SYMPTOMS
After you apply the Group Policy templates that are described in the
Security Operations Guide for Windows 2000, when a Microsoft Outlook Web Access (OWA) user tries to log on to Microsoft Exchange Server 2003, that user receives the following error message:
The page cannot be displayed
There is a problem with the page you are trying to reach and it cannot be displayed.
Please try the following:
- Open the Web site name home page, and then look for links to the information you want.
- Click the Refresh button, or try again later.
HTTP 500 - Internal server error
Internet Information ServicesAdditionally, the following event appears in the security log in Event Viewer on the active cluster node:Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date:
dateTime:
timeUser:
S-1-5-21-1292428093-2111687655-839522115-21305Computer:
clusternodeADescription:
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: ClusSvc
Handle ID: -
Operation ID: {0,19279754}
Process ID: 320 [this is services.exe]
Primary User Name:
clusternodeA$
Primary Domain:
contoso.comPrimary Logon ID: (0x0,0x3E7)
Client User Name:
owa-usernameClient Domain:
contoso.comClient Logon ID: (
0x0,0x1260FEE)
Accesses: READ_CONTROL
Query service configuration information
Query status of service
Enumerate dependencies of service
Query information from service
Access
RESOLUTION
To resolve this issue, modify the Group Policy object that you used to apply the Group Policy templates from the
Security Operations Guide for Windows 2000 to give the OWA users Read access to the Cluster Service. To do this, follow these steps:
- Log on to a domain controller, and then start the Active Directory Users and Computers snap-in.
- Right-click the domain or the organizational unit where your server cluster is located, and then click Properties.
- Click the Group Policy object that you used to apply the security settings from the Security Operations Guide for Windows 2000, and then click Edit.
- Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click System Services.
- In the right pane, double-click ClusSvc.
- Click Edit Security, and then click Add.
- Depending on your environment and depending on your security considerations, add the OWA users, and then click OK.
For example, you may want to add one of the following security groups:- Authenticated Users
- Domain Users
- Everyone
- In the Name list, click the security group that you added, click to clear all the check boxes in the Allow column of the Permissions box, and then click to select the Read check box in the Allow column.
- Click OK, and then click OK.
- Exit the Group Policy tool, click Apply, and then click OK.
- Restart the cluster node computers, or manually update Group Policy on each cluster node.
To manually update Group Policy, run the following command on each cluster node: secedit /refreshpolicy machine_policy