Article ID: 886213
When you try to install a Microsoft Systems Management Server (SMS) 2003 Management Point role on a Microsoft Windows Server 2003-based domain controller, you may experience the following symptoms:
For example, you try to use Microsoft Internet Explorer to access the following URL:
http://name of the SMS 2003 Management Point/sms_mp/.sms_aut?mplist
In this case, you may receive the following error message:
Additionally, the Mpcontrol.log file that is located in the \SMS\Logs folder on the SMS 2003 site server may contain the following error:
401.3 Unauthorized due to ACL on resource
Http verification .sms_aut failed with status code 401, Unauthorized $$<SMS_MP_CONTROL_MANAGER><date time year time zone><thread=2648 (0xA58)>
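To check collected copies of Mpcontrol.log for this symptom, the following added example (not part of the original article and not Microsoft code) parses the entry format shown above and reports failed HTTP verifications with status 401. The function name and the sample lines are constructed for illustration, and the timestamp is treated as opaque text.

```python
import re

# Trailer SMS appends to each log entry, as in the line quoted above:
#   <text> $$<COMPONENT><timestamp><thread=DEC (0xHEX)>
ENTRY = re.compile(
    r"^(?P<text>.*?)\s*\$\$<(?P<component>[^>]*)><(?P<when>[^>]*)>"
    r"<thread=(?P<tid>\d+) \(0x(?P<hex>[0-9A-Fa-f]+)\)>\s*$")
# Message text of the failed HTTP self-check, modeled on the quoted entry.
VERIFY = re.compile(r"Http verification (?P<target>\S+) failed with "
                    r"status code (?P<code>\d{3}), (?P<reason>.+)$")

def find_mp_auth_failures(lines, codes=(401,)):
    """Return one dict per failed MP HTTP check whose status is in `codes`."""
    hits = []
    for lineno, raw in enumerate(lines, 1):
        entry = ENTRY.match(raw.rstrip("\r\n"))
        if not entry:  # no SMS trailer (wrapped or foreign line): skip
            continue
        check = VERIFY.search(entry["text"])
        if not check or int(check["code"]) not in codes:
            continue
        hits.append({
            "line": lineno,
            "component": entry["component"],
            "when": entry["when"],  # kept as opaque text, not parsed
            "target": check["target"],
            "code": int(check["code"]),
            "reason": check["reason"].strip(),
            # Decimal and hex thread ids must agree; a mismatch points to a
            # truncated or hand-edited line.
            "trailer_intact": int(entry["tid"]) == int(entry["hex"], 16),
        })
    return hits

# Constructed sample input. Line 2 follows the entry quoted above with a
# made-up timestamp; the other lines are invented for contrast.
_TRAILER = ("$$<SMS_MP_CONTROL_MANAGER>"
            "<Mon Jan 03 09:05:01 2005 Pacific Standard Time>"
            "<thread=2648 (0xA58)>")
SAMPLE = [
    "Http verification .sms_aut succeeded with status code 200, OK " + _TRAILER,
    "Http verification .sms_aut failed with status code 401, Unauthorized " + _TRAILER,
    "Http verification .sms_aut failed with status code 500, Internal Server Error " + _TRAILER,
    "401.3 Unauthorized due to ACL on resource",
]

if __name__ == "__main__":
    for hit in find_mp_auth_failures(SAMPLE):
        print(hit)
```

Pass `codes=(401, 500)` to widen the filter to other failure statuses when triaging a Management Point that fails for a different reason.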
This behavior occurs if the following two domain user accounts have Log on restrictions set on one or more computers that are members of the domain:
The IWAM_name of the domain controller and the IUSR_name of the domain controller domain accounts are copies of the domain Guest account and are created during the IIS Setup process. Therefore, when you make changes to the domain Guest account before you install IIS on a domain controller, the changes are inherited by the IWAM_name of the domain controller domain account and the IUSR_name of the domain controller domain account during the IIS installation process. Additionally, you must make sure that the IWAM_name of the domain controller domain account is included as part of the domain's IIS_WPG group. If IIS is removed from the domain controller computer, the removal process also removes the IIS_WPG group from all domain controllers because they share the same account database.
To work around this problem, you must make sure that the domain Guest account has the attributes that you need before you install IIS on any domain controller in your domain.
Make sure the IWAM_name of the domain controller account is part of the name of your domain\IIS_WPG group. If you have removed IIS from the domain controller, you must manually add the account back to the name of your domain\IIS_WPG group so the SMS 2003 Management Point can work correctly. To do this, follow these steps:
On a Windows Server 2003-based computer, the IIS Setup process creates three accounts. Two of the accounts are directly affected by the properties and attributes of the existing Guest account:
The IUSR_computer name account is the Internet Guest User account for anonymous Internet users. If the IUSR_computer name account is disabled, anonymous access fails.
The IIS_WPG group is the Worker Process Group. If it is disabled, IIS does not work correctly. If this group account is created on a domain controller, this group is shared by multiple IIS servers. Typically, the IWAM_name of the domain controller account is located in this group. Every domain controller that is running IIS 6 has an account in this group. The IIS_WPG group is not a copy of the Guest account.