Lost access to Central Administration Page
After trying to troubleshoot why all the e-mail alerts stopped working, I ran the best
practices analyzer and ran the commands it suggested in the paragraph below.
"The same account that you use to run SharePoint 3.0 Central Administration
must be configured as the SharePoint Timer Service. If they are not the same,
the system may not be able to send Alert Notifications and you will not be
able to add a content database to a web application using the Manage Content
Databases page. Although there are built in mechanisms to keep these accounts
synchronized, it is possible to manually change the SharePoint Timer Service
account. If the account that you are using to run SharePoint 3.0 Central
Administration is the correct account, you can log on to the Web server where
the SharePoint Timer Service running as the wrong account. From a command
prompt change to the directory where the SharePoint Timer Service is running,
this is typically C:\Program Files\Common Files\Microsoft Shared\web server
extensions\12\BIN, and run the command: stsadm -o updatefarmcredentials
-identitytype configurableid -userlogin domain\account -password password.
Although you could directly update the SharePoint Time Server account by
opening Administrative Tools, Component Services, you should use this
approach only as a last resort. To avoid inconsistencies between the
configuration database settings and what the accounts for the services,
changes to SharePoint service accounts must be completed through SharePoint
3.0 Central Administration."
I am now no longer able to login to Central Administration with a domain
account (even domain administrator accounts).
I figured out that I can still login to Central Administration using the server's
local administrator account, so I have done that.
When I go into Update Farm Administrator Accounts, I see the accounts there
including one domain account that was deleted from the domain but cannot be
removed from Farm Administrators.
It says Error 1387 when I attempt to delete it.
How can this be fixed?
June 17th, 2009 12:14am
Please run the following command:
stsadm -o updatefarmcredentials -userlogin DomainName\UserName -password NewPassword
where DomainName\UserName is the account from your Active Directory.
Refer: How to change service accounts and service account passwords in SharePoint Server 2007 and in Windows SharePoint Services 3.0
http://support.microsoft.com/kb/934838
Visit: http://yagyashree.wordpress.com
MCP & MCTS [WSS 3.0/MOSS]
June 17th, 2009 12:20am
I just tried those commands and restarted IIS and it just keeps prompting me to reenter the credentials when I try to use the account to access Central Administration. Do I have to manually assign this account special privileges? Only local administrator works.
June 17th, 2009 12:28am
Please check if your account is locked out in Active Directory and let me know.
Visit: http://yagyashree.wordpress.com
MCP & MCTS [WSS 3.0/MOSS]
June 17th, 2009 12:36am
It is not locked. It is a new domain user account and I added it as a local admin on the WSS server. Do I need to use a domain admin account or do I need to give it special permissions on the WSS server?
June 17th, 2009 12:44am
You have to make sure the user is present in the following groups:
Administrators
IIS_WPG
WSS_ADMIN_WPG
WSS_RESTRICTED_WPG
WSS_WPG
Make sure the user is added in SQL Server with the following roles:
dbcreator
securityadmin
Visit: http://yagyashree.wordpress.com
MCP & MCTS [WSS 3.0/MOSS]
June 17th, 2009 1:30am
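
A read-only check of the two conditions raised so far in the thread, added here as an example and not posted by any participant: whether the timer service and the Central Administration application pool run as the same account, and whether an account is a direct member of the local groups listed above. It assumes PowerShell on the WSS server, the IIS 6 WMI provider, the default service name SPTimerV3 and the default pool name; DOMAIN\account is a placeholder.

```powershell
# Added example, read-only. Values marked "assumed" or "placeholder" are not from the thread.
$timerServiceName = 'SPTimerV3'                             # assumed: default WSS 3.0 timer service name
$caPoolName       = 'SharePoint Central Administration v3'  # assumed: default Central Admin pool name
$account          = 'DOMAIN\account'                        # placeholder: the account being tested
$groups = 'Administrators', 'IIS_WPG', 'WSS_ADMIN_WPG', 'WSS_RESTRICTED_WPG', 'WSS_WPG'

# Identity the timer service runs as.
$timer = Get-WmiObject Win32_Service -Filter "Name='$timerServiceName'"
if (-not $timer) { throw "Service '$timerServiceName' not found" }

# Identity of the Central Administration application pool (IIS 6 WMI provider).
$pool = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting |
    Where-Object { $_.Name -eq "W3SVC/AppPools/$caPoolName" }
if (-not $pool) { throw "Application pool '$caPoolName' not found" }

# AppPoolIdentityType 0-2 are built-in identities; 3 means the account in WAMUserName.
$builtin = @{ 0 = 'LocalSystem'; 1 = 'NT AUTHORITY\LocalService'; 2 = 'NT AUTHORITY\NetworkService' }
$type = [int]$pool.AppPoolIdentityType
if ($type -eq 3) { $poolIdentity = $pool.WAMUserName } else { $poolIdentity = $builtin[$type] }

"Timer service runs as      : $($timer.StartName)"
"Central Admin pool runs as : $poolIdentity"
if ($timer.StartName -ne $poolIdentity) {
    'MISMATCH: identities differ (check by eye if one is written as user@domain)'
}

# Direct membership of $account in each local group; nested groups are not expanded.
$domain, $user = $account.Split('\')
foreach ($g in $groups) {
    $paths = @()   # reset so a missing group cannot reuse the previous group's members
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$g,group"
    $paths = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
    '{0,-20} {1}' -f $g, ($paths -contains "WinNT://$domain/$user")
}
```

A group that does not exist on the server prints an error followed by False for that group.
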
There is no SQL Server. It is using the included standard database. I don't see how to add it to those groups other than Administrators and IIS_WPG from Active Directory memberships. How do you do this?
June 17th, 2009 1:48am
I found the groups on the local machine (except SQL). The account already was a member of all the groups except WSS_WPG. I added it to that group and it still cannot log in to Central Administration. Is there some other SQL permission needed? Why do I need to add all these permissions manually?
June 17th, 2009 1:54am
Try this: Open the central admin and provide the user name/password every time it prompts for it. It will give you an error after some interval. Paste the error here.
Visit: http://yagyashree.wordpress.com
MCP & MCTS [WSS 3.0/MOSS]
June 17th, 2009 2:37am
You are not authorized to view this page
You do not have permission to view this directory or page using the credentials that you supplied.
Please try the following:
Contact the Web site administrator if you believe you should be able to view this directory or page.
Click the Refresh button to try again with different credentials.
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Internet Information Services (IIS)
Technical Information (for support personnel)
Go to Microsoft Product Support Services and perform a title search for the words HTTP and 401.
Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled Authentication, Access Control, and About Custom Error Messages.
June 17th, 2009 2:42am
Open the central admin using the local account, go to "Application Management -- Authentication Providers", and choose the web application name on the right-hand side as "SharePoint Central Administration". Let me know what you see at "Integrated Windows authentication":
Kerberos
NTLM
Visit: http://yagyashree.wordpress.com
MCP & MCTS [WSS 3.0/MOSS]
June 17th, 2009 3:01am
You might want to try what is on this thread:
http://social.msdn.microsoft.com/Forums/en-US/sharepointadmin/thread/50dcdb53-2d46-4efa-a5e2-a1bed04e0496
It could be the zone settings of the browser and/or the look back check issue.
SharePoint's green status ball of doom...
June 17th, 2009 3:03am
Negotiate (Kerberos)
June 17th, 2009 3:05am
Negotiate (Kerberos)
There you go, we just found your problem. Change it to NTLM and save the changes and you are all set. Cheers.
Visit: http://yagyashree.wordpress.com
MCP & MCTS [WSS 3.0/MOSS]
June 17th, 2009 3:44am
Did it work? Please update.
Visit: http://yagyashree.wordpress.com
MCP & MCTS [WSS 3.0/MOSS]
June 17th, 2009 4:12am
Negotiate (Kerberos)
Was it originally configured for Kerberos and working fine before this problem began?
SharePoint Architect || My Blog
June 17th, 2009 5:46am
I am not in the office now, so I won't be able to test changing the setting until tomorrow. It was working fine with this setting before, so I don't understand why I should need to change it now. The things that have changed before the problem started are:
My domain admin user password changed.
The timer service's service account was changed from Network Service to a dedicated domain user account.
I ran the commands recommended by the SharePoint Best Practices tool (listed in the first message at the top of the page).
June 17th, 2009 5:59am
Changing to NTLM would just be a quick test to be sure your other accounts are ok. Once you confirm that, then you can go about the steps to get Kerberos working again. Service account passwords changing is a huge pain in the butt, especially if it's your farm account, which would likely be the app pool account for Central Admin that must be configured via SPN for Kerberos to work...
SharePoint Architect || My Blog
June 17th, 2009 6:04am
What about changing the SharePoint timer service back to Network Service? Would that help? I'm not sure how to do that since I don't know what the password is.
June 17th, 2009 7:10am
It should be a domain account and should have been so from day one. It should be the same service account that is your farm account (database access account).
SharePoint Architect || My Blog
June 17th, 2009 7:12am
I changed it to NTLM and ran iisreset and I still cannot log in to Central Administration with any other account other than the local administrator.
June 17th, 2009 6:19pm
Do you get the same 401.1 error after 3 attempts? Did you check AD again to ensure those accounts are not locked out? Can you log in to anything else with those accounts?
SharePoint Architect || My Blog
June 17th, 2009 6:37pm
Yes, it is the same error and no, the accounts are not locked out. One of the accounts I tried is the account I logged in to the server with and it is a domain admin account.
June 17th, 2009 6:51pm
What about your other SharePoint sites? Are you able to log in to them? What kind of authentication do they have? Let us know.
Visit: http://yagyashree.wordpress.com
MCP & MCTS [WSS 3.0/MOSS]
June 17th, 2009 6:56pm
I can log in to everything except Central Administration. There is only one WSS server in the farm. I don't know what you mean by "other sharepoint sites". I can't find anywhere else to change authentication for other sites.
June 17th, 2009 7:07pm
Other sites meaning your actual content site collections. Each web application has its own authentication provider. Did you verify that you were specifying the Central Admin web app when you switched auth to NTLM? It shows the name of the web app in the top right-hand corner, and it doesn't always default to what you want. Verify that the Central Admin web app is set to NTLM. Then, switch to your other web apps (SSP, MySite, Content/Intranet), and see how they are all set.
SharePoint Architect || My Blog
June 17th, 2009 7:16pm
It had defaulted to the main site rather than Central Administration when I changed it to NTLM before. I just changed the drop-down menu to Central Admin and tried again to change Central Admin to NTLM. As soon as I did that, the page went away and I now get "THE PAGE CANNOT BE DISPLAYED". I can't get into Central Admin at all now because there is no longer a user login prompt. I did iisreset and it didn't help.
June 17th, 2009 7:26pm
You can't get in with any account now? That would not make any sense after switching to NTLM. You did an IISRESET, but can you confirm that the app pool and IIS site are running? Also check the WSS Admin and Timer services to be sure they are running. Then, check the Event logs.
SharePoint Architect || My Blog
June 17th, 2009 7:29pm
Yes. The SharePoint site is still up and running, but Central Admin became completely inaccessible as soon as I changed it to NTLM. As soon as I clicked the button to make the change and then when I click on the Central Admin shortcut, the browser opens and says:
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
There is no login prompt to Central Administration any more, so you cannot enter any credentials.
June 17th, 2009 7:36pm
I don't see how it could be running if you get that message. You refer to "the sharepoint site," but SharePoint consists of many sites and multiple IIS sites + multiple app pools. Central Admin is a different app pool and different IIS site than the rest of your SharePoint environment. Did you confirm that the exact Central Admin IIS site, app pool, and services are running? I'm just not confident after the previous mistake with authentication providers that you did a comprehensive check of each piece as it relates to Central Admin.
SharePoint Architect || My Blog
June 17th, 2009 7:40pm
By the SharePoint site, I mean the actual site that we use for the content hosted on it, as opposed to the Central Administration site that has had the problem for the last day. I went to IIS and looked under Application Pools and they are all running, including SharePoint Central Administration v3 (Start is greyed out when you right click). I tried restarting IIS and it doesn't make Central Administration accessible. I looked in the event log and there is this error:
Event Source: Windows SharePoint Services 3 Search
Event Category: Gatherer
Event ID: 2424
The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.
Context: Application 'Search', Catalog 'index file on the search server Search'
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
June 17th, 2009 7:50pm
This is no longer fixed by just replying via post. I will recommend that you open a support ticket with Microsoft. US Toll free: 800-936-4900
Visit: http://yagyashree.wordpress.com
MCP & MCTS [WSS 3.0/MOSS]
June 17th, 2009 7:56pm
Ok, but did you check the Central Admin IIS site? Each app pool has one or more sites. Click on IIS sites, and it will show the full list of sites and their status. Ensure it says "Running" in that column. Then, go to Admin Tools > Services, and be sure the WSS Admin Service and WSS Timer Service are running properly.
SharePoint Architect || My Blog
June 17th, 2009 7:58pm
I went there and all sites are listed as running. I noticed it doesn't list the SSL port I was using a few minutes before (8531). This is built into the Central Administration shortcut. It only says port 31372 and no SSL. I added the TCP port 8531 for SSL and now I can log in with the local administrator account again and we are back to the way it was an hour ago. This is very strange that it was working with these settings before.
June 17th, 2009 8:46pm
Ok, I just tried it again and now the domain account works for login to Central Administration also.
June 17th, 2009 8:48pm
I spoke too soon. I logged in with the domain account but it says "Welcome System Account" instead of the user ID I logged in with.
June 17th, 2009 8:51pm
Ok, I just tried it again and now the domain account works for login to Central Administration also.
Good, that's what I expected. So, you are fine now, but if you want to get Kerberos working for Central Admin, it will be some work, especially if you didn't initially set it up. It's very complicated, but we can get it going if you want. However, I'm not sure there is a lot of reason to use Kerberos on that web app (unlike your content web apps). Remember to go back and change your content web app back to Negotiate, though...
SharePoint Architect || My Blog
June 17th, 2009 8:52pm
I went to change the content web app back to Negotiate and it popped up a warning saying "You have chosen to use Kerberos with Integrated Windows Authentication. Manual configuration steps by a Domain administrator will be required if the application pools security account is not Network Service". What is this about? I am not sure that the application pool's security account is Network Service. I'd hate to change it and have it become inaccessible to all the users.
June 17th, 2009 9:03pm
It's referring to the fact that for Kerberos to work, you have to have a domain account (service account) as the app pool identity for that site's app pool. Additionally, the SPNs need to be set for that account relative to that URL and that server. This would all have been done when the system was first set up for Kerberos. Your app pool should definitely NOT be Network Service. Kerberos was working before you switched to NTLM, so it should continue to work. If it doesn't, then you could switch back to NTLM. If you want to wait and change this back after hours, then that would not be a bad idea.
SharePoint Architect || My Blog
June 17th, 2009 9:07pm
It seems to be working. The warning didn't pop up until the change was already done and there was no option to cancel. Do you know what it means when it says "Welcome System Account" instead of your login ID on the top right of the page?
June 17th, 2009 9:22pm
It means you're using the farm account or whatever account was used initially to create Central Admin.
SharePoint Architect || My Blog
June 17th, 2009 9:26pm
OK, it looks like everything that can be done with this is done. Thanks.
June 17th, 2009 9:47pm
Thanks for the Answer credit.
SharePoint Architect || My Blog
June 17th, 2009 9:51pm
Read through all of this thread, and still can't understand what solution worked.
I also got the situation, that the Central Administration website is only accessible by the local administrator of the machine, but not by the domain admin, who installed the Sharepoint, or even the Farm Account, which has been established later.
September 13th, 2010 12:08pm
I lost Central Administration from IIS. How can I fix that?
May 24th, 2011 6:47am