Troubleshooting steps for HTTP 503 - Service Unavailable ... steps for...Troubleshooting steps for HTTP 503 - Service Unavailable ... General troubleshooting tips a. The configuration cache mechanism of IIS is unpredictable

  • Published on
    20-Apr-2018

  • View
    215

  • Download
    2

Embed Size (px)

Transcript

<ul><li><p> All rights reserved to Smart-X Software Solutions LTD. </p><p>Troubleshooting steps for "HTTP 503 - Service Unavailable" </p><p>error on web applications based on ASP.NET 2.0 </p><p>Operating System: Windows 2000 / 2003 </p><p>The following document walks you through some troubleshooting steps in order to </p><p>overcome HTTP 503 error when accessing an ASP.NET application over IIS. </p><p>The procedure should be executed using an administrator account. </p><p>1. General troubleshooting tips </p><p>a. The configuration cache mechanism of IIS is unpredictable. Unless you are </p><p>part of IIS development team, it is recommended to reset IIS after each </p><p>change you make. </p><p>Start Run iisreset </p><p>b. Each time you get the 'Service Unavailable' error, the application pool is </p><p>disabled by IIS. Therefore, you must re-enable it before you retry to access </p><p>the application. The detailed procedure is specified later in this document </p><p>(Step 4, section F) </p><p>2. Step 1 Verify that required components are installed </p></li><li><p> All rights reserved to Smart-X Software Solutions LTD. </p><p>iii. If the application's URL is </p><p>http://iissrv01:8080/SomeApp/default.aspx then you should look </p><p>for a web site with state 'Running' and port 8080. </p><p>d. Once you identified the Web Site, expand it on the left pane and look for the </p><p>application's name (as specified in the URL). For example: </p><p>i. If the application's URL is http://iissrv01/SomeApp/default.aspx </p><p>then the application's name is 'SomeApp' </p><p>e. Right click on the application's name on the left pane and select 'Properties' </p><p>f. Note the string in the 'Local Path' text box. It will be used later in this </p><p>documents and will be referred to as 'Virtual Directory Path' </p><p>http://iissrv01:8080/SomeApp/default.aspxhttp://iissrv01/SomeApp/default.aspx</p></li><li><p> All rights reserved to Smart-X Software Solutions LTD. </p><p>4. Step 3 Verify application's properties </p><p>a. Verify that the application is configured as Web Application and not as </p><p>normal Virtual Directory </p><p>i. Under the 'Application Settings' group on the bottom of the </p><p>window, look for the 'Remove' or 'Create' button. If the button's </p><p>name is Create, it means that application is not configured properly. </p><p>If the name is 'Remove', it means that the application is configured </p><p>as ASP.NET application. Example: </p><p>OK NOT OK </p><p>ii. If the application is not configured as ASP.NET application, click on </p><p>the 'Create' button to convert it to application. </p><p>iii. Note the Application Pool's name that is configured under </p><p>'Application Pool'. It will be used later in this document. </p><p>b. Verify the correct ASP.NET version </p><p>i. Switch to ASP.NET tab </p></li><li><p> All rights reserved to Smart-X Software Solutions LTD. </p><p>ii. Verify that the selected version under 'ASP.NET Version' drop down </p><p>list is '2.0.50727'. </p><p>c. Note which user is used to access the Virtual Directory. </p><p>i. Switch to 'Directory Security' tab </p><p>ii. Click on 'Edit' </p><p>iii. Check if 'Enable Anonymous access' is selected. If it is selected, note </p><p>the user name specified. This account will be used later in this </p><p>document and will be referred as 'Virtual Directory User ' </p><p>5. Step 4 - Verify Application Pool properties </p><p>a. On the left pane of IIS Manager, Expand Application </p><p>Pools </p><p>b. Right click on the relevant application pool (Identified in Step 3) and select </p><p>properties </p><p>c. Switch to 'Identify' tab and note whether the pool is configured to run under </p><p>'Predefined' or under 'Configurable'. </p><p>d. If the pool is configured to run as 'Configurable', make sure you are using </p><p>the correct credentials and re-enter them. </p><p>e. If the pool is configured to run as 'Predefined', note the account selected: </p><p>i. Network Service is actually the 'NETWORK SERVICE' account on the </p><p>local machine </p><p>ii. Local Service is actually the 'LOCAL SERVICE' account on the local </p><p>machine. </p></li><li><p> All rights reserved to Smart-X Software Solutions LTD. </p><p>iii. Local System is actually the 'SYSTEM' account on the local machine </p><p>f. If the application pool is stopped, click on the button to start it. Note </p><p>that even if the pool is not configured correctly, it will start at this point with </p><p>no error message. </p><p>g. The account used to run the application pool will be used later in this </p><p>document and referred as 'Application Pool User' </p><p>6. Step 5 Verify Permissions </p><p>a. Verify permissions for the Application Pool User (Identified in step 4). </p><p>The Application pool user should be member of the local IIS_WPG group: </p><p>i. launch Computer Management </p><p>Start Run Compmgmt.msc </p><p>ii. On the left pane, expand Computer