Operating System: Windows 2000 / 2003
The following document walks you through troubleshooting steps for resolving the HTTP 503 error when accessing an ASP.NET application over IIS.
The procedure should be executed using an administrator account.
1. General troubleshooting tips
a. The configuration cache mechanism of IIS is unpredictable. Unless you are part of the IIS development team, it is recommended to reset IIS after each change you make.
Start --> Run --> iisreset
b. Each time you get the 'Service Unavailable' error, the application pool is disabled by IIS. Therefore, you must re-enable it before you try to access the application again. The detailed procedure is specified later in this document (Step 4, section F).
2. Step 1 – Verify that the required components are installed <Installation Checklist...>
3. Step 2 – Identify the problematic application
a. Launch IIS Manager
Start --> Run --> inetmgr
b. On the left pane, Expand --> Web Sites
c. Look for the appropriate web site according to the 'State' and 'Port' columns as they appear in the table on the right pane.
Some examples:
i. If the application's URL is http://iissrv01/SomeApp/default.aspx then you should look for a web site with state 'Running' and port 80.
ii. If the application's URL is https://iissrv01/SomeApp/default.aspx then you should look for a web site with state 'Running' and port 443.
iii. If the application's URL is http://iissrv01:8080/SomeApp/default.aspx then you should look for a web site with state 'Running' and port 8080.
d. Once you have identified the Web Site, expand it on the left pane and look for the application's name (as specified in the URL). For example:
i. If the application's URL is http://iissrv01/SomeApp/default.aspx then the application's name is 'SomeApp'
e. Right click on the application's name on the left pane and select 'Properties'
f. Note the string in the 'Local Path' text box. It will be used later in this document and will be referred to as 'Virtual Directory Path'
4. Step 3 – Verify application's properties
a. Verify that the application is configured as a Web Application and not as a normal Virtual Directory
i. Under the 'Application Settings' group at the bottom of the window, look for the 'Remove' or 'Create' button. If the button's name is 'Create', the application is not configured properly (NOT OK). If the name is 'Remove', the application is configured as an ASP.NET application (OK).
ii. If the application is not configured as an ASP.NET application, click on the 'Create' button to convert it to an application.
iii. Note the Application Pool's name that is configured under 'Application Pool'. It will be used later in this document.
b. Verify the correct ASP.NET version
i. Switch to ASP.NET tab
ii. Verify that the selected version under 'ASP.NET Version' drop down list is '2.0.50727'.
c. Note which user is used to access the Virtual Directory.
i. Switch to 'Directory Security' tab
ii. Click on 'Edit'
iii. Check if 'Enable Anonymous access' is selected. If it is selected, note the user name specified. This account will be used later in this document and will be referred to as 'Virtual Directory User'
5. Step 4 - Verify Application Pool properties
a. On the left pane of IIS Manager, Expand --> Application Pools
b. Right click on the relevant application pool (identified in Step 3) and select 'Properties'
c. Switch to the 'Identity' tab and note whether the pool is configured to run under 'Predefined' or under 'Configurable'.
d. If the pool is configured to run as 'Configurable', make sure you are using the correct credentials and re-enter them.
e. If the pool is configured to run as 'Predefined', note the account selected:
i. Network Service is actually the 'NETWORK SERVICE' account on the local machine
ii. Local Service is actually the 'LOCAL SERVICE' account on the local machine.
iii. Local System is actually the 'SYSTEM' account on the local machine
f. If the application pool is stopped, click on the button to start it. Note that even if the pool is not configured correctly, it will start at this point with no error message.
g. The account used to run the application pool will be used later in this document and referred to as 'Application Pool User'
6. Step 5 – Verify Permissions
a. Verify permissions for the Application Pool User (Identified in step 4).
The Application Pool User should be a member of the local IIS_WPG group:
i. Launch Computer Management
Start --> Run --> Compmgmt.msc
ii. On the left pane, expand Computer Management --> Local users and groups --> Groups
iii. On the right pane, double click 'IIS_WPG'
iv. Verify that the application pool user identified in step 4 exists in the list. If it doesn't, add it to the group.
b. Verify permissions for the Virtual Directory User (Identified in step 3)
The Virtual Directory User should have NTFS permissions over Virtual Directory Path (Identified in step 2)
i. Using Windows Explorer, browse to the Virtual Directory Path folder
ii. Right click on the folder and select 'Properties'
iii. Switch to 'Security' tab
iv. Verify that the Virtual Directory User has at least 'Read and Execute' permissions over the folder.
7. Step 6 - Verify security privileges
a. Launch Local Group Policy MMC snap in
Start --> Run --> gpedit.msc
b. On the left pane, expand the following path:
Local Computer Policy --> Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment
c. On the right pane, locate the 'Log on as batch job' entry and double click it.
d. Verify that the group 'IIS_WPG' (or the actual account specified to run the pool) exists in the list. If it doesn't, add it using the 'Add user or group' button.
e. Repeat steps c and d for the following policies:
i. Access this computer from the network
ii. Bypass traverse checking
f. In some situations, the 'Add user or group' button will be grayed out. The most common causes for this problem are:
i. The account you are using is not a member of the local 'Administrators' group
ii. The security policy is applied from the domain. In this case you will need the assistance of your system administrator to add the relevant account in the relevant group policy object. The relevant group policy object can be identified by launching:
Start --> Run --> rsop.msc
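The three entries checked in Step 6 can also be read from a text export of the local policy (secedit /export /cfg rights.inf /areas USER_RIGHTS) instead of opening each one. The following Python script is an added example, not part of the original procedure; the export content is a constructed sample, and it assumes that accounts appear in the export either by name or as a SID prefixed with '*'.

```python
import sys

# Step 6 rights, keyed by the constant names secedit writes to its export.
REQUIRED_RIGHTS = {
    "SeBatchLogonRight": "Log on as a batch job",
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
}

# Constructed sample of an export (not taken from a real server).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,IIS_WPG
SeBatchLogonRight = *S-1-5-19,IUSR_IISSRV01
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {constant: [holders]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # Holders are comma separated; SIDs carry a leading '*'.
            rights[name.strip()] = [h.strip().lstrip("*")
                                    for h in value.split(",") if h.strip()]
    return rights

def missing_rights(inf_text, principals):
    """Friendly names of Step 6 rights that list none of `principals`."""
    wanted = {p.lower() for p in principals}
    granted = parse_privilege_rights(inf_text)
    return [friendly for const, friendly in REQUIRED_RIGHTS.items()
            if not wanted & {h.lower() for h in granted.get(const, [])}]

if __name__ == "__main__":
    # Usage: script.py rights.inf IIS_WPG [other account or SID ...]
    # secedit writes the export as UTF-16; with no arguments use the sample.
    if len(sys.argv) > 2:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text, who = fh.read(), sys.argv[2:]
    else:
        text, who = SAMPLE_EXPORT, ["IIS_WPG"]
    for right in missing_rights(text, who):
        print("NOT granted to %s: %s" % (", ".join(who), right))
```

The check only looks for a direct entry, as the manual step does; a right held through another group (for example Everyone, S-1-1-0) is found only if that group is passed as well.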
8. Additional troubleshooting steps
a. Check the event log for hints:
Start --> Run --> eventvwr
i. Each time before you test the application, clear the System and Security logs
ii. When starting to troubleshoot, configure auditing for 'Privilege Use':
1. Open Local Group Policy
Start --> Run --> gpedit.msc
2. On the left pane, expand the following path:
Local Computer Policy --> Computer Configuration --> Security Settings --> Local Policies --> Audit Policy
3. On the right pane, double click 'Audit privilege use'
4. Make sure 'Failure' is selected
iii. Each time after you test whether the application works, check the Security Log for 'Failure Audit' events.
1. Failure Audits from category 'Logon/Logoff' (Event ID 534) indicate that the configured account does not have the 'Log on as batch job' security right. Follow Step 6.
2. Failure Audits from category 'Logon/Logoff' (Event ID 529) indicate that the credentials of the configured accounts (for the application pool or the virtual directory) are incorrect. Try to reconfigure them.
3. Failure Audits from category 'Privilege Use' indicate that the relevant account does not have sufficient privileges. To fix this type of error, open the event and look for the user account and the required privilege. You will need to identify the right that is specified in the event and map it to the friendly name that is shown in the Group Policy Object Editor. Use Google to find the friendly name.
iv. Check the System event log for warning and error events from source W3SVC. Those events will give you a good starting point when looking for further assistance on the web.
b. Use Microsoft's (Sysinternals) ProcMon
i. Log on to the console session of the server.
Start --> Run --> mstsc /console or mstsc /admin (depends on the version)
ii. Verify that you are using the console session
Start --> Run --> taskmgr --> Users tab --> verify that your account's ID is 0 (zero)
iii. Download procmon from the following URL:
http://live.sysinternals.com/procmon.exe
iv. Open procmon, perform the test while procmon is running and look for ACCESS_DENIED entries.
9. Additional resources
a. http://blogs.iis.net/brian-murphy-booth/archive/2007/03/22/how-to-troubleshoot-an-iis-event-id-1009-error.aspx
b. http://www.15seconds.com/Issue/020123.htm
c. http://msdn.microsoft.com/en-us/library/ms178643.aspx
d. http://support.microsoft.com/kb/815166