Windows Server 2008 Default Impersonation Level Must Be Identify


If you’re configuring a Windows Server 2008 environment with SharePoint 2007 and plan to use Kerberos, make sure that you do NOT set the default impersonation level for the server to Delegate, which is what this support article recommends: http://support.microsoft.com/kb/953130 (note that Microsoft is working on updating this support article to reflect the differences with Windows Server 2008). If you do make this change, you will run into all kinds of issues with timer-job-related activities such as creating web applications and applying hotfixes or service packs.

The following is an example of what you’ll find in your log files if you attempt to install a hotfix or service pack:

[SPHierarchyManager] [DEBUG] [8/5/2008 1:00:48 PM]: ——————- Begin Growing Tree ——————-
[SPManager] [DEBUG] [8/5/2008 1:00:48 PM]: Using cached [SPWebApplication Name=SharePoint Teams (80) Parent=SPWebService] CanUpgrade value: True.
[SPManager] [DEBUG] [8/5/2008 1:00:48 PM]: Using cached [SPWebApplication Name=SharePoint Teams (80) Parent=SPWebService] NeedsUpgrade value: False.
[SPManager] [ERROR] [8/5/2008 1:00:48 PM]: Upgrade [SPWebApplication Name=SharePoint Teams (80) Parent=SPWebService] failed.
[SPManager] [ERROR] [8/5/2008 1:00:48 PM]: Access is denied.
[SPManager] [ERROR] [8/5/2008 1:00:48 PM]:    at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.ChildEnumerator..ctor(DirectoryEntry container)
   at System.DirectoryServices.DirectoryEntries.GetEnumerator()
   at Microsoft.SharePoint.Administration.SPIisWebSite.LookupByServerComment(String serverComment, Int32& instanceId)
   at Microsoft.SharePoint.Administration.SPWebApplication.GetLocalIisWebSites()
   at Microsoft.SharePoint.Upgrade.SPWebApplicationSequence.AddNextLevelObjects()
   at Microsoft.SharePoint.Upgrade.SPHierarchyManager.Grow(SPTree`1 root, Boolean bRecursing)
   at Microsoft.SharePoint.Upgrade.SPHierarchyManager.Grow(SPTree`1 root)
   at Microsoft.SharePoint.Upgrade.SPManager.Upgrade(Object o, Boolean bRecurse)

 

The following is an example of some of the errors you may find in your event logs as the result of various timer job failures:

Log Name:      Application
Source:        Windows SharePoint Services 3
Date:          7/21/2008 5:34:52 PM
Event ID:      6398
Task Category: Timer
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Test-SPWFE1
Description:
The Execute method of job definition Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID 7d6130ec-41cf-4c9c-9fe2-1d1d43c276e0) threw an exception. More information is included below.

Access is denied.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Windows SharePoint Services 3" />
    <EventID Qualifiers="0">6398</EventID>
    <Level>2</Level>
    <Task>964</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2008-07-21T23:34:52.000Z" />
    <EventRecordID>3106</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Test-SPWFE1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob</Data>
    <Data>7d6130ec-41cf-4c9c-9fe2-1d1d43c276e0</Data>
    <Data>Access is denied.
</Data>
  </EventData>
</Event>

——————————-

Log Name:      Application
Source:        Office SharePoint Server
Date:          7/21/2008 5:34:52 PM
Event ID:      7076
Task Category: Office Server Shared Services
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Test-SPWFE1
Description:
An exception occurred while executing the Application Server Administration job.

Message: Access is denied.

Techinal Support Details:
System.Runtime.InteropServices.COMException (0x80070005): Access is denied.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.CheckIsContainer()
   at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.Find(String name)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.get_Item(String name)
   at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionIisApplicationPool(String name, ApplicationPoolIdentityType identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.SharePoint.Administration.SPMetabaseManager.ProvisionIisApplicationPool(String name, Int32 identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.Office.Server.Administration.SharedWebServiceInstance.CreateSharedWebServiceApplicationPool(SharedResourceProvider srp)
   at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Office SharePoint Server" />
    <EventID Qualifiers="0">7076</EventID>
    <Level>2</Level>
    <Task>1328</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2008-07-21T23:34:52.000Z" />
    <EventRecordID>3105</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Test-SPWFE1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Access is denied.
</Data>
    <Data>System.Runtime.InteropServices.COMException (0x80070005): Access is denied.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.CheckIsContainer()
   at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.Find(String name)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.get_Item(String name)
   at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionIisApplicationPool(String name, ApplicationPoolIdentityType identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.SharePoint.Administration.SPMetabaseManager.ProvisionIisApplicationPool(String name, Int32 identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.Office.Server.Administration.SharedWebServiceInstance.CreateSharedWebServiceApplicationPool(SharedResourceProvider srp)
   at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)</Data>
  </EventData>
</Event>

———————————-

Log Name:      Application
Source:        Office SharePoint Server
Date:          7/21/2008 5:34:51 PM
Event ID:      6482
Task Category: Office Server Shared Services
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Test-SPWFE1

Description:
Application Server Administration job failed for service instance Microsoft.Office.Server.Search.Administration.SearchAdminSharedWebServiceInstance (c8e14f74-dd92-4c7e-8ab0-f696e65886e5).

Reason: Access is denied.

Techinal Support Details:
System.Runtime.InteropServices.COMException (0x80070005): Access is denied.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.CheckIsContainer()
   at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.Find(String name)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.get_Item(String name)
   at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionIisApplicationPool(String name, ApplicationPoolIdentityType identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.SharePoint.Administration.SPMetabaseManager.ProvisionIisApplicationPool(String name, Int32 identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.Office.Server.Administration.SharedWebServiceInstance.Synchronize()
   at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Office SharePoint Server" />
    <EventID Qualifiers="0">6482</EventID>
    <Level>2</Level>
    <Task>1328</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2008-07-21T23:34:51.000Z" />
    <EventRecordID>3104</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Test-SPWFE1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Microsoft.Office.Server.Search.Administration.SearchAdminSharedWebServiceInstance</Data>
    <Data>c8e14f74-dd92-4c7e-8ab0-f696e65886e5</Data>
    <Data>Access is denied.
</Data>
    <Data>System.Runtime.InteropServices.COMException (0x80070005): Access is denied.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.CheckIsContainer()
   at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.Find(String name)
   at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.get_Item(String name)
   at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionIisApplicationPool(String name, ApplicationPoolIdentityType identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.SharePoint.Administration.SPMetabaseManager.ProvisionIisApplicationPool(String name, Int32 identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
   at Microsoft.Office.Server.Administration.SharedWebServiceInstance.Synchronize()
   at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)</Data>
  </EventData>
</Event>
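
A read-only check for the condition described above, added here as an example and not part of the original post. It assumes the server-wide default being discussed is the DCOM default impersonation level, which Windows stores in the `LegacyImpersonationLevel` value under `HKLM\SOFTWARE\Microsoft\Ole`; the function names and the seven-day window are hypothetical choices made for this example.

```powershell
# Added example: report the DCOM default impersonation level and, if it is
# Delegate, list recent occurrences of the timer-job errors shown in this post.
# Read-only: nothing is changed on the server.

# RPC_C_IMP_LEVEL_* numbering used by LegacyImpersonationLevel; 0 = value absent.
$ImpLevelNames = @{ 0 = 'NotSet'; 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Get-DcomDefaultImpersonationLevel {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $prop = Get-ItemProperty -Path $key -Name LegacyImpersonationLevel -ErrorAction SilentlyContinue
    # Report an absent value as 0/NotSet instead of guessing what COM will use.
    $raw  = if ($prop) { [int]$prop.LegacyImpersonationLevel } else { 0 }
    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        Value      = $raw
        Level      = $ImpLevelNames[$raw]
        IsDelegate = ($raw -eq 4)   # the setting this post warns against
    }
}

function Get-ImpersonationSymptomEvents {
    param([int]$Days = 7)   # look-back window, arbitrary default for this example
    # Event IDs taken from the three Application-log errors quoted in the post.
    $filter = @{
        LogName   = 'Application'
        Id        = 6398, 7076, 6482
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Access is denied' } |
        Select-Object TimeCreated, Id, ProviderName, MachineName
}

$level = Get-DcomDefaultImpersonationLevel
$level | Format-List Computer, Value, Level, IsDelegate

if ($level.IsDelegate) {
    Write-Warning 'DCOM default impersonation level is Delegate; this post requires Identify.'
    Get-ImpersonationSymptomEvents | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session on each SharePoint server in the farm, since the setting is per machine.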

9 thoughts on “Windows Server 2008 Default Impersonation Level Must Be Identify”

  1. We had this very problem today. Unfortunately, Kerberos doesn’t seem to work without it. Any ideas on getting around this problem and keeping Kerberos?

  2. Something else is wrong if you need this to get Kerberos working. I’d start from the beginning and make sure that you have all the basics covered (correct SPNs, delegation, DCOM settings, etc.).

  3. Is there a resolution to this issue yet???

    I have a MOSS 2007 installation with all the latest SP’s and CU’s and am still experiencing the event id’s you describe above Gary???

    When you say:
    “make sure that you do NOT set the default impersonation level for the server to delegate as recommended in this support article:” I presume you mean the delegation setting in Active Directory Users and Computers and not the SSP delegation settings?

    STSADM -o set-ecssecurity -ssp SharedServices1 -accessmodel delegation

    Thanks…

  4. An old post, but still proving useful! Thank you for documenting this. After switching my DCOM default impersonation level back to ‘identify’ I can successfully continue my installation. Whoop! 🙂
