Microsoft KB Archive/833001

= Users cannot access Outlook Web Access after you apply security templates from the Security Operations Guide for Windows 2000 =

Article ID: 833001

Article Last Modified on 10/25/2007

-

APPLIES TO


 * Microsoft Exchange Server 2003 Enterprise Edition, when used with:
 * Microsoft Windows 2000 Standard Edition
 * Microsoft Exchange 2000 Server Standard Edition

-





SYMPTOMS
After you apply the Group Policy templates that are described in the Security Operations Guide for Windows 2000, when a Microsoft Outlook Web Access (OWA) user tries to log on to Microsoft Exchange Server 2003, that user receives the following error message:

The page cannot be displayed
There is a problem with the page you are trying to reach and it cannot be displayed.

Please try the following:
 * Open the  home page, and then look for links to the information you want.
 * Click the Refresh button, or try again later.

HTTP 500 - Internal server error

Internet Information Services

Additionally, the following event appears in the security log in Event Viewer on the active cluster node: Event Type: Failure Audit

Event Source: Security

Event Category: Object Access

Event ID: 560

Date:

Time:

User:

Computer:

Description:

Object Open:

Object Server: SC Manager

Object Type: SERVICE OBJECT

Object Name: ClusSvc

Handle ID: -

Operation ID: {0,19279754}

Process ID: 320 [this is services.exe]

Primary User Name: $

Primary Domain:

Primary Logon ID: (0x0,0x3E7)

Client User Name:

Client Domain:

Client Logon ID:

Accesses: READ_CONTROL Query service configuration information Query status of service Enumerate dependencies of service Query information from service

Access



CAUSE
This behavior occurs because the OWA user does not have Read access permissions to the Cluster service (Clussvc.exe) on the cluster node. When you start Exchange Server on a cluster node, the first user to access OWA requires Read permissions to the Cluster service on that node. When you apply the Group Policy templates that are provided in the Security Operations Guide for Windows 2000 to the cluster nodes, this access permission may be removed. Therefore, the OWA user does not have sufficient permissions to sign in to OWA.

This issue may occur when you import and configure the Baseline.inf and the Exchange Backend Incremental.inf security templates in the policy settings that you apply to the server cluster.



RESOLUTION
To resolve this issue, modify the Group Policy object that you used to apply the Group Policy templates from the Security Operations Guide for Windows 2000 to give the OWA users Read access to the Cluster Service. To do this, follow these steps:  Log on to a domain controller, and then start the Active Directory Users and Computers snap-in. Right-click the domain or the organizational unit where your server cluster is located, and then click Properties. Click the Group Policy object that you used to apply the security settings from the Security Operations Guide for Windows 2000, and then click Edit. Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click System Services. In the right pane, double-click ClusSvc. Click Edit Security, and then click Add.</li> Depending on your environment and depending on your security considerations, add the OWA users, and then click OK.

For example, you may want to add one of the following security groups: <ul> Authenticated Users</li> Domain Users</li> Everyone</li></ul> </li> In the Name list, click the security group that you added, click to clear all the check boxes in the Allow column of the Permissions box, and then click to select the Read check box in the Allow column.</li> Click OK, and then click OK.</li> Exit the Group Policy tool, click Apply, and then click OK.</li> Restart the cluster node computers, or manually update Group Policy on each cluster node.

To manually update Group Policy, run the following command on each cluster node:

secedit /refreshpolicy machine_policy

</li></ol>

<div class="moreinformation_section">

MORE INFORMATION
To obtain the Security Operations Guide for Windows 2000, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=f0b7b4ee-201a-4b40-a0d2-cdd9775aeff8&DisplayLang=en

To obtain the templates that are described in the Security Operations Guide for Windows 2000, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=9989d151-5c55-4bd3-a9d2-b95a15c73e92&DisplayLang=en

Additional query words: XCCC, E2K3, MSCS, front end, front-end, back end, back-end, FE, BE FE/BE, Front-end/Back-end, Frontend/backend, e2k3,

Keywords: kberrmsg kbeventlog kbprb KB833001

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.