Article ID: 832981 - View products that this article applies to.
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/dd450371.aspxFor more information about IIS 7.0, visit the following Microsoft Web site:
CrashOnAuditFailfeature is a registry key that can be set to make sure that all auditable events are recorded in the security event log. If an auditable event cannot be logged in the security event log, a stop error (STOP 0xC0000244) occurs. The stop error typically occurs because the security event log is full. After the stop error occurs, non-administrator accounts cannot access the Web sites, and Microsoft Internet Information Services (IIS) returns HTTP 500 error messages until the
CrashOnAuditFailkey is reset and the security event log is cleared.
When you access a Web site on the server, you receive one of the following error messages.
Error message 1
HTTP 500 - Internal Server Error
Error message 2
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Error message 3
When friendly error messages are turned off in the browser, you may also receive the following error message:
The Local security authority cannot be contacted.
Logon failure: user not allowed to log on to this computer.
This problem occurs if the security event log has reached the maximum log size and the Event Log Wrapping setting is set to Overwrite Events Older than X Days or Do Not Overwrite Events. Because the security event log is full, and the
CrashOnAuditFailregistry key is set, Microsoft Windows does not permit accounts that are not administrator accounts to log on. When anonymous access is configured, requests to the Web site try to authenticate by using the IUSR_computername and IWAM_computername accounts. These accounts are not administrator accounts.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
To resolve this issue, follow these steps:
CrashOnAuditFailregistry key provides an optional security feature that system administrators can use to review all security events. The valid values for the
CrashOnAuditFailkey are 0, 1, and 2. The data options are:
Note None of the following methods alone resolves the issue. You must follow the steps in the "Resolution" section before you use one of these methods.
For additional information about using the CrashOnAuditFail security feature, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/140058/ )How to prevent auditable activities when security log is full
(https://support.microsoft.com/kb/232564/ )STOP 0xC0000244 when security log full
Article ID: 832981 - Last Review: October 10, 2012 - Revision: 5.0