CWA 401.2 Error

  • Question

  • When I attempt to access the CWA URL I'm presented with the following error:

    HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.
    Internet Information Services (IIS)

    I have gone through the removal and re-installation of the Communicator Web Access role multiple times and the issue persists. The system is a 64-bit Windows 2003 server dedicated to the CWA role; no other OCS roles are running on this system. Doing some troubleshooting I've discovered that if I add the default DOMAIN\CWAService account to the local Administrators group, CWA renders without an issue and I'm able to log into it without issue. It is only when DOMAIN\CWAService is a standard user, which I believe is the default, that the issue happens. This points me in the direction of a security / permissions issue, but where?

    I'm not seeing any events in the event log that would indicate any type of issue loading the cwaauth.dll ISAPI filter, nor am I seeing anything regarding permission failure. Running filemon and regmon I don't see any type of access denied errors. I'm at a loss as to what is causing this. This is a fresh install of OCS within an Exchange 2007 environment. Any assistance would be much appreciated. I don't really want to run CWA as a local administrator to get this to work.

    It should be noted that this is OCS R2.

    Thanks. 
    -matt 

    Thursday, July 9, 2009 4:07 PM

Answers

  • Matt,

    indeed this is the only policy that this account is part of. However, as indicated in the Activation log file located in
    C:\Documents and Settings\%user_that_installed_cwa%\Local Settings\Temp\CWAActivation[2009_05_06][21_01_02].html
    the domain\CWAService account should also be granted the "Logon As Service" right...
    Also, on the CWA Server, the group RTCComponentUniversalServices (the one that DOMAIN\CWAService is a member of) should be added to the local group IIS_WPG.

    Here is a part from my CWA activation log file, to compare with yours and see if anything went wrong during your service activation. I can email you the complete file if you find it useful; however, I think that if this step does not provide any useful info for your situation, it will be easier to deactivate, uninstall, delete the AD account and start over your installation, possibly on a clean Windows server to eliminate all possible misconfiguration... Here is the part of my log file; hope it helps you out.


    Activate IIS AppPool   Server State: 0x10040016 (ServiceInstalled | ServiceEnabled | DomainAccountCreated | AdTrustedServerCreated | AdServiceSpnReady)
      Success
    Create Service Account CWAService   Service Account: CWAService
    Service Account SAM Name: DOMAIN\CWAService
    Object LDAP: LDAP://CN=CWAService,CN=Users,DC=domain,DC=network
    Domain Controller: iqsrvdc1.domain.network
    Service Account Type: 0x5 (DomainAccount)
    Service State: 0x228 (AccountExists | DomainAccountCreated | UniversalGroupMembershipReady)
      Success
    Create Domain Service Account   Domain Functional Level: Windows 2003 mode or greater
    Global Container DN: CN=Configuration,DC=domain,DC=network
    Global Container Domain DC: iqsrvdc1.domain.network
    Domain DC: iqsrvdc1.domain.network
    Forest GC: iqsrvdc1.domain.network
    Group Domain: domain.network
    Service Account Exists: False
      Success
    Create Local Group Memberships   Action Info: Joined domain group RTCUniversalServerAdmins to machine local group Administrators
    Action Info: Joined domain group RTCUniversalServerAdmins to machine local group RTC Local Administrators
    Action Info: Joined domain group RTCUniversalUserAdmins to machine local group RTC Local User Administrators
    Action Info: Joined domain group RTCUniversalReadOnlyAdmins to machine local group RTC Local Read-only Administrators
    Action Info: Joined domain group RTCComponentUniversalServices to machine local group IIS_WPG
      Success
    Grant Logon As Service Right   Machine: iqsrvocsweb.domain.network
    Service Account Type: 0x5 (DomainAccount)
    Office Communications Server Service Account: DOMAIN\CWAService
    Service State: 0x2A8 (AccountExists | DomainAccountCreated | LogonAsServiceGranted | UniversalGroupMembershipReady)
      Success
    Register SPN       Success
    Register SPN   DN: CN=CWAService,CN=Users,DC=domain,DC=network
    SPN: Not Ready
      Success
    Register SPN       Success
    Register SPN   DN: CN=CWAService,CN=Users,DC=domain,DC=network
    SPN: Not Ready
      Success
    Saturday, July 11, 2009 11:26 AM

All replies

  • Hi Matt,

    did you create the CWAService account on your own, or was it created during the CWA Setup procedure?

    For starters, in AD, the CWAService account should be a member of the RTCComponentUniversalServices group, together with the RTCComponentService and RTCService accounts used in other server roles.
    Check on that, and since you don't have issues with your other roles, membership in that group should be enough.
    Tell us if this is your case.

    BR

    George
    Friday, July 10, 2009 8:28 AM
  • Hi George:

    Thank you for the response. 

    The CWAService user account was created during the setup.  I have confirmed that the user is a member of the group 'RTCComponentUniversalServices'.  I have also tried making that user a member of the group 'RTCHSUniversalServices', but the issue persists.

    Thanks.
    -matt
    Friday, July 10, 2009 1:20 PM
  • Hey Matt,

    as far as I can see on a CWA Server of mine that is working ok, the domain\CWAService account is granted the right to logon as a batch job.
    Can you verify that this is valid on your local security policy on the CWA hosting server?

    BR
    George
    Friday, July 10, 2009 3:00 PM
  • Hi George:

    No dice.  The DOMAIN\CWAService user account is in the "Log on as a batch job" policy.  Is this the only policy setting this user is a part of on your working installation? 

    Thanks. 
    -matt
    Friday, July 10, 2009 4:18 PM
  • Hi George:

    Thanks for the output.  Unfortunately, it looks like my log mirrors your log.  I also double-checked all the settings it sets and they are reflected within the system.  I'm going to probably uninstall the CWA role and then re-install, creating a different user to see if it works.  If that fails, then I will most likely attempt this with a clean install of Windows; however, this is the second clean install of Windows I've tried this with, so hopefully the third time will be a charm :)

    Thanks. 
    -matt
    Wednesday, July 15, 2009 1:25 PM
  • Matt

    take a look at the IIS logs. I have seen this a couple of times. but often am able to find the problem by looking at the Log files with in IIS. I would start there.
    mitch
    Wednesday, July 15, 2009 1:38 PM
  • Hi Mitch:

    The IIS log reflects the same error, 401, with no other good data to go off of.  When you've seen this error, what was the fix usually? 

    Thanks.
    -matt
    Thursday, July 16, 2009 1:17 PM
  • Matt, often times it was simply permissions on the directory or a problem with IIS authentication. I can usually review the log and find where or which directory the 401 was passed at, and then look at the directory to see it has the correct permissions. So on the lines that say 401, can you see what directory or path it was trying to hit? Also check to see that you have the correct auth methods, i.e. Windows authentication and/or Basic, depending on what you are doing.
    Mitchr |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Thursday, July 16, 2009 2:15 PM
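The triage Mitch describes, reading the 401 lines to find the path and the sub-status, is tedious by hand on a busy site. The script below is an added example (not code from the thread or from OCS/CWA) that summarises 401 responses in an IIS 6 W3C extended log by path and sub-status, taking the field order from the log's own `#Fields:` header. The log content is constructed for the demo; the sub-status meanings are the documented IIS 6 values, and `sc-win32-status` 5 is ERROR_ACCESS_DENIED. It assumes Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the thread: summarise 401 responses in an IIS 6
# W3C extended log by requested path and sub-status. The field order is read
# from the log's own "#Fields:" header. Requires Windows PowerShell 2.0 or later.

# Constructed sample log for the demo (not a real capture).
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-16 13:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-07-16 13:00:01 10.0.0.5 GET /cwa/client/ - 443 - 10.0.0.20 Mozilla/4.0 401 2 5
2009-07-16 13:00:02 10.0.0.5 GET /cwa/client/ - 443 - 10.0.0.20 Mozilla/4.0 401 2 5
2009-07-16 13:00:03 10.0.0.5 GET /cwa/Images/logo.gif - 443 DOMAIN\alice 10.0.0.21 Mozilla/4.0 401 3 5
2009-07-16 13:00:04 10.0.0.5 GET /cwa/Images/logo.gif - 443 DOMAIN\alice 10.0.0.21 Mozilla/4.0 200 0 0
'@

# IIS 6 sub-status meanings for HTTP 401, from the IIS documentation.
$substatusText = @{
    1 = 'Logon failed'
    2 = 'Logon failed due to server configuration'
    3 = 'Unauthorized due to ACL on resource'
    4 = 'Authorization failed by filter'
    5 = 'Authorization failed by ISAPI/CGI application'
}

function Get-Iis401Summary {
    param([string[]]$Lines)

    $fields  = $null
    $summary = @{}

    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # "#Fields:" is 8 characters; the rest is the space-separated field list.
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if (-not $line.Trim() -or $line.StartsWith('#')) { continue }
        if (-not $fields) { throw 'Data line seen before a #Fields: header' }

        # Map each value to its field name; a short line is skipped rather than misread.
        $values = $line -split ' '
        if ($values.Length -lt $fields.Length) { continue }
        $rec = @{}
        for ($i = 0; $i -lt $fields.Length; $i++) { $rec[$fields[$i]] = $values[$i] }

        if ($rec['sc-status'] -ne '401') { continue }

        # Group by path and full status (e.g. "/cwa/client/ 401.2").
        $key = '{0} 401.{1}' -f $rec['cs-uri-stem'], $rec['sc-substatus']
        if (-not $summary.ContainsKey($key)) {
            $summary[$key] = @{ Hits = 0; Win32 = $rec['sc-win32-status']; Users = @() }
        }
        $summary[$key].Hits++
        if ($rec['cs-username'] -ne '-' -and $summary[$key].Users -notcontains $rec['cs-username']) {
            $summary[$key].Users += $rec['cs-username']
        }
    }

    foreach ($key in ($summary.Keys | Sort-Object)) {
        $path, $code = $key -split ' '
        $sub = [int](($code -split '\.')[1])
        New-Object PSObject -Property @{
            Path    = $path
            Status  = $code
            Meaning = $substatusText[$sub]
            Hits    = $summary[$key].Hits
            Win32   = $summary[$key].Win32
            Users   = ($summary[$key].Users -join ', ')
        }
    }
}

# Demo on the constructed log. For a real server, replace the argument with
# Get-Content on the site's log, e.g. %windir%\system32\LogFiles\W3SVC1\exYYMMDD.log
# (the IIS 6 default location; the W3SVC<n> folder is the site's ID).
Get-Iis401Summary -Lines ($sampleLog -split "`r?`n") |
    Format-Table Path, Status, Meaning, Hits, Win32, Users -AutoSize
```

On the sample data this separates the anonymous 401.2 hits on `/cwa/client/` (the server-configuration class from the thread's title, which points at the worker process or authentication setup rather than at a file ACL) from a 401.3 on an image that then succeeded, which is the ordinary challenge/response of Windows authentication and not a fault. A real log from the situation in the thread would be expected to show 401.2 on the CWA virtual directory with an empty `cs-username`.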
  • Hi Guys,

    What worked for me, was ensuring the CWAService account created at install was part of the RTCUniversalAdmins group and it was allowed to "Log on as a service".

    Regards,

    Kirk
    Monday, July 20, 2009 10:28 PM
  • Hi Kirk:

    That works for me, too.  That's pretty much the same as having the user in the local administrators group directly as the RTCUniversalServerAdmins group is a member of the local admins group on the system.  I'm at a loss at this point in running the CWA site with a lower set of privileges than administrator.  Unfortunately, it looks like this is the best option aside from not using CWA.  

    Thanks to everyone for all the input. 

    -matt
    Friday, July 24, 2009 11:56 PM
  • Also make sure that the CWAService account is granted the "Logon as a Batch Job" right locally to the server.  You shouldn't have to make the account a full Administrator of the local server.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Saturday, July 25, 2009 12:36 PM
    Moderator
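Pulling the advice in this thread together: the activation log shows the service account being granted "Log on as a service", the group RTCComponentUniversalServices being added to the local IIS_WPG group, and Jeff adds "Log on as a batch job". The script below is an added example (not from the thread or from OCS/CWA) that audits exactly those settings on the CWA server so an administrator can confirm the least-privilege configuration instead of falling back to local Administrators, as Matt ended up doing. The account and group names are placeholders; it must be run from an administrative session on the CWA server (secedit needs that to export the local policy), and it targets Windows Server 2003 / IIS 6, where the worker-process group is IIS_WPG (IIS 7 and later use IIS_IUSRS instead).

```powershell
# Added example, not from the thread: audit the local rights and group
# memberships that the CWA activation log shows being granted, so the service
# account can be verified without adding it to local Administrators.
# Account/group names are placeholders. Run as an administrator on the CWA server.

# secedit exports rights as SIDs ("*S-1-5-..."), so resolve the name to a SID first.
function Get-AccountSid([string]$Name) {
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Direct holders of one user right, taken from an export of the local security policy.
# A right held only through some other group shows up under that group's SID, not the
# account's, which is why the caller also checks the service group below.
function Get-RightHolders([string]$Right) {
    $inf = Join-Path $env:TEMP 'localpolicy-export.inf'
    & secedit /export /cfg $inf /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match ('^' + $Right + '\s*=') }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

# Members of a local group as DOMAIN\name strings via the WinNT ADSI provider,
# which works on Windows 2003 (Get-LocalGroupMember exists only on much newer Windows).
function Get-LocalGroupMembers([string]$GroupName) {
    $group = [ADSI]('WinNT://./' + $GroupName + ',group')
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# True when any of $Items appears in $Set (case-insensitive string compare).
function Test-AnyIn($Items, $Set) {
    foreach ($i in $Items) { if ($Set -contains $i) { return $true } }
    return $false
}

function Test-CwaServiceAccount([string]$Account, [string]$Group) {
    # Compare by both name and SID, since rights come back as SIDs and group members as names.
    $accountIds = @($Account, (Get-AccountSid $Account))
    $groupIds   = @($Group,   (Get-AccountSid $Group))
    $both       = $accountIds + $groupIds

    $checks = @()
    # SeServiceLogonRight = "Log on as a service", SeBatchLogonRight = "Log on as a batch job".
    foreach ($right in 'SeServiceLogonRight', 'SeBatchLogonRight') {
        $holders = @(Get-RightHolders $right)
        $checks += New-Object PSObject -Property @{
            Check = "$Account (directly or via $Group) holds $right"
            Pass  = Test-AnyIn $both $holders
        }
    }
    $wpg = @(Get-LocalGroupMembers 'IIS_WPG')
    $checks += New-Object PSObject -Property @{
        Check = "$Group or $Account is a member of local IIS_WPG"
        Pass  = Test-AnyIn $both $wpg
    }
    # The thread's goal: the worker process should not need local Administrators.
    $admins = @(Get-LocalGroupMembers 'Administrators')
    $checks += New-Object PSObject -Property @{
        Check = "$Account and $Group are not direct members of local Administrators"
        Pass  = -not (Test-AnyIn $both $admins)
    }
    $checks
}

Test-CwaServiceAccount -Account 'DOMAIN\CWAService' -Group 'DOMAIN\RTCComponentUniversalServices' |
    Format-Table Check, Pass -AutoSize
```

The last check only looks at direct membership of Administrators; it will not flag the situation Matt describes, where RTCUniversalServerAdmins is nested inside the local Administrators group and the service account is placed in that domain group. Membership in a group that is itself an administrator is still administrator access, so if the first three checks pass and CWA works, the account can be taken back out of any such group.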