SharePoint 2010: HTTP Error 503 – Service Unavailable.

KBID

EXP-INC-00003

Title

HTTP Error 503. Service Unavailable

Introduction

When you are working with SharePoint 2010 or SharePoint 2013 environments, you have probably seen the HTTP Error 503. Service Unavailable error at some point. This error can have several causes, and a search in your favourite search engine turns up a lot of articles on the subject.

Some common causes can be:

  • a disabled application pool
  • an invalid identity for an application pool because of an expired password.

This article describes how I ran into an issue with a group policy that caused an HTTP Error 503.

Symptoms

When you navigate to a SharePoint 2010 site you get an error:
HTTP Error 503. Service Unavailable

Steps to Reproduce

1. Navigate to your SharePoint 2010 site

Cause

In my case this error was caused by the removal of the Log on as a batch job permission of the Application Pool account on one of the Application servers in a SharePoint 2010 farm. The application pool account of your web application needs this permission on the server where it is running. You can also check out Corey Roth's blog post on this topic, Corey’s Guide to SharePoint Service Accounts.

When navigating to the System Log on one of the servers in the SharePoint 2010 farm I saw an event of the Windows Process Activation Service (WAS) source with ID 5021:
The identity of application pool ‘yourapplicationpoolname’ is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

System Log - WAS event id 5021

After finding the 5021 event I wanted to check what my Application Pool Identity was. You can check the identity of your application pool via the Application Pools view in Internet Information Services (IIS) Manager.

IIS - Application Pool Identity

Once you have established what your Application Pool identity is, you can open the Local Security Policy Editor on the same server. You can also use Run and type secpol.msc to start it. Check what the Security Setting is for the Log on as a batch job policy.

In my case a custom policy was set which had overwritten the default settings. The result was that the Log on as a batch job permissions of the application pool identity were removed.

Local Security Policy Editor - Log on as a batch job

Applies to

SharePoint 2010, SharePoint 2013

Workaround

Not Applicable

Solution

Add the Application Pool Identity account to the Log on as a batch job group policy, or give the account this permission via a local policy on the server if you are not using group policies.
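
The checks from the Cause section can be scripted so they are repeatable across the servers in a farm. The following is an added example, not code from the original article: it lists recent WAS 5021 events, reads the Log on as a batch job right (SeBatchLogonRight) from a secedit export, and compares it with each application pool identity. The helper function names and the scratch file name are assumptions, and the script assumes the export reflects the rights currently in effect on the server.

```powershell
# Added example, not from the original article. Run elevated on the SharePoint server.
Import-Module WebAdministration

# 1. Recent WAS 5021 events (invalid application pool identity) from the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS'; Id = 5021 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Format-List TimeCreated, Message

function ConvertTo-Sid([string]$Account) {   # hypothetical helper: account name -> SID string
    (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Hypothetical helper: SIDs of the direct members when the SID is a local group, otherwise nothing.
function Get-LocalGroupMemberSid([string]$GroupSid) {
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($GroupSid)
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
        $group.psbase.Invoke('Members') | ForEach-Object {
            $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
            (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }
    } catch { }   # not a local group, or the SID could not be resolved
}

# 2. Export the user rights assignment and collect the holders of SeBatchLogonRight.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
Remove-Item $cfg
$holderSids = @()
if ($line) {
    # Entries are "*S-1-5-..." SIDs or plain account names, separated by commas.
    $holderSids = @(($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1) } else { ConvertTo-Sid $entry }
    })
}
$granted = @($holderSids) + @($holderSids | ForEach-Object { Get-LocalGroupMemberSid $_ })

# 3. Report every application pool that runs under a specific account.
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    if ($pool.processModel.identityType -ne 'SpecificUser') { continue }
    $user = $pool.processModel.userName
    New-Object PSObject -Property @{
        AppPool = $pool.Name; Identity = $user; State = $pool.State
        HasBatchLogon = ($granted -contains (ConvertTo-Sid $user))
    }
}
```

A False in HasBatchLogon means neither a direct grant nor a grant through a local group was found; grants through nested or domain groups are not resolved by this script.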

References

Dot Net Mafia – Corey’s Guide to SharePoint Service Accounts
Technet – Account permissions and security settings in SharePoint 2013
Technet – Event ID 5021

1 Response

  1. Johan says:

    Nice article