
EventID 2266; SeTcbPrivilege permission is missing


Lars Kappenberg

Apr 4, 2005, 8:54:44 AM
Hi *!

I recently looked through the event log entries and found an entry regarding

Event ID 2266 and Event source W3SVC-WP

--> here is the original event log entry (sorry, this is German) --->
Ereignistyp: Warnung
Ereignisquelle: W3SVC-WP
Ereigniskategorie: Keine
Ereigniskennung: 2266
Datum: 04.04.2005
Zeit: 04:30:03
Benutzer: Nicht zutreffend
Computer: KS01
Beschreibung:
Das Konto, unter dem der aktuelle Arbeitsprozess ausgeführt wird, verfügt
nicht über die SeTcbPrivilege-Berechtigung. Die anonyme
Kennwortsynchronisations- und die Digest-Funktion sind deaktiviert.
<-- down to here <---

Roughly translated:
The SeTcbPrivilege permission is not granted to the account of the current
worker process. The control of the password for the Anonymous account and
the digest function will be disabled.

I googled a bit (does that word exist?) and found an article at Microsoft
Support:
http://support.microsoft.com/kb/332167/en-us

But I partly don't understand what to do:

Besides OWA, OMA and Remote Access we are running a few websites on the
server which are set to anonymous authentication.

What do I have to do?

According to the above article there are three ways:
a) keep Sub-Authentication disabled?
"By default, IIS 6.0 does not enable sub-authentication because using the
component involves some security risk."
b) Sub-Authentication on IIS6 in IIS 5 Isolation Mode
or
c) Sub-Authentication on an IIS6 in worker process isolation mode

...the difference between b) and c) is not clear to me.

We are running a localized German version of SBS 2k3 Premium which was
upgraded from SBS 2k in December. Has anybody stumbled on this topic after
upgrading to SBS 2k3?

Kind regards,
Lars


Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Apr 5, 2005, 2:07:53 AM
www.eventid.net

Sign up for the service...it's worth EVERY penny.

PaulD (Last update 3/8/2005):
Most probably, you have problems with the OWA password functionality.
See Q833734 for a hotfix applicable to Microsoft Internet Information
Services 6.0.

Q332167 provides information on how to configure IIS to control the
Anonymous password. To check your IIS see the Authentication and Access
Control Diagnostics 1.0 (AuthDiag) link.

Ionut Marin (Last update 12/9/2003):
From a newsgroup post: "SeTcbPrivilege is equivalent to "Act as part of
the operating system". This error means that one of your application
pools is running as an account that does not have this right. On
Exchange, the DefaultAppPool and the ExchangeMobileBrowseApplicationPool
both run under the well known account Network Service, while the
ExchangeApplicationPool runs under Local System. Both accounts should
have this right by default. It is likely that the identity that an
application pool is running under is not one of these two. To check,
open Internet Services Manager, and browse until you see Application
Pools. Pull up properties of each of these listed and check the account
on the identity tab. If it’s not the ones listed above then change it".

From a newsgroup post: "The account that the current worker process is
running under, does not have the “SeTcbPrivilege” privilege; the
anonymous password sync feature and the Digest authentication feature
are disabled. This can be caused by some entries in the metabase that
are incorrect or by an incorrect identity setting.

1. First, check to make sure the Default Application pool in IIS is
using the correct Security Account to logon by following these steps:
A. Go to Start, Programs, Administrative Tools and double click on
Internet Information Services Manager.
B. Expand your server name.
C. Expand Application Pools.
D. Right click on the DefaultAppPool and go to Properties.
E. Click on the Identity tab and make sure the radio button "Predefined"
is marked and the account listed in the drop down box is "Network
Service". If it is not, change it and stop and start IIS, then check the
event logs for the error. If it is, go to step 2.

2. Go to the “C:\Windows\System32\Inetsrv” directory. Right click on the
“metabase.xml” file and click on Edit. This will open the file in Notepad.
A. Search for "AnonymousPasswordSync". Set any instance you find of this
to “False”.
B. Search for "UseDigestSSP". For any instance you find of this set it
to “True”. Save the event logs and clear them, then reboot the server
and check to see if the Event ID 2266 error reappears.

Note: To be able to open the “metabase.xml” in notepad and be able to
save the changes, you will need to open Start/Administrative
Tools/Internet Information Services (IIS) Manager then right click on
the server name and select Properties. Check the box for Enable Direct
Metabase Edit and then click on OK. After you are finished making any
changes to the metabase I would recommend that you go back and uncheck
the setting. Also, I would suggest before making any changes to the
metabase that while you are in the IIS MMC that you right click on the
server and select All Task/Backup/Restore Configuration and make a
backup of the metabase before opening it in Notepad".

--
An open letter to the Security Community::
http://msmvps.com/bradley/archive/2004/12/12/23540.aspx
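
The checks from the quoted eventid.net steps, as an added example that is not part of the original thread: a read-only Python audit of a copy of `metabase.xml` that lists explicit `AnonymousPasswordSync` and `UseDigestSSP` values differing from the advice, and application pools whose identity is not Network Service or Local System. The sample XML and the `EXAMPLE\svc_web` account are constructed; `audit_metabase` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an IIS 6 metabase.xml (not taken from the thread).
SAMPLE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousPasswordSync="TRUE" UseDigestSSP="FALSE"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool"
    AppPoolIdentityType="3" WamUserName="EXAMPLE\svc_web"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/ExchangeApplicationPool"
    AppPoolIdentityType="0"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AnonymousPasswordSync="FALSE"/>
</MBProperty>
</configuration>"""

# AppPoolIdentityType values used by IIS 6.
IDENTITY = {"0": "Local System", "1": "Local Service",
            "2": "Network Service", "3": "custom account"}
# Values the quoted steps say to set.
EXPECTED = {"AnonymousPasswordSync": "FALSE", "UseDigestSSP": "TRUE"}


def audit_metabase(xml_text):
    """Return (location, finding) tuples for explicit settings that differ
    from the advice. Inherited values are not resolved: a key with no
    explicit attribute takes its value from a parent Location."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        # Match attribute names case-insensitively; ignore element namespaces.
        attrs = {k.lower(): v for k, v in node.attrib.items()}
        loc = attrs.get("location", "?")
        for name, want in EXPECTED.items():
            value = attrs.get(name.lower())
            if value is not None and value.upper() != want:
                findings.append((loc, f"{name}={value} (advice: {want})"))
        kind = attrs.get("apppoolidentitytype")
        # The quoted post expects pools to run as Network Service or Local System.
        if kind is not None and kind not in ("0", "2"):
            who = attrs.get("wamusername", IDENTITY.get(kind, "unknown"))
            findings.append((loc, f"pool identity type {kind}: {who}"))
    return findings


if __name__ == "__main__":
    for location, finding in audit_metabase(SAMPLE):
        print(f"{location}: {finding}")
```

Run it against a backup copy of the file rather than the live metabase, so the audit never needs Direct Metabase Edit enabled.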

Jerry zhao (MSFT)

Apr 5, 2005, 4:00:02 AM
Hi Lars,

Thank you for the post.

This newsgroup is mainly for English version users. For non-English
version users, perhaps a community member or an MVP can help; I still want to
recommend that you use your local support options.

I have noticed that you are using the German version of SBS, so you can post in
the newsgroup Microsoft.public.de.windows.server.sbs. If you access the
newsgroup via IE, please visit the following URL:

http://support.microsoft.com/newsgroups/newsReader.aspx?lang=de&cr=DE&dg=microsoft.public.de.windows.server.sbs&sloc=en-us

You may also want to contact the local CSS support for further assistance.

For a complete list of Microsoft Product Support Services phone numbers and
information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMS

If there is anything else that I can do for you, please feel free to
contact me, and I will be happy to help!

Best regards,

Jerry Zhao (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Lars Kappenberg

Apr 5, 2005, 2:15:26 PM
Susan, you're great!

Ionut Marin's Tip did it.

> Sign up for the service...it's worth EVERY penny.

Be sure I will do that!

Thank you very much!

Lars


Jerry zhao (MSFT)

Apr 5, 2005, 9:18:20 PM
Hi Lars,

Thanks for your kind response and thanks Susan for the answer.

I'm glad to hear that the problem was resolved.

As always, please do post back here again if there is anything we can still help with.
Susan,
