store service is started from the CA perspective?

    Central Admin > Application Management > Services on Server and started the Secure Store Service

    -Brandon


    Wednesday, May 23, 2012 3:10 PM
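
Added example, not part of the replies above or of the Microsoft KB text: setting DisableLoopbackCheck to 1 turns off the NTLM loopback (reflection) check for every host name on the machine, so this PowerShell script first reports the values the registry steps touch and then offers the narrower option that KB 896861 also describes, listing only specific host names in BackConnectionHostNames. The function names are hypothetical, and the script assumes an elevated prompt on the SharePoint box.

```powershell
# Added example: audit the loopback-check registry values and, optionally,
# allow specific host names instead of disabling the check machine-wide.
# Function names are hypothetical; run from an elevated PowerShell prompt.
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1_0 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegValue([string]$Path, [string]$Name) {
    # Emits nothing when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Get-LoopbackCheckState {
    # Read-only report of the three values involved in the steps above.
    New-Object PSObject -Property @{
        DisableLoopbackCheck      = (Get-RegValue $Lsa 'DisableLoopbackCheck')
        DisableStrictNameChecking = (Get-RegValue $Lanman 'DisableStrictNameChecking')
        BackConnectionHostNames   = @(Get-RegValue $Msv1_0 'BackConnectionHostNames')
    }
}

function Add-BackConnectionHostName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$HostName)

    # Merge with any existing entries so previously allowed names are kept.
    $existing = @(Get-RegValue $Msv1_0 'BackConnectionHostNames')
    $merged   = @($existing + $HostName | Where-Object { $_ } | Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess($Msv1_0, "Set BackConnectionHostNames = $($merged -join ', ')")) {
        # -Force overwrites the value if it already exists (REG_MULTI_SZ).
        New-ItemProperty -Path $Msv1_0 -Name 'BackConnectionHostNames' `
            -PropertyType MultiString -Value $merged -Force | Out-Null
    }
    if ((Get-RegValue $Lsa 'DisableLoopbackCheck') -eq 1) {
        Write-Warning 'DisableLoopbackCheck is still 1; the check is off for every host name.'
    }
}

# Report current state (makes no changes).
Get-LoopbackCheckState | Format-List

# Preview a host-scoped change. The name below is taken from the endpoint URL
# in the question; substitute the alias or FQDN that is actually used.
# Add-BackConnectionHostName -HostName 'jccstudioxps' -WhatIf
```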
