Microsoft KB Archive/832981


Article ID: 832981

Article Last Modified on 12/3/2007



APPLIES TO

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 5.1
  • Microsoft Internet Information Services 6.0



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

Important: This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows XP and Windows Vista


SUMMARY

The CrashOnAuditFail feature is a registry key that can be set to make sure that all auditable events are recorded in the security event log. If an auditable event cannot be logged in the security event log, a stop error (STOP 0xC0000244) occurs. The stop error typically occurs because the security event log is full. After the stop error occurs, non-administrator accounts cannot access the Web sites, and Microsoft Internet Information Services (IIS) returns HTTP 500 error messages until the CrashOnAuditFail key is reset and the security event log is cleared.


SYMPTOMS

When you access a Web site on the server, you receive one of the following error messages.

Error message 1


HTTP 500 - Internal Server Error

Error message 2


HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.

Error message 3


The Local security authority cannot be contacted.

When friendly error messages are turned off in the browser, you may also receive the following error message:

Logon failure: user not allowed to log on to this computer.

CAUSE

This problem occurs if the security event log has reached the maximum log size and the Event Log Wrapping setting is set to Overwrite Events Older than X Days or Do Not Overwrite Events. Because the security event log is full, and the CrashOnAuditFail registry key is set, Microsoft Windows does not permit accounts that are not administrator accounts to log on. When anonymous access is configured, requests to the Web site try to authenticate by using the IUSR_computername and IWAM_computername accounts. These accounts are not administrator accounts.

RESOLUTION

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To resolve this issue, follow these steps:

  1. Save and clear the security event log.
  2. Start Registry Editor.
  3. Locate the following key, and then set the value of this key to 1:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail

  4. Restart the server. The registry changes do not take effect until you restart the server.


STATUS

This behavior is by design.

MORE INFORMATION

The CrashOnAuditFail registry key provides an optional security feature that system administrators can use to review all security events. The valid values for the CrashOnAuditFail key are 0, 1, and 2. The data options are:

  • 0 - Anyone may log on. This is the default value.
  • 1 - Anyone may log on if the system can audit the events and write the events to the security event log. If the security event log is full, the value for the CrashOnAuditFail key is changed to 2, and the server crashes.
  • 2 - Only administrators may log on.

When the security event log becomes full, the server locks itself down so that no auditable events are missed. You can prevent the server lockdown by using one of the following methods. Note, however, that preventing the server lockdown defeats the purpose of the CrashOnAuditFail key.

Note: None of the following methods alone resolves the issue. You must follow the steps in the "Resolution" section before you use one of these methods.

  • Set the Event Log Wrapping setting to Overwrite events as needed.
  • Limit the number or types of events that are audited, or disable auditing completely.
  • Set the value for the following registry key to 0:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
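
The following read-only check is an added example, not part of the original Microsoft article. It reads the CrashOnAuditFail value and the security event log settings and reports whether the server is in, or approaching, the lockdown described above. It assumes Windows PowerShell 3.0 or later (newer than the Windows releases this article lists) and an elevated session; the 80 percent threshold and the status labels are illustrative choices.

```powershell
# Added example: reports the CrashOnAuditFail state next to the Security log
# settings that decide whether a full log can trigger the lockdown.
# Read-only: nothing is changed on the system.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$warnPct = 80    # assumed warning threshold; tune to your retention policy

# 0 = anyone may log on (default), 1 = stop when an event cannot be audited,
# 2 = only administrators may log on (set by the system after the stop error).
$lsa  = Get-ItemProperty -Path $lsaPath -Name CrashOnAuditFail -ErrorAction SilentlyContinue
$coaf = if ($lsa) { [int]$lsa.CrashOnAuditFail } else { 0 }

# LogMode 'Circular' corresponds to "Overwrite events as needed".
$log     = Get-WinEvent -ListLog Security
$pctFull = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
$wraps   = ($log.LogMode -eq 'Circular')

$status = if ($coaf -eq 2) {
    'LOCKED: only administrators can log on; anonymous IIS requests fail'
} elseif ($coaf -eq 1 -and -not $wraps -and ($log.IsLogFull -or $pctFull -ge $warnPct)) {
    'AT RISK: Security log is nearly full and does not wrap; save and clear it'
} elseif ($coaf -eq 1 -and -not $wraps) {
    'ARMED: the server stops if the Security log fills'
} elseif ($coaf -eq 1) {
    'ARMED: log wraps, so a full log does not cause the lockdown; old events are overwritten'
} else {
    'OFF: CrashOnAuditFail is 0 or not set'
}

[pscustomobject]@{
    CrashOnAuditFail = $coaf
    LogMode          = $log.LogMode
    MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    PercentFull      = $pctFull
    IsLogFull        = $log.IsLogFull
    Status           = $status
}
```

Running this on a schedule and alerting on the AT RISK status gives time to save and clear the log before the stop error occurs.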


REFERENCES

For additional information about using the CrashOnAuditFail security feature, click the following article numbers to view the articles in the Microsoft Knowledge Base:

140058 How to prevent auditable activities when security log is full


232564 STOP 0xC0000244 when security log full


