When configuring SharePoint Single Sign-On (SSO), you may get the error “You do not have the rights to perform this operation.” on the “Manage Settings for Single Sign-On” page. The Windows Event Viewer and the SharePoint log then show “User DOMAIN\USERID failed to configure the single sign-on server. The error returned was ERROR NUMBER. Verify this account has sufficient permissions and try again.”
To fix this issue, make sure the “Single Sign-On Administrator Account” (the account used to start the Microsoft Single Sign-On Service) meets ALL of the following:
- Must be a domain user account; it cannot be a group account.
- Must be a member of Domain Admins and Domain Users.
- Must be an Office SharePoint Server farm administrator account.
  - Go to Central Administration > Operations and click the “Update farm administrator's group” link to add the user to the Farm Administrators group.
- Must be a member of the local Administrators group on the encryption-key server.
  - The encryption-key server is the first server on which you started SSOSrv (the Microsoft Single Sign-On Service).
- Must be a member of the Security Administrators and Database Creators server roles on the computer running Microsoft SQL Server.
  - In SQL Server Management Studio, go to Security > Server Roles and add the user to the securityadmin and dbcreator server roles.
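The following PowerShell script is an added pre-flight check for the requirements listed above; it is example code, not part of the original post. It assumes it runs from an elevated prompt on the encryption-key server, as a user allowed to query Active Directory, the local Administrators group and the SQL Server instance. The values `CONTOSO\ssoadmin` and `SQLSERVER01` are placeholders, and the farm-administrator check assumes the Microsoft.SharePoint assembly (the `SPAdministrationWebApplication.Local` object model) is available on the machine.

```powershell
# Pre-flight check for the SSO administrator account (added example, not the original post's code).
# Placeholders: $SsoAccount (DOMAIN\user) and $SqlInstance; replace with your own values.
function Test-SsoAdminAccount {
    param(
        [string]$SsoAccount = 'CONTOSO\ssoadmin',   # placeholder DOMAIN\user
        [string]$SqlInstance = 'SQLSERVER01'        # placeholder SQL Server instance
    )

    $domain, $sam = $SsoAccount -split '\\', 2
    $results = New-Object System.Collections.Specialized.OrderedDictionary

    # 1. Domain user (not a group) that is a member of Domain Admins and Domain Users.
    #    memberOf never lists the primary group (normally Domain Users, RID 513),
    #    so primaryGroupID is checked as well. Nested group membership is not resolved.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(sAMAccountName=$sam)(|(objectClass=user)(objectClass=group)))"
    $searcher.PropertiesToLoad.AddRange(@('objectClass', 'memberOf', 'primaryGroupID'))
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "Account '$SsoAccount' was not found in the current domain." }

    $isGroup    = $entry.Properties['objectclass'] -contains 'group'
    $memberOf   = @($entry.Properties['memberof'])
    $primaryRid = -1
    if ($entry.Properties['primarygroupid'].Count -gt 0) {
        $primaryRid = [int]$entry.Properties['primarygroupid'][0]
    }
    $results['Domain user account (not a group)'] = -not $isGroup
    $results['Member of Domain Admins'] = (@($memberOf -match '^CN=Domain Admins,').Count -gt 0) -or ($primaryRid -eq 512)
    $results['Member of Domain Users']  = (@($memberOf -match '^CN=Domain Users,').Count -gt 0)  -or ($primaryRid -eq 513)

    # 2. Direct member of the local Administrators group on this (encryption-key) server.
    #    Membership through a nested domain group is not detected here.
    $localAdmins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $memberPaths = @($localAdmins.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)   # e.g. WinNT://CONTOSO/ssoadmin
    })
    $pattern = '^WinNT://' + [regex]::Escape($domain) + '/' + [regex]::Escape($sam) + '$'
    $results['Local Administrators on encryption-key server'] = @($memberPaths -match $pattern).Count -gt 0

    # 3. securityadmin and dbcreator server roles on the SQL Server instance.
    #    IS_SRVROLEMEMBER returns 1 = member, 0 = not a member, NULL = login not found or not visible.
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Integrated Security=SSPI;")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('securityadmin', @login) AS SecAdmin, " +
                           "IS_SRVROLEMEMBER('dbcreator', @login) AS DbCreator"
        $cmd.Parameters.AddWithValue('@login', $SsoAccount) | Out-Null
        $reader = $cmd.ExecuteReader()
        $reader.Read() | Out-Null
        $results['SQL securityadmin server role'] = ($reader['SecAdmin'] -eq 1)
        $results['SQL dbcreator server role']     = ($reader['DbCreator'] -eq 1)
        $reader.Close()
    } finally {
        $conn.Close()
    }

    # 4. Farm Administrators group of the Central Administration site.
    #    Assumption: Microsoft.SharePoint is installed here (i.e. this is a farm server).
    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint') | Out-Null
    $caSite = [Microsoft.SharePoint.Administration.SPAdministrationWebApplication]::Local.Sites[0]
    try {
        $farmAdmins = $caSite.RootWeb.SiteGroups['Farm Administrators']
        $results['SharePoint farm administrator'] =
            @($farmAdmins.Users | Where-Object { $_.LoginName -eq $SsoAccount }).Count -gt 0
    } finally {
        $caSite.Dispose()
    }

    return $results
}

# Print one OK / MISSING line per requirement.
$report = Test-SsoAdminAccount
foreach ($key in $report.Keys) {
    $state = if ($report[$key]) { 'OK' } else { 'MISSING' }
    '{0,-50} {1}' -f $key, $state
}
```

Any line reported as MISSING corresponds to one of the bullets above; fix it in the place the bullet names (Active Directory, the local Administrators group, the Farm Administrators group, or the SQL Server server roles) and re-run the script before retrying the “Manage Settings for Single Sign-On” page.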
Most importantly, make sure the SAME “Single Sign-On Administrator Account” name is used on both the “Manage Server Settings for Single Sign-On” page and the “Service Accounts” page, as shown below: