troubleshooting steps for http 503 - service unavailable ... steps for... · troubleshooting steps...
Post on 20-Apr-2018
219 Views
Preview:
TRANSCRIPT
© All rights reserved to Smart-X Software Solutions LTD.
Troubleshooting steps for "HTTP 503 - Service Unavailable"
error on web applications based on ASP.NET 2.0
Operating System: Windows 2000 / 2003
The following document walks you through some troubleshooting steps in order to
overcome HTTP 503 error when accessing an ASP.NET application over IIS.
The procedure should be executed using an administrator account.
1. General troubleshooting tips
a. The configuration cache mechanism of IIS is unpredictable. Unless you are
part of IIS development team, it is recommended to reset IIS after each
change you make.
Start Run iisreset
b. Each time you get the 'Service Unavailable' error, the application pool is
disabled by IIS. Therefore, you must re-enable it before you retry to access
the application. The detailed procedure is specified later in this document
(Step 4, section F)
2. Step 1 – Verify that required components are installed <LINK TO 'Installation
CheckList…>
3. Step 2 – Identify the problematic application
a. Launch IIS Manager
Start Run inetmgr
b. On the left pane, Expand <local computer> Web Sites
c. Look for the appropriate web site according to the 'State' and the 'Port'
column as it appears in the table on the right pane.
Some examples:
i. If the application's URL is http://iissrv01/SomeApp/default.aspx
then you should look for a web site with state 'Running' and port 80.
ii. If the application's URL is https://iissrv01/SomeApp/default.aspx
then you should look for a web site with state 'Running' and port
443.
© All rights reserved to Smart-X Software Solutions LTD.
iii. If the application's URL is
http://iissrv01:8080/SomeApp/default.aspx then you should look
for a web site with state 'Running' and port 8080.
d. Once you identified the Web Site, expand it on the left pane and look for the
application's name (as specified in the URL). For example:
i. If the application's URL is http://iissrv01/SomeApp/default.aspx
then the application's name is 'SomeApp'
e. Right click on the application's name on the left pane and select 'Properties'
f. Note the string in the 'Local Path' text box. It will be used later in this
documents and will be referred to as 'Virtual Directory Path'
© All rights reserved to Smart-X Software Solutions LTD.
4. Step 3 – Verify application's properties
a. Verify that the application is configured as Web Application and not as
normal Virtual Directory
i. Under the 'Application Settings' group on the bottom of the
window, look for the 'Remove' or 'Create' button. If the button's
name is Create, it means that application is not configured properly.
If the name is 'Remove', it means that the application is configured
as ASP.NET application. Example:
OK NOT OK
ii. If the application is not configured as ASP.NET application, click on
the 'Create' button to convert it to application.
iii. Note the Application Pool's name that is configured under
'Application Pool'. It will be used later in this document.
b. Verify the correct ASP.NET version
i. Switch to ASP.NET tab
© All rights reserved to Smart-X Software Solutions LTD.
ii. Verify that the selected version under 'ASP.NET Version' drop down
list is '2.0.50727'.
c. Note which user is used to access the Virtual Directory.
i. Switch to 'Directory Security' tab
ii. Click on 'Edit'
iii. Check if 'Enable Anonymous access' is selected. If it is selected, note
the user name specified. This account will be used later in this
document and will be referred as 'Virtual Directory User '
5. Step 4 - Verify Application Pool properties
a. On the left pane of IIS Manager, Expand <local computer> Application
Pools
b. Right click on the relevant application pool (Identified in Step 3) and select
properties
c. Switch to 'Identify' tab and note whether the pool is configured to run under
'Predefined' or under 'Configurable'.
d. If the pool is configured to run as 'Configurable', make sure you are using
the correct credentials and re-enter them.
e. If the pool is configured to run as 'Predefined', note the account selected:
i. Network Service is actually the 'NETWORK SERVICE' account on the
local machine
ii. Local Service is actually the 'LOCAL SERVICE' account on the local
machine.
© All rights reserved to Smart-X Software Solutions LTD.
iii. Local System is actually the 'SYSTEM' account on the local machine
f. If the application pool is stopped, click on the button to start it. Note
that even if the pool is not configured correctly, it will start at this point with
no error message.
g. The account used to run the application pool will be used later in this
document and referred as 'Application Pool User'
6. Step 5 – Verify Permissions
a. Verify permissions for the Application Pool User (Identified in step 4).
