I ran into an issue where we had some problems with our Shared Services Provider, so per Microsoft we created a new one, associated all of the sites with it, and made it the default SSP. When we went to delete the old SSP, it could not be deleted because it was still the parent SSP. To change this you are supposed to go to Central Admin –> Application Management –> Grant or configure shared services between farms. When I tried this, I got an "account is not valid" error message. (Sorry, I don’t have the exact text because the problem is fixed and I have no way to recreate it.)
Here are the steps I followed to fix the problem:
- Determine what account SharePoint thinks is invalid. You need to open SQL Admin Studio, connect to the SharePoint Configuration database and run the following query:
- select * from dbo.objects where name like 'SharedServices' (Replace SharedServices with the name of the SSP you are trying to get rid of)
- In the results, you should see one row of data. There is a column called Properties which is XML text. Select the contents of the column and paste it into Notepad so you can read it more easily.
- Scan the contents of the properties column and you will see some entries that look like this:
- <sFld type="String" name="m_SecurityXml"><security><owner /><rules><rule><role>2</role><identity type="NTAccount">TESTDOMAIN\lflippo</identity></rule><rule><role>2</role><identity type="NTAccount">TESTDOMAIN\bgbpps2$</identity></rule></rules></security></sFld>
- Notice that two accounts are listed as owners of this SSP, lflippo and bgbpps2$. One or both of these accounts would be the problem account.
- Now that we have the two potential problem accounts, search for them in Active Directory and make sure they still exist and are enabled. In our case, lflippo was disabled and bgbpps2$ (a computer account) had been deleted. Recreate the computer accounts with the same name if they have been deleted and enable them if they are disabled.
- Go to Central Administration –> Application Management –> Grant or configure shared services between farms and you should now be able to pick your new SSP from the drop-down and make it the parent. You will then be free to delete the old SSP.
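The account lookup in the steps above can be scripted. The following PowerShell is an added example, not part of the original post: it pulls the m_SecurityXml accounts out of a Properties value and reports whether each one exists and is enabled in Active Directory, along with its current SID. The function names and the `<object>` wrapper in the sample are hypothetical, and it assumes the ActiveDirectory module is installed and the accounts live in the current domain.

```powershell
# Added example. $propertiesXml is a constructed sample built around the fragment
# shown above; paste the real Properties column value here instead.
$propertiesXml = @'
<object>
<sFld type="String" name="m_SecurityXml"><security><owner /><rules><rule><role>2</role><identity type="NTAccount">TESTDOMAIN\lflippo</identity></rule><rule><role>2</role><identity type="NTAccount">TESTDOMAIN\bgbpps2$</identity></rule></rules></security></sFld>
</object>
'@

function Get-SspSecurityAccount {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null                     # never resolve external entities or DTDs
    $doc.LoadXml($Xml)
    $field = $doc.SelectSingleNode("//sFld[@name='m_SecurityXml']")
    if (-not $field) { throw 'No m_SecurityXml field found in the Properties XML.' }
    # Assumption: the rules may be stored as escaped text instead of child elements.
    if (-not $field.SelectSingleNode('security')) {
        $inner = New-Object System.Xml.XmlDocument
        $inner.XmlResolver = $null
        $inner.LoadXml($field.InnerText)
        $field = $inner
    }
    foreach ($rule in $field.SelectNodes('.//rule')) {
        [pscustomobject]@{ Account = $rule.SelectSingleNode('identity').InnerText
                           Role    = $rule.SelectSingleNode('role').InnerText }
    }
}

function Test-SspAccount {
    param([Parameter(Mandatory)][string]$Account)   # DOMAIN\name; domain part is ignored
    $sam = $Account.Split('\')[-1]
    if ($sam -notmatch '^[\w.$ -]+$') { throw "Unexpected characters in account name: $sam" }
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties userAccountControl, objectSid
    $state = if (-not $obj) {
        'Missing'
    } elseif ($obj.userAccountControl -band 2) {    # bit 0x2 = ACCOUNTDISABLE
        'Disabled'
    } else {
        'Enabled'
    }
    [pscustomobject]@{ Account = $Account; State = $state; Sid = "$($obj.objectSid)" }
}

$accounts = Get-SspSecurityAccount -Xml $propertiesXml
if (Get-Command Get-ADObject -ErrorAction SilentlyContinue) {
    $accounts | ForEach-Object { Test-SspAccount -Account $_.Account }
} else {
    $accounts    # parsing runs offline; the AD check needs the ActiveDirectory module
}
```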
I struggled with this problem for a long time, and I had considered recreating the missing accounts, but I assumed from what I knew of MS security that this would be a useless exercise, since the new accounts would have a different SID. In this case, I was overthinking the issue. Obviously, the configuration step above only checks for the existence of the accounts by name; it apparently does not care about the SIDs. Or the other possibility (impossible to test now) is that because one account was disabled and the other was deleted, there was no valid account. Then by re-enabling the account that still existed, connectivity was restored. Because I did both in the same step I have no way to verify this, but I think months ago when I first encountered the problem I actually tried enabling the account that still existed. Anyway, if you encounter this problem, hopefully this will give you some options, and if you are able to test the different scenarios, let me know. I would like to know which step actually fixed the problem.