There was a question posted in the MPS Forum (http://forums.asp.net/thread/1235615.aspx) of the asp.net forum that I thought I'd answer here.
Issue:
Our provisioning sample site works fine with an administrator account. When I try to create a customer organisation with reseller rights I receive the following error message:
Error: Failed to get the registry value specified. Machine:'.', Rootkey:'HKEY_LOCAL_MACHINE', Subkey:'SOFTWARE\Microsoft\Provisioning\CustomerPlansDb', Item:'Customer Database'./Access is denied./GetRegValue
Is there anyone that solved this problem? Maybe there are problems with the ACE Rights.
Response:
During a provisioning request that requires some reading/writing to the Plans Database (HECustomerDB), the provisioning system needs the connection string information in order to make that call. This information is stored in the registry, hence the call to the "GetPlanDBConnString_" procedure. The person submitting the request (e.g. someone who is not a Domain Admin) normally doesn't have rights to read that registry key, and for good reason. So for MPS to get that information from the registry, the request needs to be elevated to a credential that does have those rights.

A feature of MPF is "Stored Credentials" (SCs), which are predefined in the Provisioning Manager MMC. The MPSPrivAcct-xxxx account has a fair amount of rights, and one of those rights is the ability to read from the local registry (granting this is a step in the HMC Deployment Walkthrough). By setting the "Execute As" property of the "GetPlanDBConnString_" procedure to the "MPSPrivAcct-xxxx" account, any other procedure that calls it will be able to complete this task, because it runs under an account with the rights needed to perform it. Also, these procedures are marked as "Private", so you can't just call them directly to work around the system.
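To confirm which accounts can actually read the key named in the error, the following PowerShell check lists every allow ACE on it that grants read access. It is an added example, not from the original post or the MPS documentation; `MPSPrivAcct-xxxx` is the placeholder used above, and the list of principals treated as too broad is an assumption.

```powershell
# Added example: audit read access on the MPS plans-database registry key.
# Key path is taken from the error message; run from an elevated prompt on the MPS server.
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Provisioning\CustomerPlansDb'
$Expected = 'MPSPrivAcct-xxxx'   # placeholder: your deployment's stored-credential account

# Assumption: principals that should NOT be able to read the connection string.
$Broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# QueryValues, plus the GENERIC_ALL and GENERIC_READ bits that inherited ACEs may carry.
$ReadMask = ([int][System.Security.AccessControl.RegistryRights]::QueryValues) -bor
            0x10000000 -bor [int]::MinValue

$acl   = Get-Acl -Path $KeyPath -ErrorAction Stop
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$report = foreach ($rule in $rules) {
    # Only allow ACEs are listed; deny ACEs and effective access are not evaluated here.
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (([int]$rule.RegistryRights -band $ReadMask) -eq 0) { continue }

    $sid = $rule.IdentityReference.Value
    try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid }   # orphaned SID: account no longer resolves

    [pscustomobject]@{
        Account   = $name
        Sid       = $sid
        Rights    = $rule.RegistryRights
        Inherited = $rule.IsInherited
        TooBroad  = $Broad.ContainsKey($sid)
    }
}

$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.Account -like "*\$Expected" })) {
    Write-Warning "No direct read ACE for $Expected; check whether it gets access through a group."
}
if ($report | Where-Object { $_.TooBroad }) {
    Write-Warning "A broad principal can read $KeyPath; the connection string is exposed to ordinary users."
}
```

A reseller account appearing in this list would remove the error, but it would also bypass the stored-credential design described above, so the fix belongs in the procedure's "Execute As" setting rather than in the key's ACL.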
I wrote a whitepaper that provides more detail on this and other security settings and MPS configurations:
http://go-planet.com/community/files/folders/207/download.aspx
Hope this helps someone!