You are using the SharePoint On-Premises version. The issue described in this blog is related to incoming email in SharePoint and People Picker feature.
Issue & Investigation
We’ve seen two errors – one on incoming email and the other on people picker-
- Error 1: Cannot retrieve the information for application credential key
- Error 2: PeoplePicker-SearchADForests was not working
These two errors are co-related to each other. People picker issue is the root cause and incoming email issue is the result which is coming due to PeoplePicker-SearchADForests. In my case there were two WFE. When the request is hitting the server WFE1, the email has been picked up by incoming email timer job but not delivering it to respective list and library but at the same time when the request is hitting WFE2 the email gets delivered.
Event viewer warning message on WFE1 has been found.
An error occurred while processing the incoming e-mail file c:inetpubmailrootdrop29bf543301d0ae7b00000016.eml. The error was:
Cannot retrieve the information for application credential key.
PeoplePicker-SearchADForests has not been working. We get the following error when searching for users…FAIL:
There was an error in the callback.
AppCredentialKey is the information used to encrypt/decrypt the information you pass into People Picker-SearchADForests. This information has to be the same across all the servers. In our case, I checked the registry key, and used beyond Compare to validate that the entry was identical on all the servers.
HKEY_Local_MachineSOFTWAREMicrosoftShared ToolsWeb Server Extensions12.0Secure AppCredentialKey : REG_BINARY
Now it looks fine and the permission has been verified.
On the “HKLMSoftwareMicrosoftShared ToolsWeb Server Extensions12.0Secure” registry key ensure the following permissions are in place and are being inherited in the sub-keys
* WSS_WPG Read permission * WSS_Admin_WPG Full Control
As per the issue, it looks like a new app password should be set up.
Following are the steps to set up the app password:
1. Get and copy the peoplepicker-searchadforests property value via stsadm command: This has been performed on all SharePoint servers i.e. WFE1, WFE2 and APP server.
stsadm -o getproperty -url https://insite.XYZ.com -pn peoplepicker-searchadforests
Note: https://insite.XYZ.com is name of web application URL.
2. Clear the peoplepicker-searchadforests property value via stsadm command: This has been performed on all SharePoint servers i.e. WFE1, WFE2 and APP server. stsadm -o setproperty -url https://insite.XYZ.com -pn peoplepicker-searchadforests -pv “”
3. Rerun the password encrypt command with different password: This has been performed on all SharePoint servers i.e. WFE1, WFE2 and APP server.
stsadm -o setapppassword -password ABCD
New password can be anything you want. I have used ABCD.
4. Set the peoplepicker-searchadforests property value via stsadm command: This should be performed in only one server of the farm, this information is stored in the configuration database, no need to run it more than once for each URL where you want the people picker. This command has been executed from APP Server.
stsadm -o setproperty -url <web application url> -pn peoplepicker-searchadforests -pv forest:<source forest>;domain:<trusted domain>,<trusted domain><account>,<password
Testing and Verification
In WFE1, this has been opened:
Incoming email has been tested. It started working and delivering email to list and library from WFE1’s drop folder.
This error happens when one server’s property conflicts with another server’s property in SharePoint config DB and it breaks existing app password of the farm.