Management Local users and </p><p>groups Groups </p><p>iii. On the right pane, double click 'IIS_WPG' </p><p>iv. Verify that the application pool user identified in step 4 exists in the </p><p>list. If it doesn't, add it to the group. </p><p>b. Verify permissions for the Virtual Directory User (Identified in step 3) </p><p>The Virtual Directory User should have NTFS permissions over Virtual </p><p>Directory Path (Identified in step 2) </p><p>i. Using Windows Explorer, browse to the Virtual Directory Path folder </p><p>ii. Right click on the folder and select 'Properties' </p><p>iii. Switch to 'Security' tab </p><p>iv. Verify that the Virtual Directory User has at least 'Read and Execute' </p><p>permissions over the folder. </p><p>7. Step 6 - Verify security privileges </p><p>a. Launch Local Group Policy MMC snap in </p><p>Start run gpedit.msc </p><p>b. On the left pane, expand the following path: </p><p>Local Computer Policy Computer Configuration Windows Settings </p><p>Security Settings Local Policies User Rights Assignment </p><p>c. On the right pane, locate the 'Log on as batch job' entry and double click it. </p><p>d. Verify that the group 'IIS_WPG' (or the actual account specified to run the </p><p>pool) exists in the list. If it isn't, add it using the 'Add user or group' button. </p><p>e. Repeat step C and D for the following policies: </p></li><li><p> All rights reserved to Smart-X Software Solutions LTD. </p><p>i. Access this computer from the network </p><p>ii. Bypass traverse checking </p><p>f. In some situations, the 'Add user or group' button will be grayed out. The </p><p>most common causes for this problem are: </p><p>i. The account you are using is not member of the local </p><p>'Administrators' group </p><p>ii. The security policy is applied from the domain. In this case you will </p><p>need the assistant of you system administrator in order to help you </p><p>add the relevant account in the relevant group policy object. The </p><p>relevant group policy object can be identified by launching: </p><p>Start Run rsop.msc </p><p>8. Additional troubleshooting steps </p><p>a. Check the event log for hints: </p><p>Start Run eventvwr </p><p>i. Before each time you test the application, clear the System and </p><p>Security Log </p><p>ii. When starting to troubleshoot, configure auditing for 'Privilege Use': </p><p>1. Open Local Group Policy </p><p>Start Run gpedit.msc </p><p>2. On the left pane, expand the following path: </p><p>Local Computer Policy Computer Configuration </p><p>Security Settings Local Policies Audit Policy </p><p>3. On the right pane, double click 'Audit privilege use' </p><p>4. Make sure 'Failure' is selected </p><p>iii. After each time you test if the application works, check the Security </p><p>Log for 'Failure Audit' events. </p><p>1. Failure Audits from category 'Logon/Logoff' (Event ID 534) </p><p>indicates that the configured account does not have the </p><p>'Logon as Batch Job' security right. Follow step 6. </p><p>2. Failure Audits from category 'Logon/Logoff' (event ID 529) </p><p>indicates that the credentials of the configured accounts (for </p><p>the application pool or the virtual directory) are incorrect. </p><p>Try to reconfigure it. </p></li><li><p> All rights reserved to Smart-X Software Solutions LTD. </p><p>3. Failure Audits from category 'Privilege Use' indicates that </p><p>the relevant account does not have sufficient privileges. In </p><p>order to fix this type of error, you will have to open the </p><p>event and look for the user account and the required </p><p>privilege. When this event occurs, you will need to identify </p><p>the right that is specified in the event and map it to the </p><p>friendly name that is specified in the Group Policy Object </p><p>Editor. Use Google in order to find the friendly name. </p><p>iv. Check the System event log for warning and error events from </p><p>source W3SVC. Those events will give you a good starting point </p><p>when looking for further assistant in the web. </p><p>b. Use Microsoft's (Sysinternals) ProcMon </p><p>i. Logon to console session of the server. </p><p>start run mstsc /console or mstsc /admin (depends on the </p><p>version) </p><p>ii. Verify that you are using the console session </p><p>Start Run taskmgr Users tab verify that your account's ID </p><p>is 0 (zero) </p><p>iii. Download procmon from the following URL: </p><p>http://live.sysinternals.com/procmon.exe </p><p>iv. Open procmon, perform the test while procmon is running and look </p><p>for ACCESS_DENIED entries. </p><p>9. Additional resources </p><p>a. http://blogs.iis.net/brian-murphy-booth/archive/2007/03/22/how-to-</p><p>troubleshoot-an-iis-event-id-1009-error.aspx </p><p>b. http://www.15seconds.com/Issue/020123.htm </p><p>c. http://msdn.microsoft.com/en-us/library/ms178643.aspx </p><p>d. http://support.microsoft.com/kb/815166 </p>http://live.sysinternals.com/procmon.exehttp://blogs.iis.net/brian-murphy-booth/archive/2007/03/22/how-to-troubleshoot-an-iis-event-id-1009-error.aspxhttp://blogs.iis.net/brian-murphy-booth/archive/2007/03/22/how-to-troubleshoot-an-iis-event-id-1009-error.aspxhttp://www.15seconds.com/Issue/020123.htmhttp://msdn.microsoft.com/en-us/library/ms178643.aspxhttp://support.microsoft.com/kb/815166</li></ul>