Sometimes, when accessing the Discovery Center web interface, users might encounter a browser error message stating "HTTP Error 503. The service is unavailable." In IIS Manager, you will notice that the Application Pool is stopped, and that it stops again each time it is restarted and the web interface is accessed. Windows Event Viewer will normally contain errors logged by IIS/ASP.Net pointing to a failure to log in successfully.
This error is caused by an issue with the user account that is configured as the identity of the IIS application pool.
Aside from reviewing the account status, each element below is normally configured automatically by IIS. We have encountered some systems where locally specified group policy settings have prevented this configuration from occurring, particularly where the IIS_IUSRS group and the IUSR user have been disabled.
Resolution
Check account status
The most common cause of this issue is a problem with the chosen service account, especially if Discovery Center has been running successfully for some time.
The first steps should be to confirm that the account is not locked out, the password has not expired, and the correct password is configured in IIS.
Add service account to IIS_IUSRS group
Membership of the IIS_IUSRS group and the key rights of the application pool identity are normally configured dynamically by IIS as part of its operation.
If you encounter the 503 error and have determined that the service account is healthy and the password is correct, the next step is to add the service account to the IIS_IUSRS group as described below:
- On the application server, open Computer Management.
- Expand 'System Tools' > 'Local Users and Groups' > 'Groups'.
- Right-click the IIS_IUSRS group, then select Properties.
- Add the web application service account to the group.
- Recycle the Active Navigation application pool within IIS Manager.
- Refresh the Discovery Center web interface.
Configure log on rights for the service account
In order to initialize the application pool, the service account requires specific logon rights. These are normally acquired through membership of the IIS_IUSRS group, as in the section above. If the previous steps have not resolved the error, these rights can be granted explicitly to the service account.
- On the application server, open Local Security Policy.
- Expand 'Local Policies' and select 'User Rights Assignment'.
- Double-click the 'Log on as a service' policy.
- Add the web application service account if it is not listed.
- Double-click the 'Log on as a batch job' policy.
- Add the web application service account if it is not listed.
- Double-click the 'Impersonate a client after authentication' policy.
- Add the web application service account if it is not listed.
- Double-click the 'Deny log on as a service' policy and verify that the service account is not listed. If the account is listed then remove it.
- Double-click the 'Deny log on as a batch job' policy and verify that the service account is not listed. If the account is listed then remove it.
- Recycle the Active Navigation application pool within IIS Manager.
- Refresh the Discovery Center web interface.
Validate service account Temp directory access
Typically the execution of ASP.Net applications utilizes the system temporary directory, but the lack of permission to this location may cause the application to generate a 503 error.
Confirm the Discovery Center application pool service account permissions to the 'C:\Windows\Temp' location as described below:
- On the application server, navigate to C:\WINDOWS\Temp.
- Right-click the Temp folder and open Properties.
- Select the Security tab and confirm that the service account, or any security group which it is a member of, has Full Control permissions. If not, add Full Control permissions to the service account on this folder.
- Recycle the Active Navigation application pool in IIS Manager.
- Refresh the Discovery Center web interface.
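The group membership, user rights and Temp folder checks from the sections above can also be reviewed in one read-only pass before changing anything. The script below is an added example, not part of Discovery Center or the original article; the account name is a placeholder, and account lockout and password expiry still need to be checked separately.

```powershell
# Added example: read-only review of the settings described in this article.
# Run elevated on the application server. Nothing is modified.
param([string]$Account = 'EXAMPLE\svc-discovery')   # hypothetical service account

$sidType  = [System.Security.Principal.SecurityIdentifier]
$sid      = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value
$iisIusrs = 'S-1-5-32-568'                           # well-known SID of BUILTIN\IIS_IUSRS

# 1. IIS_IUSRS membership (direct members only; nested groups are not expanded)
$inGroup = [bool](Get-LocalGroupMember -Group 'IIS_IUSRS' |
                  Where-Object { $_.SID.Value -eq $sid })
"IIS_IUSRS member: $inGroup"

# 2. User rights: export the effective local policy and search each right
#    for the account (by SID or name), or for IIS_IUSRS if it is a member.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

$principals = @($sid, $Account, ($Account -split '\\')[-1])
if ($inGroup) { $principals += $iisIusrs, 'IIS_IUSRS' }

function Test-Right([string]$Right) {
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return $false }                # right has no holders at all
    $entries = ($line -split '=', 2)[1].Split(',') |
               ForEach-Object { $_.Trim().TrimStart('*') }
    [bool]($entries | Where-Object { $principals -contains $_ })
}

# Log on as a service / Log on as a batch job / Impersonate a client after authentication
foreach ($r in 'SeServiceLogonRight', 'SeBatchLogonRight', 'SeImpersonatePrivilege') {
    '{0,-26} granted: {1}' -f $r, (Test-Right $r)
}
# Deny log on as a service / Deny log on as a batch job (expected: False)
foreach ($r in 'SeDenyServiceLogonRight', 'SeDenyBatchLogonRight') {
    '{0,-26} listed:  {1}' -f $r, (Test-Right $r)
}

# 3. Access rules on C:\Windows\Temp that apply to the account or IIS_IUSRS
(Get-Acl 'C:\Windows\Temp').GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -in @($sid, $iisIusrs) } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

An empty result for the third check means neither the account nor IIS_IUSRS has an entry on the folder; any access then comes from another group the account belongs to.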