Error: Could not install certificate. Script can be rerun to only set access rights when reason for error is detected. Access is denied.

Posted Monday, May 30, 2011 10:00 PM by CoreyRoth

In the FAST Search for SharePoint configuration process, getting your certificates configured correctly is probably the most important part of the process.  Without the certificates configured correctly, FAST simply will not work.  When running the script SecureFASTSearchConnector.ps1 on each SharePoint application server, you might encounter the following error.

Could not install certificate. Script can be rerun to only set access rights when reason for error is detected. Access is denied.

The error message might seem a bit confusing at first, but it simply is an access denied type error message.  How do you resolve it?  First, to the best of my knowledge, you can only run this script as the farm account.  I know running as the farm account is bad, but it’s the only way I have seen it work.  You might be able to get it to run with your setup account by granting enough permissions, but it’s hard to say.  Typically, I’ll just Shift+Right Click on my SharePoint Management Shell link and choose the Run as Different User menu option to specify the credentials of the farm account.  If you don’t have User Account Control (UAC) enabled, the script should run just fine. 

However, if your server has User Account Control enabled, this can also cause problems.  To my knowledge, you can’t do a run as different user + run as administrator at the same time.  This means you actually have you log into your box with the farm account via remote desktop.  I know, it’s not an ideal situation at all.  However, hopefully you haven’t removed your farm account’s administrator access yet when you were setting up the User Profile Service.  Once you log in as the farm account, run the SharePoint Management Shell as an administrator and then you will be able to execute this script. 

Be sure to run this script on each SharePoint server that will be hosting the Search Service applications.  This would also be a good time to remind you that the username parameter expects the name of the account running the SharePoint Server Search 14 service.  Be sure this is running as a new dedicated account and not the farm account.

Comments

No Comments

Leave a Comment

(required) 
(required) 
(optional)
(required)