The Application pool user should be member of the local IIS_WPG group:
i. launch Computer Management
Start Run Compmgmt.msc
ii. On the left pane, expand Computer Management Local users and
groups Groups
iii. On the right pane, double click 'IIS_WPG'
iv. Verify that the application pool user identified in step 4 exists in the
list. If it doesn't, add it to the group.
b. Verify permissions for the Virtual Directory User (Identified in step 3)
The Virtual Directory User should have NTFS permissions over Virtual
Directory Path (Identified in step 2)
i. Using Windows Explorer, browse to the Virtual Directory Path folder
ii. Right click on the folder and select 'Properties'
iii. Switch to 'Security' tab
iv. Verify that the Virtual Directory User has at least 'Read and Execute'
permissions over the folder.
7. Step 6 - Verify security privileges
a. Launch Local Group Policy MMC snap in
Start run gpedit.msc
b. On the left pane, expand the following path:
Local Computer Policy Computer Configuration Windows Settings
Security Settings Local Policies User Rights Assignment
c. On the right pane, locate the 'Log on as batch job' entry and double click it.
d. Verify that the group 'IIS_WPG' (or the actual account specified to run the
pool) exists in the list. If it isn't, add it using the 'Add user or group' button.
e. Repeat step C and D for the following policies:
© All rights reserved to Smart-X Software Solutions LTD.
i. Access this computer from the network
ii. Bypass traverse checking
f. In some situations, the 'Add user or group' button will be grayed out. The
most common causes for this problem are:
i. The account you are using is not member of the local
'Administrators' group
ii. The security policy is applied from the domain. In this case you will
need the assistant of you system administrator in order to help you
add the relevant account in the relevant group policy object. The
relevant group policy object can be identified by launching:
Start Run rsop.msc
8. Additional troubleshooting steps
a. Check the event log for hints:
Start Run eventvwr
i. Before each time you test the application, clear the System and
Security Log
ii. When starting to troubleshoot, configure auditing for 'Privilege Use':
1. Open Local Group Policy
Start Run gpedit.msc
2. On the left pane, expand the following path:
Local Computer Policy Computer Configuration
Security Settings Local Policies Audit Policy
3. On the right pane, double click 'Audit privilege use'
4. Make sure 'Failure' is selected
iii. After each time you test if the application works, check the Security
Log for 'Failure Audit' events.
1. Failure Audits from category 'Logon/Logoff' (Event ID 534)
indicates that the configured account does not have the
'Logon as Batch Job' security right. Follow step 6.
2. Failure Audits from category 'Logon/Logoff' (event ID 529)
indicates that the credentials of the configured accounts (for
the application pool or the virtual directory) are incorrect.
Try to reconfigure it.
© All rights reserved to Smart-X Software Solutions LTD.
3. Failure Audits from category 'Privilege Use' indicates that
the relevant account does not have sufficient privileges. In
order to fix this type of error, you will have to open the
event and look for the user account and the required
privilege. When this event occurs, you will need to identify
the right that is specified in the event and map it to the
friendly name that is specified in the Group Policy Object
Editor. Use Google in order to find the friendly name.
iv. Check the System event log for warning and error events from
source W3SVC. Those events will give you a good starting point
when looking for further assistant in the web.
b. Use Microsoft's (Sysinternals) ProcMon
i. Logon to console session of the server.
start run mstsc /console or mstsc /admin (depends on the
version)
ii. Verify that you are using the console session
Start Run taskmgr Users tab verify that your account's ID
is 0 (zero)
iii. Download procmon from the following URL:
http://live.sysinternals.com/procmon.exe
iv. Open procmon, perform the test while procmon is running and look
for ACCESS_DENIED entries.
9. Additional resources
a. http://blogs.iis.net/brian-murphy-booth/archive/2007/03/22/how-to-
troubleshoot-an-iis-event-id-1009-error.aspx
b. http://www.15seconds.com/Issue/020123.htm
c. http://msdn.microsoft.com/en-us/library/ms178643.aspx
d. http://support.microsoft.com/kb/815166
top related