Last post on this. Here is my problem - unfortunately none of the fixes work. Like I said though, I have removed 2003 and installed 2000 - although I just discovered problems with it as well. So I did what I should have done in the first place - moved everything to my Linux box where all is good.
Each application pool has an identity (account) under which it runs. By default, this identity is NT AUTHORITY\NETWORK SERVICE. This account is built in and entirely controlled by the system. It has all the necessary rights to log on as a service, and the password is dealt with internally. The big problem with the Network Service identity is that it's pretty much useless for accessing remote resources. So there are more or less two solutions to such an issue: impersonate a user in your application, or make the whole application run under a different account.
Let's say that Administrator Al sets up a new application pool to run under the account he just created called AlsWebpageServiceAccount. With this all complete, Al browses over to
Lo and behold, Al's Webpage doesn't show up; instead he gets a nice error: “Service Unavailable”. Let's take a look at what Al can do to correct this.
Step one, as always, is to go and take a look at what's going on in the event viewer (start>run>eventvwr.msc). There are a couple of entries that will be of interest to Al: Stop Errors and Warnings in the System log from W3SVC, and Failure Audits (you should have logon failure auditing enabled) in the Security log. Here's a sample of what I produced in my event logs:
This is the generic IIS error that says something is screwed up with your app pool settings (probably its identity):
Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1059
Date: 9/20/2003
Time: 11:48:27 AM
User: N/A
Computer: BERYLLIUM
Description:
A failure was encountered while launching the process serving application pool 'BlogPostTest'. The application pool has been disabled.
For more information, see Help and Support Center at
Here's the tip off that it's an identity issue:
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 1057
Date: 9/20/2003
Time: 11:48:27 AM
User: N/A
Computer: BERYLLIUM
Description:
The identity of application pool 'BlogPostTest' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled.
For more information, see Help and Support Center at
Finally, the failure audit in the Security log:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Date: 9/20/2003
Time: 11:48:08 AM
User: NT AUTHORITY\SYSTEM
Computer: BERYLLIUM
Description:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: AlsWebpageServiceAccount
Domain: GREENVIEW
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: BERYLLIUM
Caller User Name: BERYLLIUM$
Caller Domain: GREENVIEW
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 640
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at
The security failure audit is really the most useful one here. Take a look at the reason: “The user has not been granted the requested logon type at this machine”. The Logon Type says that the user is trying to log on as a service. So, combine the reason and the logon type code, and Al now knows that his Website Service Account doesn't have rights to log on as a service. This is certainly fixable. Here's how:
Open the server's local security policy (start>run>secpol.msc), expand Local Policies and browse to User Rights Assignment. Once in User Rights Assignment, open up the “Log on as a service” right. Any account or group in this list will be able to log on as a service. So, click Add User or Group, and then type in or browse for the app pool's new service account. Once the right is granted, Al will need to reboot his server. Security settings are applied during the startup phase of any NT/2000/XP/2003 machine.
After all this, Al's new website should, and most likely will, work. If there are still issues with Service Unavailable, the next step is to read deeper into the warning messages from W3SVC, as they more than likely contain the problem.
I hope this info is useful, feel free to leave comments/send mail regarding future break/fix posts.
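The triage described above, as an added example that is not from the original post: it reads events exported as text in the layout shown above and pairs each W3SVC 1057 warning with any Security 534 failure audit logged shortly before it, so the failing account, logon type and reason appear next to the disabled pool. The function names, the five-minute window and the trimmed sample input are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: two of the events above as exported text, trimmed to the fields used.
SAMPLE = """\
Event Type: Warning
Event Source: W3SVC
Event ID: 1057
Date: 9/20/2003
Time: 11:48:27 AM
The identity of application pool 'BlogPostTest' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool.
Event Type: Failure Audit
Event Source: Security
Event ID: 534
Date: 9/20/2003
Time: 11:48:08 AM
Reason: The user has not been granted the requested
logon type at this machine
User Name: AlsWebpageServiceAccount
Domain: GREENVIEW
Logon Type: 4
"""

def grab(pattern, text):
    """First capture group with whitespace collapsed (rejoins wrapped lines), or None."""
    m = re.search(pattern, text, re.S)
    return " ".join(m.group(1).split()) if m else None

def parse_events(text):
    """Split an export on 'Event Type:' and read each record's 'Field: value' lines."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        f = dict(re.findall(r"(?m)^[ \t]*([A-Za-z ]+?):[ \t]*(.*)$", chunk))
        if {"Event Source", "Event ID", "Date", "Time"} <= f.keys():
            when = datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p")
            events.append({**f, "when": when, "raw": chunk})
    return events

def correlate(events, window=timedelta(minutes=5)):
    """Pair each W3SVC 1057 with Security 534 failure audits logged up to `window` before it."""
    audits = [e for e in events if (e["Event Source"], e["Event ID"]) == ("Security", "534")]
    warns = [e for e in events if (e["Event Source"], e["Event ID"]) == ("W3SVC", "1057")]
    return [{"pool": grab(r"application pool '([^']+)'", w["raw"]),
             "account": a.get("Domain", "?") + "\\" + a.get("User Name", "?"),
             "logon_type": a.get("Logon Type"),
             "reason": grab(r"Reason:(.*?)User Name:", a["raw"])}
            for w in warns for a in audits
            if timedelta(0) <= w["when"] - a["when"] <= window]
```

Calling `correlate(parse_events(SAMPLE))` returns one finding that ties pool BlogPostTest to the failed logon of GREENVIEW\AlsWebpageServiceAccount.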