none
SharePoint 2010 - Server Farm Administrator: Cannot create Service Applications and Web Applications (“This control is currently disabled”) RRS feed

  • Question

  • We have installed SharePoint 2010 Beta 2 on Win 2008 R2 and SQL Server 2008 SP1+CU2.

    We have created service account as described in the following TechNet article http://technet.microsoft.com/en-us/library/ee662513(office.14).aspx and following least privilege model.

    After running the setup and finishing “SharePoint 2010 Products Configuration Wizard” using “Setup user account” the Central Administration web is up and running.

    For further configuration we logged in with “Server Farm Account” and when we go to “Manage service applications” page the button to create new service application is disabled and if we hover over the disabled button it says “This control is currently disabled”. Same thing happens when we go to “Manage web applications” page and the “New” button on ribbon is disabled with same error message. We also could not see the “Launch the Farm Configuration Wizard” link under configuration wizard page.

    Apparently when we login back as “Setup user account” we can see all the buttons activated and also the ability to launch the farm configuration wizard.

    Is there some configuration or privilege we are missing for “Server Farm Account”. The “Server Farm Account” was part of “Farm Administrators” group after the initial setup and configuration wizard. It was not in the “Site Collection Administrators” group for “Central Administration” site, as expected it didn’t make any difference after having added it to the “Site Collection Administrators” group. If we add the “Server Farm Account” to the local administrator’s group thing starts to function as it should have been but now it no more a least privilege model.

    Is this the way it has to be operated? The setup user account is local admin on the box. So what’s the purpose of the “Server Farm Account” which doesn’t even have permission to create web applications?


    Sameer Dhoot
    My Blog : http://sharemypoint.in/
    Monday, February 15, 2010 12:25 AM

Answers

  • Hi Sameer,

    Please run Internet Explorer as an administrator and then the all controls in Central Administration should be enabled. Please let me know if this resolves the issue.

    Thanks,
    Prashanth

    Friday, February 26, 2010 3:38 PM

All replies

  • I'm getting this same error with an account that has been working for some time. It is also the Server farm account and has already been used to create multiple web applications and service applications. All of a sudden, when I go to manage web applications, all of the top-layer items are greyed out with "This control is currently disabled."

    The account is a member of the farm administrators group, the local admin group on the server (it's a two-server setup with separate domain controller) and has the dbcreator and securityadmin roles within SQL. I can't think of what changed since it was able to perform these actions and now...
    Friday, February 26, 2010 1:27 AM
  • I'm getting this same error with an account that has been working for some time. It is also the Server farm account and has already been used to create multiple web applications and service applications. All of a sudden, when I go to manage web applications, all of the top-layer items are greyed out with "This control is currently disabled."

    The account is a member of the farm administrators group, the local admin group on the server (it's a two-server setup with separate domain controller) and has the dbcreator and securityadmin roles within SQL. I can't think of what changed since it was able to perform these actions and now...

    This also happened to me and figured out that "Internet Explorer Enhanced Security Configuration" was enabled and none of the ActiveX controls could load.

    Also i have read couple threads where the problem was User Account Control and you need to right click IE and say run as Administrator.

    Sameer Dhoot
    My Blog : http://sharemypoint.in/
    • Proposed as answer by Daniel Bedarf Wednesday, May 19, 2010 3:51 PM
    Friday, February 26, 2010 5:49 AM
  • Hi Sameer,

    Please run Internet Explorer as an administrator and then the all controls in Central Administration should be enabled. Please let me know if this resolves the issue.

    Thanks,
    Prashanth

    Friday, February 26, 2010 3:38 PM
  • Hey Prashanth

    Thanks a lot for the solution provided.

    It works for me. Still I don't get what is the issue behind with this elevated permission.


    Eugene Vasile
    Monday, March 8, 2010 9:15 PM
  • Hi Sameer,

    Please run Internet Explorer as an administrator and then the all controls in Central Administration should be enabled. Please let me know if this resolves the issue.

    Thanks,
    Prashanth


    Prashanth,

    That's is exactly what i described in my earlier reply. But this still does not solves my problem.

    Sameer Dhoot
    My Blog : http://sharemypoint.in/
    Friday, March 12, 2010 1:15 AM
  • I did hit the same problem today. Just installed SharePoint 2010 Beta "as usual" but the new-button for Service Application does not work. Other installations just worked fine...

    I disabled UAC, runned IE as administrator, nothing worked. One "hack" would be to use the application-pages (directly via url) for each Service Application. The urls can be retrieved from a working SharePoint environment.

    Anyone found another solution for this bug?

