Error in PortalCrawl Web Service when crawling people with SharePoint 2010

I was playing with User Profiles and Search with SharePoint 2010 and I was getting some odd results.  First of all, I would get results from the user’s ‘my sites’, but not actual ‘people’.  By looking at the scopes, I could see that no results were available for the People scope.

So I checked up my crawl log and sure enough, I had a single error: Error in PortalCrawl Web Service.  Now that doesn’t really tell me anything so I checked out the logs and found the following 2 related messages:

10/27/2009 14:18:52.15     w3wp.exe (0x1540)                           0x18C8    Office Search Server              Common                            7ps2    Medium      PortalCrawl.GetSite(): System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.     at Microsoft.Office.Server.Administration.UserProfileApplicationProxy.DemandAdministrationAccess(UserProfileApplicationAdminRights rights)     at Microsoft.SharePoint.Portal.Search.PortalCrawl.PortalCrawl.GetSite(_PortalSite& sSite).    88e720df-4686-4aa5-bf8a-197ae1900bfb

10/27/2009 14:18:52.16     mssearch.exe (0x0738)                       0x1FF0    Office Search Server              Gatherer                          cd11    Warning     The start address sps3://my cannot be crawled.  Context: Application 'Search_Service_Application', Catalog 'Portal_Content'  Details:  Error in PortalCrawl Web Service.   (0x80042617)    

 

Now I could tell I had an access error so I validated my DisableLoopbackCheck registry key – it was already set;  checked the web application user policies (which is now in the Central  Admin > Security > Specify web application user policy), the search account already had its permissions; I even checked the http://my web site and the account also had permissions there.

When looking back at the error message – and more precisely the stack trace – I could see the class for UserProfileApplicationProxy – I hadn’t checked my proxy permission.

If you look at those permissions, there’s an explicit ‘Retrieve People Data for Search Crawlers’ checkbox.

SearchAccountPermission

 

Now, if you run the wizard to create your service applications, it will use the default account (which probably has too much rights) and give the right permissions.  When you go and change the ‘default content access account’, it will not give that permission – only the web application user policy ‘Full read’ permission.

 

Not sure if this behaviour will change for RTM or not so make sure you check the permissions for the content access account in the proxy ‘administrators’.

 

Maxime