Ï have WSS 3.0 installed on a single server (SQL is installed in the same box). Since we have a new application running on a different box that needs Sharepoint installed on the same machine, I've decided to install a web frontend on this second machine to access a specific sharepoint web site. When I try to access this web site through the new WFE I get the message "Cannot connect to the configuration database." In the Application Event Log I get the message "SQL database login failed. Additional error information from SQL Server is included below. Login failed for user 'DOMAIN\SERVER$'." (ID 3351). Again, this happens in the second server, on the original WSS server the web site runs ok. I see that the site's Application Pool runs under "Network Service" and I suppose that's the reason. I guess that App Pool has to run under a domain account. I such a case, my question is: what privileges do I have to give that account ant to which WSS databases? Thanks

Hi Ghechem, Can you confirm whether the WSS 3.0 setup a farm installation or a single server installation with SQL express? Thanks!BlueSky2010

The first server was installed as single server, but using a full SQL which had been previously installed (no SQL express). The second one was (obviously) installed as a WFE added to an existing farm.

Ghechem, The application pool account mush have standard rights in order to run the application pool with read and write access to sql server. The following rights are required by application pool identity. Must of a member of IIS_WPG, SPS_WPG and STS_WPG Must be a db_owner on the databases: configuration database, SSP database, site collection database When you say"Installed WFE", do you mean "adding a new server to farm"? How did you add the new server to the farm? The farm in this case is a single server. Did you run sharepoint technologies wizard? If the website was running properly before you added new server to the farm, it might be because of the service account that might have switched to network service from the actual service account. You could check by navigating to IIS, right click the application pool and click on properties. This would display the account the application pool is running. Try to switch it to the other account, instead of network service and see if it runs. Hope this helps. V

OK, I'll try to clarify. The first server was installed as stand-alone. Application Pools always ran under Network Service (they still do). I then installed the Web Front End on the second server. The wizard automatically created on the second servers' IIS the same web sites that existed on the first's, with the same security configuration. To summarize, on both servers the App Pools run under Network Service. The web site works fine on the first one (the one which also runs SQL), but not on the second one.

I would suggest you to create a new service account with the above permissions. Assign the account to the application pools. You can change the service account by navigating to Central administration -> operations -> services accounts.V

Ok, I already did that. The site for which I changed the app pool's account is now prompting for credentials when I try to browse it. In the server's Securty Event Viewer I "failure audit" events (ID 529 related to Kerberos). Some problem with SPN perhaps?

Is the account a member member of IIS_WPG, SPS_WPG and STS_WPG? Also, is the machine in the domain? If the above two look fine, might be an SPN issue. Take a look at this article. http://littletalk.wordpress.com/2010/02/24/kerberos-lesson/ V