Microsoft Knowledge Base Article
This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved.
Terms
of Use |
Trademarks
Article ID: 279148 - Last Review: March 20, 2001 - Revision: 1.1
PRB: Addition of New Application Center Member Fails When Anonymous Password Violates Password Policy
This article was previously published under Q279148
SYMPTOMS
When you add a new member to an Application Center 2000 cluster, the attempt fails with the following error message:
0x800708c5 - The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
The following success events are logged in the security log of the server that is being added
Event ID: 624
Type: Success Audit
Description: User Account Created:
New Account Name: %1 New Domain: %2
New Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges %7
Event ID: 630
Type: Success Audit
Description: User Account Deleted:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges: %7
where %1 is replaced with the Microsoft Internet Information Server (IIS) default anonymous account, usually IUSR_
<Cluster Controller name>.
CAUSE
The account that IIS uses for default anonymous access on the cluster controller does not meet the length or complexity requirements of the password policy for the server that is being added or for the domain that the server belongs to.
RESOLUTION
You must manually change the password for the cluster controller's default IIS anonymous access account. Microsoft recommends that this password be fifteen characters long with a mixture of capital and lower-case letters, numerals, or punctuation. In instances where a custom Passfilt.dll password filter is being used, the password requirements may be more stringent.
The password must be changed in both the Local Users and Groups MMC snap-in and in the Master Properties of the WWW Service.
To change the password for the WWW Service:
- From the Internet Information Services MMC snap-in, right-click the server name, and then click Properties.
- From the Master Properties pull-down list, click WWW Service, and then click Edit.
- Click the Directory Security tab, and then click Edit to edit the anonymous access and authentication settings.
- Click Edit Account (for anonymous access).
- Clear the Allow IIS to control password check box.
- Enter the new password. The new password must match the password that was entered in Local Users and Groups MMC snap-in.
After the password has been changed in both locations, the new member should be able to join the cluster without error. Once the member is added, IIS can again be configured to control the anonymous account password.
MORE INFORMATION
If the default anonymous user account is a local account on the cluster controller, then the Add Member Wizard will attempt to create a local account with the same name and password on the new member server. The initial default anonymous account, IUSR_MACHINENAME, is a local account with a non-expiring password that was created when IIS was installed on the cluster controller with a randomly generated password. If the cluster controller was not a member of a domain when this account was created, or if the local or domain password requirements changed after the default account was created, you may see the error that is noted in the "Symptoms" section when you try to add a new member to the cluster.
You can reproduce this error as follows:
- Create a single-node cluster on a server that is a workgroup member and a local account for the IIS default anonymous account.
- Manually set the default anonymous account password to a value that is illegal for your domain.
- Join the cluster master to your domain.
- Attempt to add another domain member server to your cluster.
REFERENCES
For additional information, click the article number below
to view the article in the Microsoft Knowledge Base:
275139Â
(http://kbalertz.com/Feedback.aspx?kbNumber=275139/EN-US/
)
If You Change the IUSR Account on Application Center 2000, Authentication Failures May Result
APPLIES TO
- Microsoft Application Center 2000 Standard Edition
Community Feedback System
Very often, it takes hours to solve a problem. Very often, you've looked high
and low, and have tried a lot of solutions. When you finally found it, chances
are, it was because someone else helped you. Here's your chance to give back.
Use our community feedback tool to let others know what worked for you and what
didn't.
Please also understand that the community feedback system is not warranted to be
correct, it's simply a system that we've built to let people try and help each
other. If something in a feedback response doesn't make sense to you, or you're
not comfortable making changes that the feedback talks about (like registry
edits), please consult a professional.
Thank you for using kbAlertz.com Feedback System.
-- Scott Cate
Be the first to leave feedback, to help others about this knowledge base
article.
(Optional) Name
(Optional)
Public URL Or Email
Comments
No
HTML -- Text Only Please