    Greetings
    Eric
    Thursday, March 18, 2010 12:28 PM
  • Hmmm ... just found out a solution! I re-run the Configuration Wizard! No its working again! Sweet ... :-)

    Greetings
    Eric
    Thursday, March 18, 2010 12:30 PM
  • Running IE as administrator allowed the Manage Services on Server link to appear which was what I needed. Thanks!
    Wednesday, March 24, 2010 2:51 PM
  • I had the same probelm, I do not have the option of run as admin as I'm using Windows XP system to browse a remote system. When I add that user to the local admin group and it started working, but it looks w-e-i-r-d to me:)
    Friday, June 11, 2010 7:01 PM
  • I had a similar problem after the following install (all GA products) on AMD X64 machine:

    1] Windows 7 Enterprise
    2] SQL Server 2008 Standard (plus SP1 and other required CUs and hotfixes)
    3] SharePoint 2010 (plus .Net 4)

    The above install wasn't as simple as I stated because of all sorts of required
    SPs, CUs, and hotfixes. Worst yet, there is no single documented page that 
    shows all this. Hopefully, Microsoft can improve this experience or at least 
    provide a single web-page that shows precise steps with required installs/updates.

    Back to the original issue. After the install, I went into the Central Administration
    and went to Application Management, but to my surprise the "New" button to 
    create the Application was disabled. 

    However, when I started the Central Administration as administrator, (thank goodness)
    the "New" Application button became enabled and I was able to proceed just fine.

    You can start the Central Administration as administrator by:
    1] Go to Start menu
    2] Select All programs
    3] Select Microsoft SharePoint 2010 Products
    4] Right click on the SharePoint 2010 Central Administration
    5] Select Run as Administrator

    In fact, it wasn't just the Application Management screen I had trouble with
    but starting Central Administration as "administrator" mode solved it all.
    We don't see this in some other Windows 7 machine, so it could be some Windows
    security setting...which I am still investigating.

    Good luck.

     

     

     

     

    Saturday, July 10, 2010 9:31 PM
  • John,

    Thanks a lot for your steps
    It works for me. Still I don't get what is the issue behind with this elevated permission.

    I am on Win2008 with spadmin account

    Thank you

    Neel

    • Proposed as answer by Neel0 Wednesday, December 8, 2010 7:20 PM
    Thursday, July 22, 2010 1:33 PM
  • To me it seems that the legacy of MOSS continues...

    In MOSS (If anybody of you might have encountered the similar issue) when you install MOSS, you will notice that CREATE/EXTEND A NEW WEB APPLICATION link is missing (even if you add the site to trusted sites or try something else in IE).

    But If you add the service account to local Administrators group (which is against MSFT's minimum previleges recommendation), create or extend a web application link will appear.

    Similarly in SP 2010, if you add your service account (or with which you are logging-in) to local admins group, NEW service application won't be greyed out anymore. Thats the reason I mentioned MOSS's legacy continues.

    But still I am not sure about the connection between minimum previleges recommendation about service account and this issue.

    Thanks...

    Ravi

    Friday, August 6, 2010 6:30 AM
  • I was experiencing this problem within my dev environment, no AD domain - just using local server accounts.  I resolved the issue by adding the farm admin account to the local machine Admin group and disabling UAC on the server (just one or the other won't do it). 
    Thursday, November 18, 2010 11:06 PM
  • Hi All

    I'm logged in as the domain admin.   The farm account has local admin on the server and SA on the SQL server.  I've:

    - disabled Internet Explorer ESC

    - disabled UAC and tried running IE as admin.

     

    But the controls are still disabled.  Any idea what to look for next?  Thanks.

    Thursday, February 10, 2011 5:28 AM
  • Just do the below 2 steps,this issue will be fixed..

    1.Run the IE in Administrator Mode
    2.Disable the "Internet Explorer Enhanced Security Configuration".

     

     


    Sures R | Sharepoint Developer | http://sharepoint-sureshkumar.blogspot.com
    Wednesday, March 9, 2011 1:09 PM
  • I have the same problem yet still no luck from those solutions.  The point is that farm administrator should not be the local administrator so this account should not login to WFE directly just for the ability to run central admin.  Therefore "run as administrator" won't help.  Tried disable "UAC" and IE "ESC" didn't help neither.  Any suggestion/solution, please?

    Thanks in advance.

    Friday, July 29, 2011 2:59 PM
  • I tried the above solutions (notably, I tried accessing Central Administration from IE running as Administrator) to no avail. However, when I added the site to the Local Intranet (IE9: Tools, Internet Options, Security), I suddenly had all the controls enabled. This is on a single development computer (Windows 7 64-bit) installation.
    Wednesday, January 4, 2012 9:52 PM
  • There are many solutions posed in this thread, here is a summary of them that seem to resolve the issue:

     

    • Launch Central Administration using Run As Admin
    • Launch IE using Run As Admin
    • Turn off IE Enhanced Security Configuration
    • Add the Central Admin site to Intranet or Trusted Sites

     

    One other that I would add as well that can resolve this, is to add the Admin account to local admins on the server. If you use "Run As Admin" then give it an account that does not have admin priviliges on the server, you will not truly be running as Admin.


