Re: ISA Server Error




Hello,

After performing deep research, it is hard to determine what the root cause
is. However, I found the following information that might be helpful.
Please check this:

Please add the NETWORK SERVICE account to the Generate Security Audits
policy in the default domain controller policy under Computer
Configuration\Windows Settings\Security Settings\Account Policies\User
Rights Assignments. Based on my knowledge, NETWORK SERVICE and LOCAL SERVER
should both be included in this policy by default.

If this doesn't resolve the problem, please follow these steps:
1. Please open MMC on the ISA Server (if it's a DC)
2. Click File then Add/Remove snap-in. Click Add.
3. Select Group Policy Object Editor and click Add.
4. In the dialog that pops up leave Group Policy Object as Local Computer
and press Finish.
5. Click Close. Click OK

Or access the Local security policy from administrative tools (if it's not
a DC)

Make sure that Local System and Network Service have rights to generate
security audits under Computer Configuration\Windows Settings\Security
Settings\Account Policies\User Rights Assignments

Hope the information above helps!

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
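
The check described in the reply above, as an added example that is not part of the original thread: it exports the effective user rights, lists every account holding "Generate security audits" (stored as `SeAuditPrivilege`), flags whether NETWORK SERVICE is among them, and shows which account the firewall service logs on as. Looking the service up by the display name "Microsoft Firewall" and the temporary file name are assumptions; run it from an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the thread). Run elevated on the ISA Server.
# Assumption: the firewall service is found by the display name used in the thread.

$inf = Join-Path $env:TEMP 'user-rights.inf'   # hypothetical scratch file
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# "Generate security audits" is stored as SeAuditPrivilege in the exported policy.
$entry = Get-Content $inf |
    Where-Object { $_ -match '^\s*SeAuditPrivilege\s*=' } |
    Select-Object -First 1

$holders = @()
if ($entry) {
    $holders = @(($entry -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Entries are "*<SID>" or a plain account name; normalise everything to SIDs.
$sids = @(foreach ($h in $holders) {
    if ($h.StartsWith('*')) { $h.Substring(1) }
    else {
        try {
            (New-Object Security.Principal.NTAccount($h)).Translate(
                [Security.Principal.SecurityIdentifier]).Value
        } catch { $h }   # unresolved name: keep it as written
    }
})

# Print each holder with its resolved account name.
foreach ($sid in $sids) {
    try {
        $name = (New-Object Security.Principal.SecurityIdentifier($sid)).Translate(
            [Security.Principal.NTAccount]).Value
    } catch { $name = '(unresolved)' }
    '{0,-45} {1}' -f $sid, $name
}

# S-1-5-20 is the well-known SID of NETWORK SERVICE.
if ($sids -contains 'S-1-5-20') { 'OK: NETWORK SERVICE holds SeAuditPrivilege' }
else { 'MISSING: NETWORK SERVICE is not listed for SeAuditPrivilege' }

# Logon account of the firewall service, to spot a change away from NETWORK SERVICE.
Get-WmiObject Win32_Service -Filter "DisplayName='Microsoft Firewall'" |
    Select-Object Name, DisplayName, StartName, State

Remove-Item $inf -ErrorAction SilentlyContinue
```

On a domain controller the exported values reflect the policy applied from the domain controllers GPO, so a missing entry has to be corrected there rather than in the local policy.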





--------------------
| Thread-Topic: ISA Server Error
| From: Smurfman <smurfman@xxxxxxxxxxxxxx>
| Subject: Re: ISA Server Error
| Date: Wed, 23 Aug 2006 05:31:02 -0700
| Newsgroups: microsoft.public.isa
|
| You are correct, that is exactly what happened.
|
| But I have concerns in terms of security:
|
| 1) What issues might I have just opened up?
|
| 2) Do I need to worry about it?
|
| 3) I can bet though that if I tried to change it back, then it would break.
|
| Let me know what you are thinking, it seems that your last statement was
| more of a surprise that making the logon change worked...?
|
| Is there a KB that spells out what access (files and services) that
| Microsoft Firewall needs to have access to? My best guess is that there is a
| registry key, a file or something else that the NETWORK SERVICE was
| attempting to connect to that was not allowed...?
|
|
| Thanks
| J
|
| ""Ken Zhao [MSFT]"" wrote:
|
| > Hello,
| >
| > Sorry for my delayed response!
| >
| > Do you mean the issue resolved after changing the Microsoft Firewall
| > service from NETWORK SERVICE to Local Server for the logon?
| >
| > Thanks & Regards,
| >
| > Ken Zhao
| >
| > Microsoft Online Partner Support
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| > When responding to posts, please "Reply to Group" via your newsreader so
| > that others may learn and benefit from your issue.
| > =====================================================
| > This posting is provided "AS IS" with no warranties, and confers no rights.
| >
| >
| >
| >
| > --------------------
| > | Thread-Topic: ISA Server Error
| > | From: Smurfman <smurfman@xxxxxxxxxxxxxx>
| > | Subject: Re: ISA Server Error
| > | Date: Fri, 18 Aug 2006 13:31:02 -0700
| > | Newsgroups: microsoft.public.isa
| > |
| > | Ken,
| > | Well, it has been an eventful afternoon.
| > |
| > | Here is what I have done.
| > |
| > | 1) Since I am replacing my old Domain Controllers, I noted the solution in
| > | KB 898720 where the error "Setup failed while creating the services
| > | configuration" this happened during the uninstall, which I finally got to
| > | work by disabling all the services for ISA and then rebooting. But it then
| > | happened during the install. Since this machine is a DC, this KB resolved
| > | the install issue.
| > |
| > | 2) Replication is still having some trouble. I noted that I could not get
| > | the logging to work so that I could see what I was attempting to make work
| > | RPC, LDAP etc etc, the things getting blocked that seem to be needed.
| > |
| > | 3) The new issue was that I could not make firewall rule changes, even
| > | though I had full ISA admin rights per the delegation. I was getting this
| > | error "The configuration changes were saved to storage, but at least one
| > | service failed to load these changes. The event viewer may...". And logging
| > | would not work, since I would get this error, "The Query stopped because an
| > | error occurred while it was running." I found KB 914957, and called for the
| > | hotfix (BTW the script has a typo in it, I had to fix the hotfix suggestion.)
| > | This replaced the w3filter.dll and the wspsrv.exe from version 4.0.2165.594
| > | to 4.0.2165.601, this did nothing, still have the same error.
| > |
| > | 4) Searched google for a while, found this link...
| > |
| > | http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21384303.html
| > |
| > | The solution for this person was to change the Microsoft Firewall service
| > | from NETWORK SERVICE to Local Server for the logon.
| > |
| > | I did this (step 4) restarted Microsoft Firewall and "poof" everything was
| > | working.
| > |
| > | SO...
| > |
| > | A) What did I just break?
| > | B) What security hole did I just create?
| > | C) Where was the NETWORK SERVICE attempting to go, that it could not?
| > | D) Where is the storage that the Firewall Rules error was referring to that
| > | could not load the changes?
| > |
| > | Thanks
| > | J
| > |
| > |
| > |
| > | ""Ken Zhao [MSFT]"" wrote:
| > |
| > | > Hello,
| > | >
| > | > Thank you for using newsgroup!
| > | >
| > | > Based on my knowledge, this error message may occur if the permission for
| > | > the following registry key is incorrect:
| > | >
| > | > HKEY_LOCAL_MACHINE\Software\Microsoft\Fpc\Arrays\<GUID>\SingaledAlerts
| > | >
| > | > The default permission should be
| > | > Administrators: Full Control
| > | > SYSTEM: Full Control
| > | >
| > | > You may open regedt32, then from the tool bar, select Security and
| > | > Permissions. You can manually add the permission, or check the box "Allow
| > | > inheritable permissions from parent to propagate to this object". This
| > | > should inherit the same permission (Administrators: Full Control, SYSTEM:
| > | > Full Control) from HKEY_LOCAL_MACHINE\Software\Microsoft\Fpc
| > | >
| > | > Hope that helps!
| > | >
| > | > Thanks & Regards,
| > | >
| > | > Ken Zhao
| > | >
| > | > Microsoft Online Partner Support
| > | > Get Secure! - www.microsoft.com/security
| > | >
| > | > =====================================================
| > | > When responding to posts, please "Reply to Group" via your newsreader so
| > | > that others may learn and benefit from your issue.
| > | > =====================================================
| > | > This posting is provided "AS IS" with no warranties, and confers no rights.
| > | >
| > | >
| > | >
| > | >
| > | > --------------------
| > | > | Thread-Topic: ISA Server Error
| > | > | From: Smurfman <smurfman@xxxxxxxxxxxxxx>
| > | > | Subject: Re: ISA Server Error
| > | > | Date: Thu, 17 Aug 2006 07:21:02 -0700
| > | > | Newsgroups: microsoft.public.isa
| > | > |
| > | > | Thanks Shijaz,
| > | > | I think I did this, in fact I reviewed the rights, I added the specific user
| > | > | name, and also the domain/domain admins, to have full isa rights...
| > | > |
| > | > | Oh, also the BUILTIN/Administrators
| > | > |
| > | > |
| > | > | My gut tells me there is something whacky with dns...
| > | > |
| > | > | J
| > | > |
| > | > | "Shijaz" wrote:
| > | > |
| > | > | > > I am getting this error anytime that I attempt to view the dashboard or make
| > | > | > > a change in ISA 2004...
| > | > | > >
| > | > | > > "Refresh Failed"
| > | > | > > "You do not have the necessary permissions to perform this action."
| > | > | > >
| > | > | > > Yet the user is a domain admin that is logged into the machine...I can't
| > | > | > > even monitor the logs, make a rule change or anything.
| > | > | >
| > | > | > Make sure you delegated permissions to this user from the ISA console while
| > | > | > you were logged in as the original administrator. To delegate permissions,
| > | > | > under "Configuration", choose "General". You will find the option to
| > | > | > delegate in the middle pane.
| > | > | >
| > | > | > Shijaz Abdulla
| > | > | > MCSE:Security, CCNA
| > | > | > www.shijaz.com/isaserver
| > | > | >
| > | > | > "Smurfman" <smurfman@xxxxxxxxxxxxxx> wrote in message
| > | > | > news:32ABAAAB-CF8B-41B3-867F-91164376747B@xxxxxxxxxxxxxxxx
| > | > | > > I am getting this error anytime that I attempt to view the dashboard or make
| > | > | > > a change in ISA 2004...
| > | > | > >
| > | > | > > "Refresh Failed"
| > | > | > > "You do not have the necessary permissions to perform this action."
| > | > | > >
| > | > | > > Yet the user is a domain admin that is logged into the machine...I can't
| > | > | > > even monitor the logs, make a rule change or anything.
| > | > | > >
| > | > | > >
| > | > | > > I have these entries in the Event log, and I have a feeling that I have
| > | > | > > configured something in the firewall that is not allowing my server to get
| > | > | > > authenticated or synchronized with my other servers.
| > | > | > >
| > | > | > > (To understand what I am attempting is that I have built two new machines to
| > | > | > > eventually replace two older machines. DC_1 is an old W2K Domain Controller,
| > | > | > > and is being replaced with DC_2 a new W2K3 R2 server. I have already built
| > | > | > > this machine, made it a DC in the forest, installed DNS (AD integrated), but
| > | > | > > have not moved the Global Catalog, or demoted the old server or moved any of
| > | > | > > the roles to the new DC_2. This new server seems to be replicating just fine
| > | > | > > with the others....
| > | > | > >
| > | > | > > ISA_1 is also being replaced (ISA2000 on W2K) with a new W2K3 R2 server with
| > | > | > > ISA 2004 (ISA_2). In my model the old ISA_1 server served as a backup DC and
| > | > | > > in our small network this has worked just fine for the past 5 years. Having
|
