FSSPUsernameFilter.dll failed to load

  • Article

A common issue that we see affecting customers running Forefront for SharePoint, is the error “FSSPUsernameFilter.dll failed to load” or similar, being logged repeatedly to the Application Event log. This can also prevent a Website/Application Pool to fail to load.

 

This error is normally caused because one of the Web Sites/Application pools, is trying to load the ISAPI DLL – “FSSPUsernameFilter.dll”, but is unable to do so successfully.

 

By default, when Forefront is installed on a SharePoint server, the Forefront ISAPI Filter, is installed in the root level of IIS. As such, all web sites created below this, inherit this ISAPI filter.

 

The ISAPI filter can be seen in the IIS manager:-

 

image

 

 

Normally the reason that this ISAPI Filter cannot load correctly is due to NTFS permissions. To troubleshoot NTFS permissions, my personal “tool of choice” is process monitor from system internals, (available here).

 

Using Process Monitor to capture at least one instance of the error being logged to the Application Event log, I will create a new filter, (CTRL-L), for all entries which have a path which contains the string, “FSSPUsernameFilter.dll”:-

 

image

 

In the filtered log, we will probably see something similar to the following:-

image

 

Double clicking one of these entries, we can see exactly which user account is requesting access and what access it is requesting:-

image

image

 

(If the user account does not appear as a “normal” user account, but rather as an IIS user account or Application Pool Identity, (IIS APPPOOL\DefaultAppPool), as in the example above, please see Application Pool Identities)

 

Once we have the username for the account that is failing, we then need to ensure that this has permission to access the FSSPUsernameFilter.dll file, located by default in the “C:\Program Files\Microsoft Forefront Protection for SharePoint” folder. This is done in the normal way to set NTFS permissions. This account should be configured with “Read, Read & Execute” permission to this file.

 

For further details regarding permissions within Windows, please see:- Managing Permissions

Finally, we need the w3wp.exe processes to be restarted, in order for them to pick up . The easiest way to do this is to open a command prompt with elevated privileges and run the command “iisreset”. Please note, when the IISReset command is run, the w3wp.exe processes will be stopped and will then restart again with the next request made to the website. During this time, your webpages will temporarily be unavailable, but normally this runs fairly quickly.

 

Any comments and/or constructive feedback are most welcome.