HTTP Error 503 Accessing Company Web on SBS 2011 Standard

[Today's post comes to us courtesy of Justin Crosby and Damian Leibaschoff from Commercial Technical Support]

If your SharePoint service account passwords ever become out of sync, you will have issues trying to access https://companyweb. The most common error you will see is “HTTP Error 503. The service is unavailable.” While this is the most common symptom, there are several others depending on where you look and which account is out of sync; we have included many more symptoms toward the end of this post.

Background Information

In SBS 2011, we use 3 different accounts to run Windows SharePoint Foundation. The accounts we use are spfarm, spsearch, and spwebapp. For security reasons the passwords on these accounts are periodically reset. SharePoint manages the spsearch and spwebapp accounts and the Windows SBS Manager service manages the spfarm account. All of these accounts can be found under MyBusiness > Users > SBS Users.

| Display Name | Logon Account |
|---|---|
| SharePoint Farm Account | spfarm |
| SharePoint Search Service Account | spsearch |
| Windows SBS Internal Web site Account | spwebapp |

The password for spfarm is reset every 7 days that the Windows SBS Manager service is running. The passwords for spsearch and spwebapp are reset on the first day of each month.

In addition to these passwords being stored in AD, they are also kept in the SharePoint configuration database and the services database. Due to this, the passwords can become out of sync. Passwords may get out of sync or expire due to the following causes:

  • A SharePoint database is restored that contains an out of date password.
  • The Windows SBS Manager service is broken/disabled.
  • The Windows SBS Manager service is never allowed to run for more than 7 days (the server is rebooted more often than every 7 days).
  • The accounts' passwords expire due to a combination of password expiration policy and a date change. For example, your passwords must be reset every 180 days and you change the date by more than 180 days.
  • You change your password policy to require passwords be changed more often than every 31 days.
  • Failed migration.

Of all these possible causes, the most common is restoring a database that contains an old password.

To check whether your passwords are in sync, run the SharePoint 2010 Management Shell as an administrator, then run Repair-SPManagedAccountDeployment from that PowerShell prompt. If one or more of the passwords is out of sync, it will return an error.


Resolution

If you receive an error that your passwords are out of sync, perform the following steps for each out-of-sync account to resolve the issue.

  1. Reset the AD password for the out-of-sync account(s). The accounts can be found under MyBusiness > Users > SBS Users; see above for more information on the accounts. Note: Be sure to uncheck "User must change password at next logon".
  2. Sync the password for the account(s) from an elevated SharePoint 2010 Management Shell (replace accountname with the affected account):
    Set-SPManagedAccount -UseExistingPassword -Identity $env:userdomain\accountname
  3. Run repair to verify that the passwords are synced:
    Repair-SPManagedAccountDeployment
  4. Restart IIS:
    iisreset /noforce
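
The four steps above as one script, added here as an example and not part of the original post. It assumes the ActiveDirectory module is available on the server, that it is saved as a .ps1 file and run from an elevated SharePoint 2010 Management Shell, and that the `$Accounts` parameter (a name chosen for this example) lists only the accounts reported as out of sync.

```powershell
# Added example: resolution steps 1-4 for the out-of-sync account(s).
# $Accounts is a parameter name chosen for this example; pass only the
# affected accounts, e.g.  -Accounts spwebapp,spsearch
param([string[]]$Accounts = @('spwebapp'))

Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

foreach ($name in $Accounts) {
    # Prompt once per account. The same SecureString goes to AD and to
    # SharePoint, so the two copies cannot differ because of a typo, and the
    # password never appears on the command line or in the transcript.
    $pw = Read-Host -AsSecureString -Prompt "New password for $name"

    # Step 1: reset the AD password and make sure
    # "User must change password at next logon" is not set.
    Set-ADAccountPassword -Identity $name -Reset -NewPassword $pw
    Set-ADUser -Identity $name -ChangePasswordAtLogon $false

    # Step 2: tell SharePoint to store the password that is now in AD.
    $identity = '{0}\{1}' -f $env:USERDOMAIN, $name
    Set-SPManagedAccount -Identity $identity -ExistingPassword $pw -UseExistingPassword
}

# Step 3: verify that the passwords are synced. Errors are still shown on
# screen and are also collected so the script can stop before restarting IIS.
Repair-SPManagedAccountDeployment -ErrorVariable repairErrors
if ($repairErrors) {
    Write-Warning 'Repair-SPManagedAccountDeployment reported errors; IIS was not restarted.'
    return
}

# Step 4: restart IIS without forcing running requests to terminate.
iisreset /noforce
```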

Symptoms

If your passwords are out of sync you may receive one or more of the following errors:

Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5002
Level: Error
Computer: server.domain.local
Description: Application pool 'SBS Sharepoint AppPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool.

Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5021
Level: Warning
Computer: server.domain.local
Description: The identity of application pool SBS Sharepoint AppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

Log Name: System
Source: Microsoft-Windows-WAS
Event ID: 5057
Level: Warning
Computer: server.domain.local
Description: Application pool SBS Sharepoint AppPool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
Computer: server.domain.local
Description: An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: SERVER$
Account Domain: domain
Logon ID: 0x3e7
Logon Type: 4
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: spwebapp
Account Domain: domain
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

The following services may fail to start with a logon failure:

  • SharePoint 2010 VSS Writer
  • SharePoint 2010 Timer
  • SharePoint Foundation Search V4
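
A way to check a server for the symptoms listed above, added here as an example and not part of the original post. It reads the local System and Security logs from an elevated PowerShell prompt; the 24-hour window and the variable names are assumptions made for this example.

```powershell
# Added example: look for the symptoms above in the last $Hours hours.
$Hours    = 24                                   # assumption: adjust as needed
$since    = (Get-Date).AddHours(-$Hours)
$accounts = 'spfarm', 'spsearch', 'spwebapp'

# WAS events 5002, 5021 and 5057: the application pool identity is invalid
# or the pool has been disabled.
$was = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS'
    Id = 5002, 5021, 5057; StartTime = $since
}

# Security event 4625: failed logons, kept only when the target account is
# one of the three SharePoint service accounts.
$failedLogons = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} | ForEach-Object {
    $data = @{}
    foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    if ($accounts -contains $data['TargetUserName']) {
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Account   = $data['TargetUserName']
            LogonType = $data['LogonType']   # 4 = batch logon, as in the sample event
            Status    = $data['Status']      # 0xc000006d = logon failure
            SubStatus = $data['SubStatus']   # 0xc000006a = wrong password
        }
    }
}

# State of the services that may fail to start with a logon failure.
$services = Get-Service -DisplayName 'SharePoint 2010 VSS Writer',
    'SharePoint 2010 Timer', 'SharePoint Foundation Search V4'

$was          | Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
$failedLogons | Format-Table Time, Account, LogonType, Status, SubStatus -AutoSize
$services     | Format-Table DisplayName, Status -AutoSize
```

A 4625 entry with SubStatus 0xc000006a for one of these accounts, together with the WAS events, points to the password mismatch described in this post rather than to a locked-out or disabled account.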

Update

9/9/2011:  We have identified another cause of the 503 error and have detailed it here: https://blogs.technet.com/b/sbs/archive/2011/09/01/an-uncommon-reason-why-browsing-companyweb-may-fail-with-http-error-503-on-sbs-2011-standard.aspx.