SharePoint (and Project Server) Shenanigans

Recently I was asked to look at SharePoint 2007 install that was throwing 6641 “Logon failure: the user has not been granted the requested logon type at this computer” errors every few minutes and filling up the Application log.

We went through he normal steps of checking the service and SSP accounts, we did find that the Office Search Service had hung, but this wasn’t the problem, we checked various blogs on the web that seemed to point towards Kerberos being the problem, but this particular farm was only using NTLM. Thinking about the error “the user has not been granted the logon type at this computer”, got me thinking about logon types and failures, so a look in the Security  log turned up these errors that were coinciding with the 6641’s in the Application log.

Logon type 4 is a Batch logon, the farm account was calling this but the User Name called was for a secondary SSP that we didn’t think was used. The best way to fix this would be to give the secondary SSP account the ‘Logon as a batch Job’ right via local security policy, so preserving the principle of least rights for a service account, unfortunately we couldn’t do this so a temporary measure we added the secondary SSP account to the local admins group and the 6641 errors immediately stopped.

An unfortunate side effect of the above that that we started getting the IIS WAMREG DCOM activation errors in the System event log while not a problem in itself we fixed those as well, steps outlined here for Windows 2003 / WSS 3.0 (as this system was), just make sure ALL your accounts are in the WSS_WPG group.

Once those steps were taken all 3 event logs were error free.