Although I have several computers at home, most of my server roles are running on a single PC. That means Active Directory (AD) domain controller (DC), DNS, DHCP, RIS, WSUS, and print services are all on one box (file services are on my NSLU2) so I figured that adding Virtual Server 2005 R2 to the mix shouldn’t be too big a problem. It’s certainly not good practice, but it works.
Another bad practice is to run internet information services (IIS) on a DC, but I already have IIS installed for WSUS, so adding the Virtual Server administration website should have been reasonably straightforward. Following installation, existing websites on the server were working as expected but any attempt to access the Virtual Server 2005 administration website resulted in an HTTP Error 403 – Forbidden: Access is denied. message, despite entering the domain administrator credentials when prompted (and already being logged on as the domain administrator).
From checking the event log, I found that Virtual Server was logging the following event on startup:
Event Type: Warning
Event Source: Virtual Server
Event Category: Virtual Server
Event ID: 1130
Date: 01/05/2006
Time: 15:28:23
User: NT AUTHORITY\NETWORK SERVICE
Computer: SERVER1
Description:
The service principal names for Virtual Server could not be registered. Constrained delegation cannot be used until the SPNs have been registered manually. Error 0x80072098 – Insufficient access rights to perform the operation.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I tried the steps in Microsoft knowledge base article 890893 but adding the appropriate SPNs to AD didn’t seem to make any difference.
A bit of Googling turned up a blog entry from David Wang which although not completely relevant, contained a reference to a similar problem in the comments. Sure enough, when I checked the IIS logs, the error code was 403 19, as shown below:
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-05-01 21:29:39 W3SVC2 ipaddress GET /VirtualServer/VSWebApp.exe view=1 1024 domainname\Administrator ipaddress Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322) 403 19 1314
I tried David’s advice of switching the IIS DefaultAppPool identity to LocalSystem and that worked (LocalSystem is a very highly-privileged account), but (despite my lackadaisical approach to co-hosting services and the probably security implications) I didn’t really feel that it was an ideal solution and I switched back to Network Service. I then set about trying to work out why the Network Service account (NT AUTHORITY\NETWORK SERVICE) didn’t have the appropriate permissions. Microsoft knowledge base article 332097 looked as if it might be relevant (Microsoft knowledge base article 842493 is similar) but didn’t seem to solve the problem (in any case the IIS_WPG group already had the correct permissions) so I fired up the Local Security Settings MMC snap-in and checked out the user rights assignment in the local security policy.
Because my IIS server is also a DC, many of the user rights normally associated with the Network Service account had been removed (and were overridden by the Default Domain Controllers Policy). NT AUTHORITY\NETWORK SERVICE was also missing from the IIS worker process group (IIS_WPG) membership (and could not be added as it is a local account) so I edited the local security policy and the Default Domain Controllers Policy (another bad practice – I should really have created a new policy for DCs running IIS) as follows:
- Replace a process-level token (Default Domain Controllers Policy).
- Adjust memory quotas for a process (Default Domain Controllers Policy).
- Generate security audits (Default Domain Controllers Policy).
- Log on as a batch job (Default Domain Controllers Policy).
- Impersonate a client after authentication (local security policy).
The following user rights were already in existence:
- Bypass traverse checking (inherited from Everyone).
- Access this computer from the network (inherited from Everyone).
- Log on as a service (Default Domain Controllers Policy).
After forcing a group policy refresh (using gpupdate /force) and issuing the iisreset command, I was able to access the Virtual Server administration website as expected; although the event 1130 warnings are still being recorded in the event log, along with event 1129 since I enabled the virtual machine remote control (VMRC) server:
Event Type: Warning
Event Source: Virtual Server
Event Category: Remote Control
Event ID: 1029
Date: 04/05/2006
Time: 21:19:18
User: NT AUTHORITY\NETWORK SERVICE
Computer: SERVER1
Description:
The service principal name for the VMRC server could not be registered. Automatic authentication will always use NTLM authentication. Error 0x80072098 – Insufficient access rights to perform the operation.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I stress that running multiple services on a single PC (even with proper server hardware) is not a good idea; nor is running IIS on a DC; and neither is editing either the Default Domain Policy or the Default Domain Controllers Policy. If you need to do it though, hopefully these notes will help to work out why processes that rely on the Network Service account are not working as they should.
I had the same problem accessing the admin website. After googling a while, a found this blog.
I could solve the problem after reading the comments.
The installation by default creates an application pool for the virtual server, but the website is associated to the default application pool. So, don’t change the user of the default, but change the application pool of the website.
Hope you find this comment useful.
Hi Anonymous,
Thanks for your comment – certainly a useful one – but on my machine the Virtual Server Application Pool appears as a child of DefaultAppPool and is not available for selection in the home directory properties for the Virtual Server website. Maybe that’s another anomaly caused by my virtual server host also being a domain controller?
Mark
use adsiedit.msc to set security on the DC in question. go to properties of the Domain Controller, go to the Security Tab, click Advanced, add NETWORK SERVICE and specify on the Property tab that this if for “This Object Only” and grant Read servicePrincipalName and Write servicePrincipalName.
Reset the Virtual Server service and do an iisreset (optional).
Very usefull!
The instructions were great and they worked like a charm.
Many thanks.
Hi,
Sekou thanks for the great tip. I found that this very usefull, but then found I got a “An error has occured during the creation of Service Connection points for Virtual Server in Active Directory” warning in the Virtual Server logfiles.
I solved this by adding the specific rights create serviceConnectionPoint and delete serviceConnectionPoint to the security using the same principles as detailed by Sekou.
Les
PS: The comment from David Wang in the comments to the blog entry linked to above regarding being unable to access the “Virtual Server Administration Website” due to security restrictions when using a RDP connection to the server are also very helpful.
AMAZING BLOG POST & COMMENTS!
I can’t believe I came across this post. Thanks so much for sharing the wealth of info here!
thank you for sharing! really useful information!
Thanks for the note, I was having this exact problem and after adding the permissions you mentioned, it’s fixed. Thanks again!
I had the exact same issue even after entering the SPNs and creating the new policies. I still haven’t “resolved” the issue, but did fix it by keeping the host machine as a domain member server and letting it host the virtual domain controller. Others have mentioned that this would cause log-on problems in that they doubted that virtual server runs when not logged on to the host. This is as far from reality as possible. Any guest system can be set to start when the host powers up and cen even be set to a delayed startup to avoid any problems with resources not being available. So I have set this option and now my host computer sits idle hosting 3 virtual machines and I no longer have the error message in event viewer. Not an ideal solution, but one that works.