PRB: Addition of New Application Center Member Fails When Anonymous Password Violates Password Policy (279148)

SYMPTOMS

When you add a new member to an Application Center 2000 cluster, the attempt fails with the following error message:

0x800708c5 - The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

The following success events are logged in the security log of the server that is being added

Event ID: 624
       Type: Success Audit
Description: User Account Created:
             New Account Name: %1       New Domain: %2
             New Account ID: %3         Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6
             Privileges %7

Event ID: 630
       Type: Success Audit
Description: User Account Deleted:
             Target Account Name: %1    Target Domain: %2
             Target Account ID: %3      Caller User Name: %4
             Caller Domain: %5          Caller Logon ID: %6
             Privileges: %7

where %1 is replaced with the Microsoft Internet Information Server (IIS) default anonymous account, usually IUSR_<Cluster Controller name>.

RESOLUTION

You must manually change the password for the cluster controller's default IIS anonymous access account. Microsoft recommends that this password be fifteen characters long with a mixture of capital and lower-case letters, numerals, or punctuation. In instances where a custom Passfilt.dll password filter is being used, the password requirements may be more stringent.

The password must be changed in both the Local Users and Groups MMC snap-in and in the Master Properties of the WWW Service.

To change the password for the WWW Service:

From the Internet Information Services MMC snap-in, right-click the server name, and then click Properties.
From the Master Properties pull-down list, click WWW Service, and then click Edit.
Click the Directory Security tab, and then click Edit to edit the anonymous access and authentication settings.
Click Edit Account (for anonymous access).
Clear the Allow IIS to control password check box.
Enter the new password. The new password must match the password that was entered in Local Users and Groups MMC snap-in.

After the password has been changed in both locations, the new member should be able to join the cluster without error. Once the member is added, IIS can again be configured to control the anonymous account password.

MORE INFORMATION

If the default anonymous user account is a local account on the cluster controller, then the Add Member Wizard will attempt to create a local account with the same name and password on the new member server. The initial default anonymous account, IUSR_MACHINENAME, is a local account with a non-expiring password that was created when IIS was installed on the cluster controller with a randomly generated password. If the cluster controller was not a member of a domain when this account was created, or if the local or domain password requirements changed after the default account was created, you may see the error that is noted in the "Symptoms" section when you try to add a new member to the cluster.

You can reproduce this error as follows:

Create a single-node cluster on a server that is a workgroup member and a local account for the IIS default anonymous account.
Manually set the default anonymous account password to a value that is illegal for your domain.
Join the cluster master to your domain.
Attempt to add another domain member server to your cluster.

REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base: