Microsoft KB Archive/279148

= PRB: Addition of New Application Center Member Fails When Anonymous Password Violates Password Policy =

Article ID: 279148

Article Last Modified on 3/20/2001

-

APPLIES TO


 * Microsoft Application Center 2000 Standard Edition

-



This article was previously published under Q279148



SYMPTOMS
When you add a new member to an Application Center 2000 cluster, the attempt fails with the following error message:

0x800708c5 - The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

The following success events are logged in the security log of the server that is being added

Event ID: 624 Type: Success Audit Description: User Account Created: New Account Name: %1      New Domain: %2 New Account ID: %3        Caller User Name: %4 Caller Domain: %5         Caller Logon ID: %6 Privileges %7

Event ID: 630 Type: Success Audit Description: User Account Deleted: Target Account Name: %1   Target Domain: %2 Target Account ID: %3     Caller User Name: %4 Caller Domain: %5         Caller Logon ID: %6 Privileges: %7

where %1 is replaced with the Microsoft Internet Information Server (IIS) default anonymous account, usually IUSR_.



CAUSE
The account that IIS uses for default anonymous access on the cluster controller does not meet the length or complexity requirements of the password policy for the server that is being added or for the domain that the server belongs to.



RESOLUTION
You must manually change the password for the cluster controller's default IIS anonymous access account. Microsoft recommends that this password be fifteen characters long with a mixture of capital and lower-case letters, numerals, or punctuation. In instances where a custom Passfilt.dll password filter is being used, the password requirements may be more stringent.

The password must be changed in both the Local Users and Groups MMC snap-in and in the Master Properties of the WWW Service.

To change the password for the WWW Service:
 * 1) From the Internet Information Services MMC snap-in, right-click the server name, and then click Properties.
 * 2) From the Master Properties pull-down list, click WWW Service, and then click Edit.
 * 3) Click the Directory Security tab, and then click Edit to edit the anonymous access and authentication settings.
 * 4) Click Edit Account (for anonymous access).
 * 5) Clear the Allow IIS to control password check box.
 * 6) Enter the new password. The new password must match the password that was entered in Local Users and Groups MMC snap-in.

After the password has been changed in both locations, the new member should be able to join the cluster without error. Once the member is added, IIS can again be configured to control the anonymous account password.



MORE INFORMATION
If the default anonymous user account is a local account on the cluster controller, then the Add Member Wizard will attempt to create a local account with the same name and password on the new member server. The initial default anonymous account, IUSR_MACHINENAME, is a local account with a non-expiring password that was created when IIS was installed on the cluster controller with a randomly generated password. If the cluster controller was not a member of a domain when this account was created, or if the local or domain password requirements changed after the default account was created, you may see the error that is noted in the &quot;Symptoms&quot; section when you try to add a new member to the cluster.

You can reproduce this error as follows:
 * 1) Create a single-node cluster on a server that is a workgroup member and a local account for the IIS default anonymous account.
 * 2) Manually set the default anonymous account password to a value that is illegal for your domain.
 * 3) Join the cluster master to your domain.
 * 4) Attempt to add another domain member server to your cluster.

