I was setting up a trusted domain for the people picker in SharePoint 2010. I was able to get it to work on one environment but not the other. On the environment that wasn’t working, the steps to set it up all completed successfully, yet the people picker could not resolve any username, including those in the current domain.
Every time the people picker failed to resolve the username, there was this error message in the ULS:
An exception occurred in AD claim provider when calling SPClaimProvider.FillSearch(): Requested registry access is not allowed..
This is then followed by another message:
Claims Search call failed. Error Message: Requested registry access is not allowed. Callstack:
at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
The first message also appears in the Event Viewer.
The messages clearly indicate that something did not have access to read something from the Registry. I downloaded Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645) from MS Sysinternals, which is an incredible tool that allows us to monitor all access to the Registry (among other things).
Run this tool, set it to show Registry activity only, and filter it down to Process = “w3wp.exe” and Result = “access denied”:
This will quickly show that the problem occurs when the w3wp.exe process tries to read the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure. This is where the app password (set by the stsadm command) is stored.
Double-click the failing entry in Process Monitor and you will see that the user trying to read the Registry key above is the app pool account of the SharePoint web app.
Check the permission of this Registry key and you will see that the following groups have read access:
- Network Service
- Local Administrators group
I added the app pool account to the local Administrators group, reset IIS and everything started to work. I checked the other environment where it was working and indeed the app pool account was added to the local Administrators group. (Probably better to add the app pool account to the WSS_Restricted_WPG_V4 group though).
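To check this without clicking through regedit and Computer Management, here is an added PowerShell script (not from the original post) that lists which principals can read the Secure key and whether a given app pool account is a member of the local groups that matter. The account name is a placeholder, and the WSS_* group names are the SharePoint 2010 defaults.

```powershell
# Added diagnostic script, not part of the original post.
# $AppPoolAccount is a placeholder; replace it with the web app's pool identity.
param(
    [string]$AppPoolAccount = 'CONTOSO\sp_apppool'
)
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure'
$readKey = [System.Security.AccessControl.RegistryRights]::ReadKey

# 1. Enumerate the ACL of the Secure key and keep only Allow entries that grant ReadKey.
$acl = Get-Acl -Path $keyPath
$readers = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.RegistryRights -band $readKey) -eq $readKey } |
    ForEach-Object { $_.IdentityReference.Value }
"Principals with read access to ${keyPath}:"
$readers | ForEach-Object { "  $_" }

# 2. Read local group membership through the WinNT ADSI provider (works on Server 2008 R2,
#    which has no Get-LocalGroupMember). Members come back as DOMAIN\name strings.
function Get-LocalGroupMembersNT([string]$GroupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# 3. For each candidate group: is the app pool account in it, and does the group itself
#    appear on the key's ACL? A "member: False" next to the only group with read access
#    is the same finding Process Monitor shows as ACCESS DENIED for w3wp.exe.
"Local group membership of ${AppPoolAccount}:"
foreach ($g in 'Administrators', 'WSS_Restricted_WPG_V4', 'WSS_WPG', 'WSS_ADMIN_WPG') {
    try {
        $members = @(Get-LocalGroupMembersNT $g)
    } catch {
        "  {0,-24} not present on this server" -f $g
        continue
    }
    $isMember   = $members -contains $AppPoolAccount            # case-insensitive compare
    $grantsRead = [bool]($readers | Where-Object { $_ -like "*\$g" })  # e.g. BUILTIN\Administrators
    "  {0,-24} member: {1,-5} group can read key: {2}" -f $g, $isMember, $grantsRead
}
```

Run it in an elevated PowerShell session on the web front end; if the account is in none of the groups that can read the key, that is the cause of the FillSearch failure above.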
Not sure why the app pool account was not set up properly by default or if I missed a required config step – but anyway it’s working now and I’m happy :).