INFO: CMS 2001: Issues with Content Management Server Security Rollup Package (327718)



The information in this article applies to:

  • Microsoft Content Management Server 2001

This article was previously published under Q327718

SUMMARY

This article describes troubleshooting steps to take if you experience problems with your Content Management Server (CMS) installation after you apply the security rollup package (SRP).

MORE INFORMATION

To tighten system security, the CMS Security Rollup Package (SRP) enforces rigid conformance with the Microsoft Windows NT security model. Before you installed the SRP, CMS did not enforce some of these requirements. Because the SRP changes components to enforce security more strictly, a CMS installation that does not fully comply with the Windows NT security model stops working after you install the SRP, even though it worked before. This is not the result of a problem with the SRP; it is the result of more rigid enforcement of the Windows NT security model.

If you experience problems with your Content Management Server (CMS) installation, follow these steps:
  1. Stop the IISAdmin service and the AESECURITYSERVICE. When you initially install the SRP, some dependent services may not stop. For the installation to continue, stop the IISAdmin service (this stops all requests to the Web server), and then stop AESECURITYSERVICE. Both services must be stopped, and Microsoft recommends that you stop them before you try to install the SRP.

    To stop these services:

    1. To stop IISAdmin, at a command prompt, type NET STOP IISADMIN /y.
    2. After the IISAdmin service stops, at a command prompt, type NET STOP AESECURITYSERVICE.
  2. Make sure that your CMS system account has rights on the domain. To provide more consistent authentication, CMS now impersonates the CMS system account that is specified in the installation (or that is specified later in the Server Configuration Application [SCA]) for connecting to the domain controller and SQL. If, for some reason, this user does not have the correct permissions, CMS does not work. Make sure that the account that CMS uses is a domain account and is a member of Domain Users so that the account has the right to enumerate all user groups and members.

    To test whether your CMS system account has rights on the domain, at a command prompt, type NET USER account_name /DOMAIN, where account_name is the name of your CMS system account. This shows the information for the account as defined by the domain controller, including the group memberships for the account.

  3. Make sure that you are not using a domain local group on a Microsoft Windows 2000 mixed mode domain. Domain local groups, which are introduced with Microsoft Windows 2000 domains, no longer work on CMS if you are using a Microsoft Windows NT 4.0 or Windows 2000 mixed mode domain. In Windows NT 4.0, these groups are local groups on the domain controller. According to the Windows NT security model, these are not supposed to work off the domain controller in Windows NT 4.0, or Windows 2000 mixed mode domains.

  4. If you are using Lightweight Directory Access Protocol (LDAP), make sure that the CMS System account is a member of a Windows 2000 domain. Windows NT 4.0 domain users do not have enough permissions to access all the information that CMS must have to authenticate the user.
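
The following Python sketch automates the check in step 2 by reading the group memberships out of saved NET USER /DOMAIN output. It is an added example, not part of the original article or of CMS; it assumes English-language output, and the sample text, account name and group names are constructed.

```python
import re

# Constructed sample of `NET USER account_name /DOMAIN` output (English locale);
# the account, domain and group names are made up for this example.
SAMPLE_OUTPUT = """\
The request will be processed at a domain controller for domain example.local.

User name                    cmssvc
Full Name                    CMS system account
Account active               Yes

Local Group Memberships      *CMS Local Editors
Global Group memberships     *Domain Users         *CMS Authors
                             *CMS Moderators
The command completed successfully.
"""

# A field line is a label, a run of two or more spaces, then the value.
FIELD = re.compile(r"^(\S.*?)\s{2,}(\S.*)$")


def parse_net_user(text):
    """Return {lowercased label: value}; group fields become lists of names."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        m = FIELD.match(line)
        if m:
            current = m.group(1).lower()
            fields[current] = m.group(2).strip()
        elif line[0].isspace() and current:
            fields[current] += " " + line.strip()  # wrapped group list
    for key in ("local group memberships", "global group memberships"):
        raw = fields.get(key, "")
        fields[key] = [g.strip() for g in raw.split("*") if g.strip()]
    return fields


def check_cms_account(text):
    """Findings for step 2: the account must be a member of Domain Users."""
    info = parse_net_user(text)
    if "user name" not in info:
        return ["no account record in output (lookup failed?)"]
    groups = {g.lower() for g in info["global group memberships"]}
    if "domain users" not in groups:
        return ["account is not a member of Domain Users"]
    return []
```

An empty list from check_cms_account means the membership that step 2 requires is present; NET USER can truncate long group names, so confirm unexpected findings against the domain controller.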

REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

326075 MS02-041: Microsoft Content Management Server 2001 Security Update


Modification Type: Major
Last Reviewed: 9/5/2002
Keywords: kbinfo KB327718