[SP2013] OpenSearch “access is denied” for authenticated sources
OpenSearch is a search protocol which can be used in SharePoint to query systems other than SharePoint iself. You can find OpenSearch when configuring a new search result source. One of the most common examples is displaying Bing search results within SharePoint. You can find a great post on that topic by Jasper Oosterveld here.
Now that’s one great use of OpenSearch. Another cool thing you can do is build your own OpenSearch compatible webservice. Basically that should return an RSS feed with some specific tags in it. SharePoint will then display these results in a result web part.
In some cases, you might want to restrict access to such a webservice. It might, for instance, return results that come from a line of business application. Well fortunately, OpenSearch result sources in SharePoint support several different authentication schemes such as Basic, Digest and NTLM. But when setting this up, there’s a possibility you’ll run into this error: “Access is denied“. This pops up after saving your result source.
Your first suspect will be the authentication on the webservice and somehow SharePoint is not passing the credentials in the correct way. I thought the same. Untill I started poking around in the registry and found this:
"SearchServiceApplication::AddResultSource--Error occured: System.Security.SecurityException: Requested registry access is not allowed. at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) at Microsoft.SharePoint.Administration.SPCredentialManager.GetMasterKey(SPFarm farm) at Microsoft.SharePoint.Administration.SPCredentialManager.GetFarmEncryptionKey(SPFarm farm) ..."
Hmm… so could it be the error has nothing to do with the actual webservice authentication, but is some internal error of SharePoint? I used ILSpy to peek inside the Microsoft.SharePoint dll to find out which registry key was being accessed:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\Web Server Extensions\\15.0\\Secure\\FarmAdmin
The obvious thing to do is to grant “Everyone” access to the key and try again. And voila! It works! I can now successfully add an authenticated OpenSearch result source and use it in SharePoint.
Of course, granting permissions to everyone is not what you want to do here. So I performed some good old trial & error to find out that it’s the account running search service that needs access to the key. I found that the group WSS_RESTRICTED_WPG_V4 does have access by default so I decided to add the account into that group (just in case it misses some other permissions as well). Note that you might want to open up a support case with Microsoft to get a validated solution, this one might put you at risk!
Why the account doesn’t have this access in the first place is the question I also asked myself and to which I don’t have an answer yet. Stay tuned for that one (if I ever find out, I’ll update this post).