Some developers are getting this error whenever they try to use a sandboxed solution, or sometimes when they add a sandboxed Web Part to a page, even in circumstances in which the service could not be busy.  There seem to be multiple things that can cause this. The following are some solutions that have worked for others.  If you find a different solution, please report it as a comment to this post. Be sure to double-verify it: undo your solution and verify that the problem comes back, then redo it and verify that the problem goes away.

I. Be sure the sandboxed host service is running on the appropriate servers. The service is called Microsoft SharePoint Foundation Sandboxed Code Service in Central Admnistration. It is called SharePoint 2010 User Code Host in Windows Services. It can be started in either place. 

If you have configured the sandbox to run in local mode, then the service must be running on every front-end web server. If you have configured it to run in remote mode (sometimes called affinity mode), then it must be running on at least one server in the farm. To determine which mode is being used open Central Administration and navigate to System Settings | Manage User Solutions. Scroll down to the Load Balancing section where the mode is set.

II.  A second known cause is certain values in the local computer policy of the servers running the sandboxed host service. The following values should not be enabled.

Computer Configuration -> Administrative Templates -> System -> Remote Procedure Call -> RPC Endpoint Mapper Client Authentication

Computer Configuration -> Administrative Templates -> System -> Remote Procedure Call -> Restrictions for Unauthenticated RPC clients

III.  A third known cause is the presence of the following key in the registry of the servers that are running the sandboxed host service. (An additional symptom of this cause is that the service stops a few seconds after starting.)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC

It does not matter what the value of the key is, or even if the key has any value. If the key is present, the user account in which the sandboxed host process runs must be able to read it because the process tries to when it starts up. By default, the user account does not have permission to read it (because, by default, the key is not present). You must give the Users group of the computer permission to read the key.

Note: It is not sufficient to give such permission to the Authenticated Users group, because the sandboxed process removes the Authenticated User token from the the user account in which the sandboxed host process runs. This also makes that account a restricted account which means it is not sufficient to give permission to read the key to that account alone. Since the account is not considered authenticated, doing this would have no effect. However, the account does inherit the permissions of the computer’s User group.

Take the following steps on every server which has the key and which is running the sandboxed host service.

  1. Open the registry editor and navigate to the key.
  2. Right-click the key and select Permissions.
  3. On the dialog that opens, click Add.
  4. In the dialog that opens, enter the following in the Enter the object names to select box: computername\Users.
  5. Click Check Names.
  6. After the name has resolved, click OK.
  7. Restart the sandboxed host service on all servers on which it is to run. It cannot hurt to do an iisreset as well.

IV.  A fourth known cause is that SharePoint is trying to check for certificate revocations at crl.microsoft.com. The following are workarounds:

A. There is a registry key that is used by the sandboxed solution infrastructure and sometimes gets the wrong value. To ensure that it is set to the correct value, take these steps on all servers that are running the sandboxed host service :

  1. On the server, click Start | Administrative Tools | Services.
  2. On the Services dialog, scroll to SharePoint 2010 User Code Host.
  3. Note the full user name in the Log On As column. You will need this information later.
  4. Open SharePoint Management Shell.
  5. Enter the following at the command prompt, including all punctuation.

(Get-SPManagedAccount –Identity “username”).Sid.Value

Replace username with the name you obtained in step 3. E.g., CorpDomain\FarmAdmin

This will return the user’s SID (Security ID), which you will use in a later step.

    6.    Open the registry editor and navigate to:

HKEY_USERS\SID you obtained earlier\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\SoftwarePublishing

    7.     Be sure the State key value is set to 0x00023e00.

    8.    Restart the sandboxed host service on all servers on which it is to run. It cannot hurt to do an iisreset as well.

B.  You can redirect these attempts by adding the following line to the end of the hosts file located at C:\Windows\System32\drivers\etc:

127.0.0.1     crl.microsoft.com 

This must be done on all servers running the sandboxed host service. Then restart the SharePoint 2010 User Code Host service on all these servers. It cannot hurt to do an iisreset as well.

C.  The following workaround changes configuration files which ship with the product which means you may have to redo these steps if the files are ever overwritten by a service pack or other reinstallation.

  1. Navigate to %SHAREPOINTROOT%\UserCode
  2. Open each of the three *.exe.config files and add the following element as a child of the <runtime>element:

    <generatePublisherEvidence enabled=”false”/>

  3. Steps 1- 2 must be done on all servers running the sandboxed host service. Then restart the SharePoint 2010 User Code Host service on all servers. It cannot hurt to do an iisreset as well.

     See <generatePublisherElement> for more information.