MOSS MVP


Wednesday, September 10, 2008

Windows Server 2008 Default Impersonation Level Must Be Identify

If you're configuring a Windows Server 2008 environment with SharePoint 2007 and are planning on using Kerberos, make sure that you do NOT set the default impersonation level for the server to Delegate, as recommended in this support article: http://support.microsoft.com/kb/953130 (note that Microsoft is working on updating this support article to reflect the differences with Windows Server 2008). If you do make this change, you will run into all kinds of issues with timer-job-related activities such as creating web applications and applying hotfixes or service packs.

The following is an example of what you'll find in your log files if you attempt to install a hotfix or service pack:

[SPHierarchyManager] [DEBUG] [8/5/2008 1:00:48 PM]: ------------------- Begin Growing Tree -------------------
[SPManager] [DEBUG] [8/5/2008 1:00:48 PM]: Using cached [SPWebApplication Name=SharePoint Teams (80) Parent=SPWebService] CanUpgrade value: True.
[SPManager] [DEBUG] [8/5/2008 1:00:48 PM]: Using cached [SPWebApplication Name=SharePoint Teams (80) Parent=SPWebService] NeedsUpgrade value: False.
[SPManager] [ERROR] [8/5/2008 1:00:48 PM]: Upgrade [SPWebApplication Name=SharePoint Teams (80) Parent=SPWebService] failed.
[SPManager] [ERROR] [8/5/2008 1:00:48 PM]: Access is denied.
[SPManager] [ERROR] [8/5/2008 1:00:48 PM]:    at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.ChildEnumerator..ctor(DirectoryEntry container)
   at System.DirectoryServices.DirectoryEntries.GetEnumerator()
   at Microsoft.SharePoint.Administration.SPIisWebSite.LookupByServerComment(String serverComment, Int32& instanceId)
   at Microsoft.SharePoint.Administration.SPWebApplication.GetLocalIisWebSites()
   at Microsoft.SharePoint.Upgrade.SPWebApplicationSequence.AddNextLevelObjects()
   at Microsoft.SharePoint.Upgrade.SPHierarchyManager.Grow(SPTree`1 root, Boolean bRecursing)
   at Microsoft.SharePoint.Upgrade.SPHierarchyManager.Grow(SPTree`1 root)
   at Microsoft.SharePoint.Upgrade.SPManager.Upgrade(Object o, Boolean bRecurse)

 

The following is an example of some of the errors you may find in your event logs as the result of various timer job failures:

Log Name:      Application
Source:        Windows SharePoint Services 3
Date:          7/21/2008 5:34:52 PM
Event ID:      6398
Task Category: Timer
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Test-SPWFE1
Description:
The Execute method of job definition Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID 7d6130ec-41cf-4c9c-9fe2-1d1d43c276e0) threw an exception. More information is included below.

Access is denied.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Windows SharePoint Services 3" />
    <EventID Qualifiers="0">6398</EventID>
    <Level>2</Level>
    <Task>964</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2008-07-21T23:34:52.000Z" />
    <EventRecordID>3106</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Test-SPWFE1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob</Data>
    <Data>7d6130ec-41cf-4c9c-9fe2-1d1d43c276e0</Data>
    <Data>Access is denied.
</Data>
  </EventData>
</Event>

-------------------------------

Log Name:      Application
Source:        Office SharePoint Server
Date:          7/21/2008 5:34:52 PM
Event ID:      7076
Task Category: Office Server Shared Services
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Test-SPWFE1
Description:
An exception occurred while executing the Application Server Administration job.

Message: Access is denied.

Techinal Support Details:
System.Runtime.InteropServices.COMException (0x80070005): Access is denied.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.CheckIsContainer()
   at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.Find(String name)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.get_Item(String name)
   at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionIisApplicationPool(String name, ApplicationPoolIdentityType identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.SharePoint.Administration.SPMetabaseManager.ProvisionIisApplicationPool(String name, Int32 identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.Office.Server.Administration.SharedWebServiceInstance.CreateSharedWebServiceApplicationPool(SharedResourceProvider srp)
   at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Office SharePoint Server" />
    <EventID Qualifiers="0">7076</EventID>
    <Level>2</Level>
    <Task>1328</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2008-07-21T23:34:52.000Z" />
    <EventRecordID>3105</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Test-SPWFE1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Access is denied.
</Data>
    <Data>System.Runtime.InteropServices.COMException (0x80070005): Access is denied.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.CheckIsContainer()
   at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.Find(String name)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.get_Item(String name)
   at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionIisApplicationPool(String name, ApplicationPoolIdentityType identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.SharePoint.Administration.SPMetabaseManager.ProvisionIisApplicationPool(String name, Int32 identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.Office.Server.Administration.SharedWebServiceInstance.CreateSharedWebServiceApplicationPool(SharedResourceProvider srp)
   at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)</Data>
  </EventData>
</Event>

----------------------------------

Log Name:      Application
Source:        Office SharePoint Server
Date:          7/21/2008 5:34:51 PM
Event ID:      6482
Task Category: Office Server Shared Services
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Test-SPWFE1

Description:
Application Server Administration job failed for service instance Microsoft.Office.Server.Search.Administration.SearchAdminSharedWebServiceInstance (c8e14f74-dd92-4c7e-8ab0-f696e65886e5).

Reason: Access is denied.

Techinal Support Details:
System.Runtime.InteropServices.COMException (0x80070005): Access is denied.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.CheckIsContainer()
   at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.Find(String name)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.get_Item(String name)
   at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionIisApplicationPool(String name, ApplicationPoolIdentityType identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.SharePoint.Administration.SPMetabaseManager.ProvisionIisApplicationPool(String name, Int32 identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.Office.Server.Administration.SharedWebServiceInstance.Synchronize()
   at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Office SharePoint Server" />
    <EventID Qualifiers="0">6482</EventID>
    <Level>2</Level>
    <Task>1328</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2008-07-21T23:34:51.000Z" />
    <EventRecordID>3104</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Test-SPWFE1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Microsoft.Office.Server.Search.Administration.SearchAdminSharedWebServiceInstance</Data>
    <Data>c8e14f74-dd92-4c7e-8ab0-f696e65886e5</Data>
    <Data>Access is denied.
</Data>
    <Data>System.Runtime.InteropServices.COMException (0x80070005): Access is denied.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.CheckIsContainer()
   at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.Find(String name)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.get_Item(String name)
   at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionIisApplicationPool(String name, ApplicationPoolIdentityType identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.SharePoint.Administration.SPMetabaseManager.ProvisionIisApplicationPool(String name, Int32 identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.Office.Server.Administration.SharedWebServiceInstance.Synchronize()
   at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)</Data>
  </EventData>
</Event>
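
One way to check a server for this condition, as an added example that is not part of the original post: it reads the machine-wide default impersonation level and lists recent occurrences of the three event IDs shown above. It assumes the setting in question is the Component Services (DCOM) default, stored as `LegacyImpersonationLevel` under `HKLM:\SOFTWARE\Microsoft\Ole`, and that PowerShell 2.0 or later is available for `Get-WinEvent`; the function names are hypothetical.

```powershell
# Added example, not code from the original post.
# Assumption: "default impersonation level" is the Component Services (DCOM)
# machine default, stored as LegacyImpersonationLevel under HKLM:\SOFTWARE\Microsoft\Ole.
$levelNames = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Get-DefaultImpersonationLevel {
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction Stop
    # When the value is absent, COM uses Identify (2).
    $raw = if ($null -ne $ole.LegacyImpersonationLevel) { [int]$ole.LegacyImpersonationLevel } else { 2 }
    $name = if ($levelNames.ContainsKey($raw)) { $levelNames[$raw] } else { 'Unknown' }
    New-Object PSObject -Property @{ Value = $raw; Name = $name }
}

function Get-SharePointAccessDeniedEvents {
    param([int]$Days = 7)
    # Event IDs taken from the samples in this post: 6398, 7076, 6482.
    $filter = @{
        LogName   = 'Application'
        Id        = 6398, 7076, 6482
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Access is denied' } |
        Select-Object TimeCreated, Id, ProviderName, MachineName
}

$current = Get-DefaultImpersonationLevel
Write-Output ("Default impersonation level: {0} ({1})" -f $current.Name, $current.Value)
if ($current.Value -ne 2) {
    Write-Warning "Level is not Identify; this post ties that to timer job 'Access is denied' failures."
}

$hits = @(Get-SharePointAccessDeniedEvents -Days 7)
Write-Output ("Matching timer job errors in the last 7 days: {0}" -f $hits.Count)
$hits | Format-Table -AutoSize
```

Run it from an elevated prompt on each SharePoint server in the farm, since the setting is per machine.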

6 comments:

Pedro said...

Hello

Too late, I've seen your post after the configuration and I get exactly these errors. What can I do to remove them? Is there a way back?

Thx

Gary Lapointe said...

Just change the default impersonation level back to identify and all will start working again (at least it did for me).

netDJ said...

Your post helped me big time buddy.

Thanks!

mouse said...

We had this very problem today. Unfortunately, Kerberos doesn't seem to work without it. Any ideas on getting around this problem and keeping Kerberos?

Gary Lapointe said...

Something else is wrong if you need this to get Kerberos working. I'd start from the beginning and make sure that you have all the basics covered (correct SPNs, delegation, DCOM settings, etc.).

K&M Reports said...

Same boat with Kerberos. SPNs are correct. Hmm, Kerberos and MOSS are not fun.