NT AUTHORITY/NETWORK SERVICE missing from IIS_WPG

227 views
Skip to first unread message

Michael Carr

unread,
Feb 10, 2004, 6:25:55 PM2/10/04
to
I have a fresh installation of Server 2003 as a Domain Controller,
SharePoint, and Unix Services for Windows 3.5. I tried to install a .NET/DB
application and received the common error that "Logon failed for NT
AUTHORITY/NETWORK SERVICE." Typically when I receive this error I simply add
IIS_WPG to SQL's logins and all is well. However, this time it didn't work.
Upon further investigation, I noticed that NETWORK SERVICE (and the other NT
AUTHORITY accounts) were missing from IIS_WPG. When I tried to re-add the
NETWORK SERVICE user as a member of the IIS_WPG group, I was not given the
option of adding an object of type "Built-in Security Principals" so the
object was not found. I'm not exactly sure how NETWORK SERVICES got removed
from IIS_WPG in the first place, but now that it's gone, how do I add it
back if I can't get to it?

Thanks,
Michael Carr


David Wang [Msft]

unread,
Feb 11, 2004, 12:21:54 AM2/11/04
to
This is an issue specific to running IIS6 on Domain Controller due to how
groups on DCs become domain groups, and local identities cannot be in domain
groups. You basically have to make sure whatever you use as AppPool
Identity must exist everywhere that IIS_WPG has an ACL, and everywhere you
would have used IIS_WPG, you now have to use the specific AppPool Identity.

Using the built in AppPoolIds, we have placed them in all the necessary
places (if not, that's a bug). If you use a custom AppPoolId, you will have
to figure out where all the ACLs need to go.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Michael Carr" <mc...@umich.edu> wrote in message
news:%23Q8Lw0C...@TK2MSFTNGP11.phx.gbl...

Ken Schaefer

unread,
Feb 11, 2004, 7:48:24 AM2/11/04
to
Can you use this technique on Windows 2003?
http://support.microsoft.com/?id=292781

Cheers
Ken


"David Wang [Msft]" <som...@online.microsoft.com> wrote in message
news:%23780RGG...@TK2MSFTNGP11.phx.gbl...
: This is an issue specific to running IIS6 on Domain Controller due to how

:
:
:


Michael Carr

unread,
Feb 11, 2004, 8:20:05 AM2/11/04
to
Ken,


I tried it but got the following message:

C:\>net localgroup IIS_WPG "nt authority\network service" /add
System error 1388 has occurred.

A new member could not be added to a local group because the member has the
wrong account type.


Regards,
Michael Carr


"Ken Schaefer" <kenR...@THISadOpenStatic.com> wrote in message
news:O5gsW1J8...@TK2MSFTNGP12.phx.gbl...

Reply all
Reply to author
Forward
0 new messages