Monday, July 17, 2006

Don't Forget Those Domain Accounts

I got a call today stating that one of the reporting servers at my client's location was down (SQL Server 2000 Reporting Services). We haven't touched anything on that machine for a few days, so I was pretty sure that it wasn't anything with the server itself.

When I finally arrived onsite, I opened a web browser to the URL: http://server/reports

The response was simply a generic "Server Application Unavailable" message. Ok, time to troubleshoot.

I first looked at the Application Event Log. There was a message logged, but it didn't tell me anything special:

aspnet_wp.exe could not be started. The error code for the failure is 80004005. This error can be caused when the worker process account has insufficient rights to read the .NET Framework files. Please ensure that the .NET Framework is correctly installed and that the ACLs on the installation directory allow access to the configured account.


Ok, so it did tell me that the problem likely involved the worker account. Now, normally, the ASP.NET worker account is the ASPNET user on Windows XP and the NETWORK SERVICE account on Windows 2003. However, just to make sure, I took a peek at the Machine.config file, and discovered that in this case, my client had changed the ASP.NET worker account to a domain account instead. It was a good thing that I double-checked: there's nothing worse than spinning your wheels trying to fix a problem using the wrong user ID.

Out of curiosity, I also took a peek at the Security Event Log since the client has auditing enabled on all of their servers. I found some failures logged:


Logon Failure:
Reason: Account currently disabled
User Name: someuser
Domain: somedomain
Logon Type: 8
Logon Process: Advapi


Wouldn't you know it: the same domain account that was specified as the ASP.NET worker account (SOMEDOMAIN\SomeUser in this case) was disabled, per this Logon Failure event message. Well, that would explain why the ASP.NET process could not start!
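The check described above, as an added example that is not part of the original post: it reads the worker identity from a machine.config fragment and lists the Logon Failure entries recorded for that account. The config fragment, the second log entry and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: machine.config fragment naming a domain worker account.
MACHINE_CONFIG = """<configuration><system.web>
  <processModel enable="true" userName="SOMEDOMAIN\\SomeUser" password="constructed" />
</system.web></configuration>"""

# Constructed sample: Security log text in the layout quoted in the post.
SECURITY_LOG = """Logon Failure:
Reason: Account currently disabled
User Name: someuser
Domain: somedomain
Logon Type: 8
Logon Process: Advapi

Logon Failure:
Reason: Unknown user name or bad password
User Name: otheruser
Domain: somedomain
Logon Type: 3
Logon Process: NtLmSsp
"""

BUILT_IN = {"machine", "system"}  # processModel values for ASPNET / LocalSystem

def worker_account(config_xml):
    """Return (domain, user) lower-cased, or None for a built-in identity."""
    node = next(ET.fromstring(config_xml).iter("processModel"), None)
    name = (node.get("userName") if node is not None else None) or "machine"
    if name.lower() in BUILT_IN:
        return None
    domain, _, user = name.rpartition("\\")
    return domain.lower(), user.lower()

def logon_failures(log_text):
    """Yield one dict of 'Field: value' pairs per Logon Failure block."""
    for block in re.split(r"(?m)^Logon Failure:\s*$", log_text)[1:]:
        yield dict(re.findall(r"(?m)^([^:\n]+):[ \t]*(.*?)[ \t]*$", block))

def worker_account_failures(config_xml, log_text):
    """Logon failures recorded against the configured ASP.NET worker account."""
    account = worker_account(config_xml)
    return [e for e in logon_failures(log_text) if account is not None and
            (e.get("Domain", "").lower(), e.get("User Name", "").lower()) == account]

if __name__ == "__main__":
    for event in worker_account_failures(MACHINE_CONFIG, SECURITY_LOG):
        print(event["Domain"], event["User Name"], "->", event["Reason"])
```

The comparison is case-insensitive because the config file and the event log can record the same account in different case, as they do here.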

In this enterprise, domain accounts are set to automatically disable after a set time period. This is done to help prevent an unused account from remaining active and potentially becoming a security exposure. There is normally a process to renew an account before it becomes inactive, but sometimes one will slip through the process, as happened this time.