    Thanks, James Waymire - Senior Premier Field Engineer - SharePoint - Microsoft Corporation
    Thursday, January 19, 2012 12:28 AM
  • I hope there are more ideas. I am still having no luck. I have a standalone install using local accounts on a non-domain 2008 server. I am logged in as my SP_Admin account and even that one fails to add additional farm admins. I have tried other additions, such as adding site owners and other group members, and those functions are all fine. It is just this inability for the system to recognize my accounts as local admin members.

    As it reads in the Windows Application Log:
    "Local administrator privilege is required to update the Farm Administrators' group."

    Help!!

    Thanks!

    Wednesday, February 1, 2012 3:33 PM
  • The only way I have found to resolve this is to add any Farm Administrator accounts that fail to gain full permissions within Central Admin to the local administrator groups on all the servers in the farm (not the domain\administrators group).

    ---------- Mark Locke

    • Proposed as answer by TerriMorgan Saturday, July 28, 2012 7:34 PM
    Thursday, March 15, 2012 10:53 AM
  • worked just fine!
    Tuesday, May 29, 2012 7:13 PM
  • A great way to do this if you have to go this far, is to have an AD group that all your farm admins are part of, and add that via GPO to the local admins group for each of the SharePoint servers in the farm. If you have to add new servers to the farm, you just need to make sure they receive the GPO.
    Tuesday, May 29, 2012 7:49 PM
  • Right clicking on IE and selecting "Run as administrator" worked for me when launching the CA to create the new Fast Search Service Application.
    Thursday, July 19, 2012 1:08 AM
  • My Farm account _was_ Admin (AD) with full rights for the server and SharePoint, but was not a local admin -- on the server hosting Central Admin. I could not create a new web application. 

    Once I gave the farm account local admin permissions on the CA server, voila. I did not test this to verify if I had to give permissions for all the servers in the farm. 

    Control Panel - User Accounts - Give Permissions - Farm account = Administrator
    Then log out and log in again (if logged in with the Farm account 

    For me, the problem did not have anything to do with IE or zones or any of the obscure hoo-ha that MS "contingents" reference.  (I tried all that; did not work)

    Once the local admin permissions are set for the farm account, there's no need to explicitly "run as admin" because that's already happening (provided you are logged in with the farm account). 

    I expect an Error from SharePoint telling me that the Farm account is also a local admin. (y'think?)


    Terri Morgan


    • Edited by TerriMorgan Saturday, July 28, 2012 7:53 PM expanded
    Saturday, July 28, 2012 7:40 PM
  • I expect an Error from SharePoint telling me that the Farm account is also a local admin. (y'think?)


    Terri Morgan


    Ha, yeah.  It's gonna bark at you. Learn to love the red ribbon in CA!

    Mike Griffin - Seattle

    • Proposed as answer by Ms. Me Friday, June 7, 2013 1:34 PM
    • Unproposed as answer by Ms. Me Friday, June 7, 2013 1:34 PM
    Sunday, August 5, 2012 5:03 AM
  • We had a similar issue, the user had full administrative access to the farm in SharePoint.  Come to find out the security group the user was in did not have administrative rights to the server.  Once he had rights the the server the grayed out icons went away. 
    Friday, June 7, 2013 1:39 PM
  • Worked for me!  Also solved an "unexpected error" when trying to add a new user to the farm admins group.
    Monday, February 10, 2014 11:20 PM
  • There are many solutions posed in this thread, here is a summary of them that seem to resolve the issue:

     

    • Launch Central Administration using Run As Admin
    • Launch IE using Run As Admin
    • Turn off IE Enhanced Security Configuration
    • Add the Central Admin site to Intranet or Trusted Sites

     

    One other that I would add as well that can resolve this, is to add the Admin account to local admins on the server. If you use "Run As Admin" then give it an account that does not have admin priviliges on the server, you will not truly be running as Admin.


    Thanks, James Waymire - Senior Premier Field Engineer - SharePoint - Microsoft Corporation

    Experienced a similar situation at one of our clients, weird thing was it affects users that are mem of local admin via nested groups nested inside other groups, and doesn't matter if you add those users directly. All of the advice given on this post and others didn't affect the situation.  Another weird thing....

    Other users that have admin on the farm via BUILTIN\Administrators were not affected.  work around for users that are nested into the local admins and mem of farm admins, ---was- - - - all of the advice from Kiefer plus start inprivate browsing then remove inprivate.  So once user is logged in, and on central admin, and controls are not illuminated\are greyed out, hit Ctrl+Shift+P for inPrivate Browsing and control illuminated.   Then after giving inPrivate Browsing, close browser and open normally, user has ability to use web application management, via _admin/WebApplicationList.aspx


    Stacy Anothersharepointblog.blogspot.com




    • Edited by Stacy Simpkins Friday, August 29, 2014 1:32 PM inprivate browsing on off
    Friday, August 29, 2014 1:26 PM