Tuesday, July 12, 2016

SharePoint 2013: User profile crawl failure: Access is denied


During routine system checking of development farm, found that when a full crawl was launched on user profile content source, crawl failed completely with the following error:
1 Access is denied. Verify that either the Default Content Access Account has access to this repository, or add a crawl rule to crawl this repository. If the repository being crawled is a SharePoint repository, verify that the account you are using has "Full Read" permissions on the SharePoint Web Application being crawled. 


  1. Check database roles and mapping: found that default content access account (e.g., spContent) added to database server login, with server role Public and mapped to all farm databases as public database role.
  2. Check My Site web application user policy: found that default content access account configured with Full Read.
  3. Check User Profile Service Application permissions: all appropriate service accounts added and configured with Full Control, including: farm service account (e.g., spFarm), application service account (e.g., spApp) and admin account (SharePoint Setup User Admin, e.g., spAdmin).  Compared with production and found that service service account (e.g., spService) also added her in production but not in development.  Added service service account to UPA permissions with Full Control.  Then retried UP content source crawl: still complete failure.
  4. Check User Profile Service Application Administrators: found farm (spFarm), SharePoint Setup User Admin (spAdmin) and my own administrator account configured with full control.  Compared with production and found content crawl account (spContent) missing: on production, this account configured with Retrieve People Data for Search Crawlers permission.  In development, added this account to UPA Administrators and configured with Retrieve... permission.  Then retried crawl: this time, crawl continued to completion.


  • Among other possibilities, be sure to check that the default content crawl account has been configured with the Retrieve People Data for Search Crawlers permission in the UPA Administrators dialog.


  • It's been awhile since I engaged in routine deployment efforts and so initially missed the significance of configuring a crawl account with the Retrieve People Data for Search Crawlers permission.  Also the crawl log error that was entered is misleading: it directs attention to verifying permissions in the web application, not the service application.

No comments: