SharePoint 2010 Error Message: The given key was not present in the dictionary


Symptoms


Consider the following SharePoint 2010 setup and configuration scenarios, any of which may exhibit the error message: "The given key was not present in the dictionary"

  1. When running the SharePoint Configuration Wizard, the account defined as the farm administrator account is different than the install account (the account you are logged in as). 
  2. When running the Farm configuration wizard after a new SharePoint install (during initial Farm setup)
  3. When attempting to register a new Managed Account in Central Administration > Security

Cause


The account you are attempting to work with cannot be queried by the SharePoint system in Active Directory.  The account you are currently logged in as may not have READ permission to the target account you are attempting to use.  This would apply to any of the three scenarios above.

More specifically, in the case of trying to add managed accounts, the farm service account (the one running the central admin app pool and the timer service) needs to have the “Read Account Restrictions” permission to the account you are trying to add as a managed account.

The farm service account needs this permission so that it can check if the account you are trying to register is under any restrictions, when the password will expire, when the password was last set, etc.  You can see all the properties covered by this permission here:

http://msdn.microsoft.com/en-us/library/ms684412(VS.85).aspx

Resolution


Method 1:

The following steps assume two things:

  • You are a domain administrator or have rights to make the following changes in Active Directory.
  • You have access to a computer with Active Directory Administrative tool pack installed
  1. Open Active Directory Users and Computers
  2. Find the service account you are attempting to add or the Farm administration account (if the error occurs when running SharePoint Configuration Wizard) 
  3. Select "Advanced Features" from the View Menu
  4. Open the properties of the desired account
  5. Select the "Security" tab
  6. Find Authenticated Users and give them READ permission on the user object
    • For example, the user object may be your Farm administrator account or the managed account you are attempting to add, depending on the scenario in the Symptoms section
  7. Click OK to close out and try again. You may want to consider doing this for any managed accounts you define in Central Administration

 

Method 2:

For those customers who demand “least privilege”, Method 1 may not be acceptable.  In this case you can do this:

1.      Open Active Directory Users and Computers

2.      Find the service account you are attempting to add as a managed account.

3.      Select "Advanced Features" from the View Menu

4.      Open the properties of the desired account

5.      Select the "Security" tab

6.      Find your farm service account (the one running the central admin app pool and the timer service) and give them the “Read Account Restrictions” permission on the user object.

Note: if the error occurs when running the configuration wizard, use method 1 to get through the wizard and then revert method 1 and use method 2 to tighten security.

More Information


Reference Links: