I. Be sure the sandboxed host service is running on the appropriate servers. The service is called Microsoft SharePoint Foundation Sandboxed Code Service in Central Administration. It is called SharePoint 2010 User Code Host in Windows Services. It can be started in either place.
If you have configured the sandbox to run in local mode, then the service must be running on every front-end web server. If you have configured it to run in remote mode (sometimes called affinity mode), then it must be running on at least one server in the farm. To determine which mode is being used, open Central Administration and navigate to System Settings | Manage User Solutions. Scroll down to the Load Balancing section, where the mode is set.
II. Another known cause is certain values in the local computer policy of the servers running the sandboxed host service. The following values should not be enabled.
Computer Configuration -> Administrative Templates -> System -> Remote Procedure Call -> RPC Endpoint Mapper Client Authentication
Computer Configuration -> Administrative Templates -> System -> Remote Procedure Call -> Restrictions for Unauthenticated RPC clients
III. Another known cause is that SharePoint is trying to check for certificate revocations at crl.microsoft.com. The following are workarounds:
A. There is a registry key that is used by the sandboxed solution infrastructure and sometimes gets the wrong value. To ensure that it is set to the correct value, take these steps on all servers that are running the sandboxed host service:
1. On the server, click Start | Administrative Tools | Services.
2. In the Services dialog, scroll to SharePoint 2010 User Code Host.
3. Note the full user name in the Log On As column. You will need this information later.
4. Open SharePoint Management Shell.
5. Enter the following at the command prompt, including all punctuation.
(Get-SPManagedAccount -Identity "username").Sid.Value
Replace username with the name you obtained in step 3. E.g., Domain\FarmAdmin
This will return the user's SID (Security ID), which you will use in a later step.
6. Open the registry editor and navigate to:
HKEY_USERS\<SID you obtained earlier>\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7. Be sure the State key value is set to 0x00023e00.
8. Restart the sandboxed host service on all servers on which it is to run. It cannot hurt to do an iisreset as well.
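The check in workaround A can be scripted so that it gives the same answer on every server. The following read-only audit is an added example, not part of the original article or of SharePoint itself; it assumes it is run elevated in the SharePoint Management Shell on the server being checked, and the variable and output property names are illustrative.

```powershell
# Added example: read-only audit of the WinTrust "State" value from workaround A.
# Assumes an elevated SharePoint Management Shell on the server being checked.

$expected    = 0x00023e00                          # value the article says State must have
$displayName = 'SharePoint 2010 User Code Host'    # name shown in Windows Services

# Service steps: read the account from the service's "Log On As" column.
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='$displayName'"
if (-not $svc) { throw "Service '$displayName' not found on $env:COMPUTERNAME." }

# SID step: resolve that account with the same cmdlet the article uses.
$sid = (Get-SPManagedAccount -Identity $svc.StartName -ErrorAction Stop).Sid.Value

# Registry step: HKEY_USERS\<SID> only exists while the account's profile is
# loaded, which normally means while the service is running under it.
$key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion" +
       "\WinTrust\Trust Providers\Software Publishing"

if (Test-Path $key) {
    $current = (Get-ItemProperty -Path $key -Name State -ErrorAction SilentlyContinue).State
    $hiveNote = 'hive loaded'
} else {
    $current  = $null
    $hiveNote = 'key not found (is the service started?)'
}

# Render the value as hex so it can be compared by eye with the article's value.
if ($null -eq $current) { $shown = 'missing' } else { $shown = '0x{0:x8}' -f $current }

# One object per server, so results from several servers can be collected and sorted.
New-Object PSObject -Property @{
    Server   = $env:COMPUTERNAME
    Account  = $svc.StartName
    Sid      = $sid
    State    = $shown
    Expected = '0x{0:x8}' -f $expected
    Matches  = ($null -ne $current -and $current -eq $expected)
    Note     = $hiveNote
}
```

A server that reports Matches as False still needs the value corrected and the service restarted as described in the steps above.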
B. You can redirect these attempts by adding the following line to the end of the hosts file located at C:\Windows\System32\drivers\etc:
127.0.0.1 crl.microsoft.com
This must be done on all servers running the sandboxed host service. Then restart the SharePoint 2010 User Code Host service on all these servers. It cannot hurt to do an iisreset as well.
C. The following workaround changes configuration files that ship with the product, which means you may have to redo these steps if the files are ever overwritten by a service pack or other reinstallation.
1. Navigate to %SHAREPOINTROOT%\UserCode
2. Open each of the three *.exe.config files and add the following element as a child of the
element:
<generatePublisherEvidence enabled="false"/>
3. Steps 1-2 must be done on all servers running the sandboxed host service. Then restart the SharePoint 2010 User Code Host service on all servers. It cannot hurt to do an iisreset as well.