Unable to Register Managed Account

    Question

  • Error occurring while registering a new Managed Account

    The given key was not present in the dictionary.
    Wednesday, December 02, 2009 3:34 AM

Answers

  • Try this:

    1. Open up "Active Directory Users and Computers"
    2. Select "Advanced features" from the "View" menu
    3. Right-click the relevant account and select "Properties"
    4. Select the "Security" Tab
    5. Scroll down and select "Authenticated users" in the "Group or user names:" field
    6. Allow "Read" permissions in the "Permissions for Account Operators" field just below
    7. Hit Ok

    This solved the issue of registering new managed accounts for me...

    • Marked as answer by Mohan D Tuesday, December 22, 2009 8:10 AM
    Thursday, December 10, 2009 10:44 PM

All replies

  • People will be able to help you if you supply more info and are more descriptive in your question.

    Here are a few things you can tell us:
    1) How are you creating a new managed account?
    2) Is it SharePoint Foundation 2010 or SharePoint Server 2010?
    3) What is your SharePoint Server 2010 environment? Windows Server 2008 or WS 2008 R2 or Windows 7?
    4) SharePoint 2010 installed in a Domain Controller or local account?
    Regards,
    Chakkaradeep || SharePoint Developer - MCTS SharePoint Dev, WSS Dev
    http://www.intergen.co.nz || Twitter: http://twitter.com/chakkaradeep || http://www.chakkaradeep.com
    Wednesday, December 02, 2009 5:55 AM
  • 1) From Central Administrator -> Service Accounts -> Register New Managed Accounts
    2) SharePoint Server 2010
    3) WS 2008 R2
    4) Not a Domain Controller.

    Wednesday, December 02, 2009 6:27 AM
  • All,

    I am also experiencing a similar issue.

    SharePoint 2010 ENT
    Server 2008R2 WFE's and DB (SQL 2008 SP1 CU2)
    Active Directory Services 2008

    I created an account in AD for an App Pool.
    When I go to register the account (From Central Administrator -> Service Accounts -> Register New Managed Accounts)

    I enter the new account username with and without the realm - See below  

    Service account credentials
    User name
    Password

    Once applying the Account Registration I receive the following error.
    The given key was not present in the dictionary.

    I also get the same error when using the CA Wizard for Service Accounts. 

    Error

    The given key was not present in the dictionary.
    Troubleshoot issues with Microsoft SharePoint Foundation.
    Correlation ID: 2fa39210-cfe9-4649-a190-d00c562c0ca4
    Date and Time: 12/2/2009 2:50:05 PM

    I also granted this account administrative rights on the WFE's and DB's to isolate any permissions issues and removed any firewall and IPSEC security.

    No unusual ULS, SCOM, Win Logs, Application/Service Events, etc...
     
    -Cory
    Manager of Technology Services - Indiana University Student Enrollment Services
    Wednesday, December 02, 2009 7:34 PM
  • Hello,
    I also get the same error on a Server 2008 R2 environment installing SharePoint Server Enterprise 2010 Beta.
    We have some Domain Controllers in our company and are running on Active Directory.
    It seems the user I used for installing SharePoint needs Read-Permissions to read information from the Active Directory.

    In this post [http://social.msdn.microsoft.com/Forums/en-US/sharepoint2010general/thread/b3d31931-9d6b-4b68-8f7b-d8df55601beb/] somebody pointed me to this site [http://ethan-deng.com/SharePoint2010InstallationIssues.aspx].

    We tried to add read permissions to the AD for the Administrator Account I used for installation of SharePoint. But I still get the same error trying to register a new Managed Account.

    Any suggestions?! Maybe we are missing some permissions. Does anyone know what information (I only know about the password change requirement stuff) SharePoint wants to get from the AD?

    Thanks.

    Christoph

    Thursday, December 10, 2009 5:18 PM
  • Try this:

    1. Open up "Active Directory Users and Computers"
    2. Select "Advanced features" from the "View" menu
    3. Right-click the relevant account and select "Properties"
    4. Select the "Security" Tab
    5. Scroll down and select "Authenticated users" in the "Group or user names:" field
    6. Allow "Read" permissions in the "Permissions for Account Operators" field just below
    7. Hit Ok

    This solved the issue of registering new managed accounts for me...

    • Marked as answer by Mohan D Tuesday, December 22, 2009 8:10 AM
    Thursday, December 10, 2009 10:44 PM
  • This Solution Worked for me....

    Thanks
    Tuesday, December 22, 2009 8:11 AM
  • Anders,

    This is good information.

    Unfortunately, the university environment (Higher ED in general) consists of several engineers that work in very specific areas such as AD administration, SharePoint, etc...
    Asking our AD administrators to change the security for several service accounts and give authenticated users read access will need more justification.

    Do you know which specific AD accounts need to be allowed Read access to an account…seems vague, do you happen to know which attributes are really needed and why?  An authenticated user is a really large group.

     


    Which accounts need read access to which attributes?  Make sense?

    Thanks,

    -Cory
    Manager of Technology Services - Indiana University Student Enrollment Services
    Monday, December 28, 2009 3:23 PM
  • The thread is getting old, but I still will echo Cory's concerns here.  Why give all Authenticated Users "Read" access to a service account?  In keeping with best practices, I would prefer to grant more limited permissions (principle of least privilege).

    Is it just the SharePoint "Access" Account that needs "read" access to the managed account properties?  Or is it the user running the configuration wizard?

    -Greg Mackinnon
    University of Vermont
    Monday, February 01, 2010 3:45 PM
  • Thanks for providing more feedback Greg.

    Has anyone been able to isolate this account access further (Farm account Read access to the AD service account (AD User) or the servers in the farm, etc.)?

    Help us Anders, the overall solution works perfect, we just need a little more clarification :)

    -Cory
    Manager of Technology Services - Indiana University Student Enrollment Services
    Friday, February 05, 2010 9:32 PM
  • I got the same error listed here and when I granted read access only to the Farm Service Account (the one used when installing SharePoint 2010 from the start) it worked.  I didn't attempt to isolate the permissions further than just granting full read access, but at least now it's only one service account having read access to another.

    TC
    Worcester Polytechnic Institute
    • Proposed as answer by TG99 Monday, June 07, 2010 7:18 PM
    Tuesday, March 09, 2010 2:40 PM
  • I tried the registering managed accounts fix, with no luck either.

    Ok, here's what worked for me, at least in test.  Our prod server has a remote database server, as expected, but our test server has its own local database server.  The app pools were configured for network service.  Once I granted network service temporary local admin rights I can get past this error during installation.  Now all I have to do is figure out a permanent fix...possibly changing the app pools to local system or even the AD sharepoint admin account.

    Hope this helps someone else out...

     

    Thanks,

    Paul

    Tuesday, April 27, 2010 8:11 PM
  • Similar to TomCollinsWPI: granting Read access to the Sharepoint 2010 farm account (not the setup account) for a pre-existing domain account allowed me to successfully add that domain account as a registered managed account in Central Admin.

    Edit: On a sidenote, as a separate issue I was plagued with event 28005 errors where MSSQLSERVER was saying it could not obtain information about the Sharepoint farm account. Using a similar strategy as above, on the farm account I granted Read access to the sql server account in AD. Event 28005's immediately ceased. (Environment: SP2010 Enterprise w/SQL2008R2 on Srvr 2008R2)

    Monday, June 07, 2010 7:23 PM
  • After some testing I found it sufficient to grant only the "Read Account Restrictions" permission of the relevant managed account to the SharePoint Farm account. No other permissions were necessary to register a new managed account.

    -Björn

    • Proposed as answer by GregMitchell Tuesday, May 10, 2011 4:57 PM
    Thursday, June 17, 2010 10:16 AM
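
    The narrower grant described in the post above (read access to only the Account Restrictions property set, for only the farm account), written out in PowerShell. This is an added example, not code from the thread; the farm account name is a placeholder, and it assumes the ActiveDirectory module (RSAT) and rights to edit the service account's ACL.

```powershell
# Added example (not from the thread). Account names are placeholders.
Import-Module ActiveDirectory

$managedAccount = 'svc_SP_User_Content'  # account to register as a managed account
$farmAccount    = 'svc_SP_Farm'          # hypothetical farm account name

# GUID of the User-Account-Restrictions property set
# (shown as "Account Restrictions" in Active Directory Users and Computers).
$accountRestrictions = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'
# Well-known SID of Authenticated Users; comparing SIDs avoids localized names.
$authenticatedUsers  = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$sidType             = [System.Security.Principal.SecurityIdentifier]

$target  = Get-ADUser -Identity $managedAccount
$farmSid = (Get-ADUser -Identity $farmAccount).SID
$adPath  = "AD:\$($target.DistinguishedName)"
$acl     = Get-Acl -Path $adPath

# 1. Audit: list explicit (non-inherited) ACEs held by Authenticated Users on
#    this account, e.g. a broad "Read" left over from an earlier workaround.
$acl.GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference -eq $authenticatedUsers } |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType -AutoSize

# 2. Grant the farm account ReadProperty on the Account Restrictions
#    property set only, on this one object (no inheritance).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $farmSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $accountRestrictions,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# 3. Verify: the new ACE should be the only explicit entry for the farm
#    account that references the Account Restrictions property set.
(Get-Acl -Path $adPath).GetAccessRules($true, $false, $sidType) |
    Where-Object {
        $_.IdentityReference -eq $farmSid -and
        $_.ObjectType -eq $accountRestrictions
    } |
    Format-List IdentityReference, ActiveDirectoryRights, AccessControlType
```

    Step 1 only reports; removing an earlier Authenticated Users grant is a separate change to agree with the directory administrators.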
  • Hi Everyone,

    I think we have a solution.

    A colleague of mine discovered a workaround using the SharePoint 2010 Management Shell (run as Administrator) using the PowerShell New-SPManagedAccount command to apply the credentials to add the service account.  Since the GUI doesn't appear to work, my guess is that this is a bug...

    This posting will help you with the PS syntax.
    http://blogs.technet.com/b/wbaer/archive/2010/04/11/managed-accounts.aspx

    Hope this helps,

    -Cory


    Manager of Technology Services - Indiana University Student Enrollment Services
    Thursday, June 17, 2010 1:47 PM
  • Thank you for your post, Cory.  I was able to add the credential despite this error using the SharePoint PowerShell.  Don't run the following commands until you read the rest of this post.

    # Prompts for the password of the specified account
    $cred = Get-Credential "DOMAIN\svc_SP_User_Content"
    # Register the account as a SharePoint managed account
    New-SPManagedAccount -Credential $cred

    Except now I get the ugly error in Central Administration.  The error wouldn't relent until I added the Farm account to the Account Operators domain group.

    Monday, October 04, 2010 2:40 AM
  • Hi Everyone,

    I wanted to provide an update on this issue and let you know that we are still trying to identify the exact Read attributes required for the service accounts to operate appropriately in SharePoint and SQL 2008.

    I also believe this affects the PowerPivot functionality when slicing Excel data. The data connection uses Windows Authentication and user credentials could not be delegated. The following connections failed to refresh:  PowerPivot Data

    When I get the exact list of attributes required I’ll post these.

    Thanks

    -Cory


    Manager of Technology Services - Indiana University Student Enrollment Services
    • Proposed as answer by GregMitchell Tuesday, May 10, 2011 4:53 PM
    • Unproposed as answer by GregMitchell Tuesday, May 10, 2011 4:54 PM
    Saturday, January 15, 2011 3:47 PM
  • Hi all,

    We faced the same problem. The solution provided by Anders Skjoenaa worked for us.

    Thanks for this discussion!

    Monday, March 26, 2012 10:21 AM
  • As Cory mentions, it can be a security concern to allow read for all these accounts by all other AD authenticated users. However, I don't know of any other way to set this up, especially with SharePoint 2013; all domain accounts used have to be read by all authenticated users for Claims Authentication to work on the domain - at least this is what I believe now.
    For an intranet, it can be easier to convince the AD/IT folks to do this. It also helps to strictly manage SharePoint security by the book - e.g. remove the farm account from the app server's admin group(s) after installation and full configuration (with allow logon and as a service locally), while remembering to add it on as admin just at update times. 

    Thanks for the discussion, indeed.

    Radu P.

    Tuesday, July 23, 2013 2:31 PM
  • Hi,

    I have 2 SharePoint 2013 servers. On 1 of them I installed without issues. On the other I had to apply this fix.

    Any ideas?

    Thursday, April 02, 2015 12:03 PM
  • Hello Anders,

    Your workaround worked for me.

    I have a Single SharePoint 2013 server farm with SAML. 

    Best of luck to all of you

    Monday, September 28, 2015 12:06 PM
  • Thank you for the post. It's working for me

    Thursday, November 10, 2016 1:25 PM