global-works
asked on
Virtual Server 2005 R2 administration website giving "access is denied" error
I just installed Virtual Server 2005 R2 on Windows Server 2003, and installed the Virtual Server administrator website on a different server. The administrator website opens up fine, but when I try to connect to the server running Virtual Server, it give me this error:
Could not connect to the Virtual Server on “<server name>”. Access was denied.
You can specify an alternate Virtual Server below.
I tried using dcomcfg.exe to adjust the launch and activation permissions on the "Virtual Server" component on the server running Virtual Server. This resulted in no change.
I also tried changing the identity of the Virtual Server application pool in IIS on the admin website to an admin account. This resulted in the website displaying "Service Unavailable"
Anyone know how to solve this problem?
Could not connect to the Virtual Server on “<server name>”. Access was denied.
You can specify an alternate Virtual Server below.
I tried using dcomcfg.exe to adjust the launch and activation permissions on the "Virtual Server" component on the server running Virtual Server. This resulted in no change.
I also tried changing the identity of the Virtual Server application pool in IIS on the admin website to an admin account. This resulted in the website displaying "Service Unavailable"
Anyone know how to solve this problem?
You have no downlevel DCs? The domain is in 2003 Native mode?
That is an excellent article and following it to the letter will get you the right results.
I take it you made it to page 16 and that's where you are not seeing results? Did you setup contrained delegation on the Virtual server server first?
That is an excellent article and following it to the letter will get you the right results.
I take it you made it to page 16 and that's where you are not seeing results? Did you setup contrained delegation on the Virtual server server first?
ASKER
Yes we are in 2003 Native mode and I did install the admin website with constrained delegation using the Local System option, as well as applying constrained delegation to the VS server as instructed at the bottom of page 15. While attempting to add the VSSRVC service to the delegation tab of the properties for the webserver as instructed in step 8 on page 17, the VSSRVC service is not appearing in the list of available services.
There is a note in the document saying:
If the Virtual Server service is running on the same computer on which you are storing resources files, both of the following procedures will be performed on the same computer in step 3.
This is confusing
There is a note in the document saying:
If the Virtual Server service is running on the same computer on which you are storing resources files, both of the following procedures will be performed on the same computer in step 3.
This is confusing
That note is telling you that if the server you installed Virtual Server on will also contain the virtual hard drives and setting files for the virtual machines, then you'll need to perform both procedures on the server before you move to the web admin server.
I think this might be where you missed something.
I think this might be where you missed something.
ASKER
The only difference that I can see in the two procedures is that for the webserver, you add the VSSRVC service as well as the CIFS service. So, if I'm interpreting your comment and the document correctly, then I should add the VSSRVC service to the delegation tab on the properties of both the VS server as well as the web server. Is that right? If so, the same problem applies, the VSSRVC service does not appear in the list of available services.
I think that's how I read it also.
The VSSRVC is the actual Virtual Server Service - it has to be on the box you installed VS onto.
The VSSRVC is the actual Virtual Server Service - it has to be on the box you installed VS onto.
ASKER
The VSSRVC service is running on the server, its just not appearing on the list of available services.
I just noticed this in the Event Viewer:
Event Source: Virtual Server
Event Category: Virtual Server
Event ID: 1130
Date: 5/4/2006
Time: 9:25:43 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: <SERVERNAME>
Description:
The service principal names for Virtual Server could not be registered. Constrained delegation cannot be used until the SPNs have been registered manually. Error 0x800706ba - The RPC server is unavailable.
I just noticed this in the Event Viewer:
Event Source: Virtual Server
Event Category: Virtual Server
Event ID: 1130
Date: 5/4/2006
Time: 9:25:43 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: <SERVERNAME>
Description:
The service principal names for Virtual Server could not be registered. Constrained delegation cannot be used until the SPNs have been registered manually. Error 0x800706ba - The RPC server is unavailable.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The sever where we installed Virtual Server is not a domain controller, however, I saw another post from someone regarding the same error. Here is a quote from that post:
"after applying "Validated write to service principal name" permission to Network Service account Virtual Server does not log this warning event anymore. I used SETSPN command tool to see if there are any new SPNs registered and the answer is no, so I suppose that VS has some problems with detection of existing SPNs. "
Based on this and the link you sent, I tried using SETSPN to modify the SPNs on the member server running VSSRVC. This worked and did allow me to then add the service to the delegation tab on the domain controller. That seemed to make some progress, as now when I try to connect from the admin website to the VS server, it seems to connect, but I get two messages on the webpage. The first displays at the top of the web page:
The following error occurred:
Access is denied.
Below that it displays:
<ServerName> Recent Events
You do not have permission to access the event viewer.
I have not applied the permissions as indicated in the post I quoted above. I cannot locate any way to add permissions to the Network Service account. Do you know how to do this?
"after applying "Validated write to service principal name" permission to Network Service account Virtual Server does not log this warning event anymore. I used SETSPN command tool to see if there are any new SPNs registered and the answer is no, so I suppose that VS has some problems with detection of existing SPNs. "
Based on this and the link you sent, I tried using SETSPN to modify the SPNs on the member server running VSSRVC. This worked and did allow me to then add the service to the delegation tab on the domain controller. That seemed to make some progress, as now when I try to connect from the admin website to the VS server, it seems to connect, but I get two messages on the webpage. The first displays at the top of the web page:
The following error occurred:
Access is denied.
Below that it displays:
<ServerName> Recent Events
You do not have permission to access the event viewer.
I have not applied the permissions as indicated in the post I quoted above. I cannot locate any way to add permissions to the Network Service account. Do you know how to do this?
If you add it, simply type "Network" when the account search box comes up.
That could be the last missing piece - permissions for Network.
That could be the last missing piece - permissions for Network.
ASKER
Sorry if I'm being dense, but I haven't a clue how to set this permission. I appears to be a permission for an Active Directory object, but I'm not sure about where to go to set it. I see this in the Windows Server 2003: Product Help:
Validated write to service principal name
Applies to: Computer
Description: Validated write permission to enable setting of the SPN attribute which is compliant to the DNS host name of the computer.
Validated write to service principal name
Applies to: Computer
Description: Validated write permission to enable setting of the SPN attribute which is compliant to the DNS host name of the computer.
ASKER
Well, something cleared up and now I can access the server. I never added this permission to the Network Service account, so apparently its not necessary. Although, we'll see if the SPN error appears in the event log.
I think that after you made the SPN change it took a few replication cycles to get sorted out. You might be good to go with this now.
ASKER
Thanks for your help on this.
No problem.
I simply uninstalled .NET Framework 1.1 and the website admin page came back. Strange but true.
We were getting service unavailable on a server we had as a standalone and not on network. We had to change to the local system account in Identities to fix.
ASKER