Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 2266 Source: W3SVC-WP

Source
Level
Description
The account that the current worker process is running under does not have SeTcbPrivilege, password sync feature and old Digest feature are being disabled.
Comments
 
Check to see if the anonymous user is locked or disabled. If it is, unlock it. We've seen this on a development system, and unlocking the Anonymous user fixed the issue.
From a newsgroup post: "SeTcbPrivilege is equivalent to "Act as part of the operation system". This error means that one of your application pools is running as an account that does not have this right. On Exchange, the DefaultAppPool and the ExchangeMobileBrowseApplicationPool both run under the well known account Network Service, while the ExchangeApplicationPool runs under Local System. Both accounts should have this right by default. It is likely that the identity that an application pool is running under is not one of these two. To check, open Internet Services Manager, and browse until you see Application Pools. Pull up properties of each of these listed and check the account on the identity tab. If it’s not the ones listed above then change it".

From a newsgroup post: "The account that the current worker process is running under, does not have the “SeTcbPrivilege” privilege; the anonymous password sync feature and the Digest authentication feature are disabled. This can be caused by some entries in the metabase that are incorrect or by an incorrect identity setting.

1. First, check to make sure the Default Application pool in IIS is using the correct Security Account to logon by following these steps:
A. Go to Start, Programs, Administrative Tools and double click on Internet Information Services Manager.
B. Expand your server name.
C. Expand Application Pools.
D. Right click on the DefaultAppPool and go to Properties.
E. Click on the Identity tab and make sure the radio button "Predefined" is marked and the account listed in the drop down box is "Network Service". If it is not, change it and stop and start IIS, then check the event logs for the error. If it is, go to step 2.

2. Go to the “C:\Windows\System32\Inetsrv” directory. Right click on the “metabase.xml” file and click on Edit. This will open the file in Notepad.
A. Search for "AnonymousPasswordSync". Set any instance you find of this to “False”.
B. Search for "UseDigestSSP". For any instance you find of this set it to “True”. Save the event logs and clear them, then reboot the server and check to see if the Event ID 2266 error reappears.

Note: To be able to open the “metabase.xml” in notepad and be able to save the changes, you will need to open Start/Administrative Tools/Internet Information Services (IIS) Manager then right click on the server name and select Properties. Check the box for Enable Direct Metabase Edit and then click on OK. After you are finished making any changes to the metabase I would recommend that you go back and uncheck the setting. Also, I would suggest before making any changes to the metabase that while you are in the IIS MMC that you right click on the server and select All Task/Backup/Restore Configuration and make a backup of the metabase before opening it in Notepad".

See "Trend Micro Support Solution ID: 1028564" for additional information on this event.
In my case, this error was due to broken SQL connection from ASPX page. After I fixed the SQL connection (correct password, dbo, etc), the error was gone.
See ME899300 for information about this event.
This was a problem for us after we upgraded a Win2k Server and IIS5 site.
From a newsgroup post: “The issue may also occur if the Web sites are updated from IIS 5. In IIS 5, there is an "allow IIS to control the password" box for anonymous account setting. While it is enabled, even if we manually change the anonymous account (IUSR)'s password, IIS will automatically synchronize the new password to make the anonymous access still workable. We call this Sub-Authentication.
For some security concerns, the feature is now disabled by default in IIS 6 and you will see there is no longer an "allow IIS to control password" box. However, for a site upgraded from IIS 5, the corresponding metabase setting to this feature may be retained as: AnonymousPasswordSync true. In this case, to make Sub-Authentication work again on IIS6, we need set the Application Pool to run under the SYSTEM account. All the details are listed in ME332167. You can follow the steps to have sub-authentication come back, or use Metabase Explorer (more convenient and clear than adsutil.vbs) to manually edit your metabase to disable AnonymousPasswordSync. Metabase Explorer is available in IIS 6 resource kit tools.
NOTE: AnonymousPasswordSync can be either a global setting to whole web server(/LM/W3SVC) or a local setting to site(/LM/W3SVC/n) or virtual directory (/LM/W3SVC/n/ROOT/virtual_directory_name). A local setting always overwrites global settings. Therefore, you first need to find where the problem occurs.
See the link to “AnonymousPasswordSync Metabase Property (IIS 6.0)” to find out where you can configure this property in the IIS metabase.

Note that we should run "iisreset" to take effect if we make any changes in either IIS Management or the IIS metabase.


Most probably, you have problems with the OWA password functionality. See ME833734 for a hotfix applicable to Microsoft Internet Information Services 6.0.

ME332167 provides information on how to configure IIS to control the Anonymous password. To check your IIS see the Authentication and Access Control Diagnostics 1.0 (AuthDiag) link.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...