locked
Permission problem with new WSS WFE RRS feed

  • Question

  • Ï have WSS 3.0 installed on a single server (SQL is installed in the same box).
    Since we have a new application running on a different box that needs Sharepoint installed on the same machine, I've decided to install a web frontend on this second machine to access a specific sharepoint web site.
    When I try to access this web site through the new WFE I get the message "Cannot connect to the configuration database."
    In the Application Event Log I get the message "SQL database login failed. Additional error information from SQL Server is included below. Login failed for user 'DOMAIN\SERVER$'." (ID 3351). Again, this happens in the second server, on the original WSS server the web site runs ok.

    I see that the site's Application Pool runs under "Network Service" and I suppose that's the reason. I guess that App Pool has to run under a domain account.

    I such a case, my question is: what privileges do I have to give that account ant to which WSS databases?

    Thanks
    Friday, May 13, 2011 5:16 PM

Answers

All replies

  • Hi Ghechem,

    Can you confirm whether the WSS 3.0 setup a farm installation or a single server installation with SQL express?

    Thanks!


    BlueSky2010
    Friday, May 13, 2011 5:27 PM
  • The first server was installed as single server, but using a full SQL which had been previously installed (no SQL express).

    The second one was (obviously) installed as a WFE added to an existing farm.

    Friday, May 13, 2011 6:06 PM
  • Ghechem,

    The application pool account mush have standard rights in order to run the application pool with read and write access to sql server. The following rights are required by application pool identity.

    • Must of a member of IIS_WPG, SPS_WPG and STS_WPG
    • Must be a db_owner on the databases: configuration database, SSP database, site collection database

    When you say"Installed WFE", do you mean "adding a new server to farm"? How did you add the new server to the farm? The farm in this case is a single server. Did you run sharepoint technologies wizard?

    If the website was running properly before you added new server to the farm, it might be because of the service account that might have switched to network service from the actual service account. You could check by navigating to IIS, right click the application pool and click on properties. This would display the account the application pool is running. Try to switch it to the other account, instead of network service and see if it runs. Hope this helps.

     


    V
    Friday, May 13, 2011 7:16 PM
  • OK, I'll try to clarify.
    The first server was installed as stand-alone. Application Pools always ran under Network Service (they still do).
    I then installed the Web Front End on the second server. The wizard automatically created on the second servers' IIS the same web sites that existed on the first's, with the same security configuration.
    To summarize, on both servers the App Pools run under Network Service. The web site works fine on the first one (the one which also runs SQL), but not on the second one.
    Friday, May 13, 2011 7:28 PM
  • I would suggest you to create a new service account with the above permissions. Assign the account to the application pools.

    You can change the service account by navigating to Central administration -> operations -> services accounts.


    V
    Friday, May 13, 2011 7:35 PM
  • Ok, I already did that.

    The site for which I changed the app pool's account is now prompting for credentials when I try to browse it.

    In the server's Securty Event Viewer I "failure audit" events (ID 529 related to Kerberos).

    Some problem with SPN perhaps?

    Thursday, May 19, 2011 2:31 PM
  • Is the account a member  member of IIS_WPG, SPS_WPG and STS_WPG? Also, is the machine in the domain? 

    If the above two look fine, might be an SPN issue. Take a look at this article. http://littletalk.wordpress.com/2010/02/24/kerberos-lesson/

     


    V
    • Marked as answer by David HM Monday, May 23, 2011 1:31 AM
    Thursday, May 19, 2011 2:42 PM