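Recently a friend told me that his company's SharePoint 2010 server was down: neither the SharePoint 2010 CA nor the sites would open, and the error message shown on the page was "Service Unavailable". I didn't think much about it when I heard this and said, "Your IT administrator must have changed the password of the account that SharePoint uses in the IIS Application Pool; just set it again and it will be fine." As it turned out, they had already tried that, the user name and password were correct, and after resetting them the page still reported "Service Unavailable". I found this very strange. What was going on? My friend and I connected remotely to the SharePoint server and, in the Windows event log, found an error reported by WAS (Windows Process Activation Service) (Figure 1): "The identity of application pool SecurityTokenServiceApplicationPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. ......"
Figure 1
At this point I wondered whether the Application Pool user had lost the "Log on as Batch Job" right in the Local Security Policy, and whether that was what caused SharePoint 2010 to show "Service Unavailable". We contacted the Administrator right away, and sure enough the SharePoint account no longer had the "Log on as Batch Job" right (run the secpol.msc command to check; see Figure 2). After adding it with the following steps, the SharePoint 2010 server returned to normal.
Figure 2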
1. Start>Run gpmc.msc - edit
2. Select Forest>Domains>Domain Name> Domain Controller
3. Right click on "Default Domain Policy" and choose edit
4. Next Edit
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment
5. Add user or group to "Log on as Batch Job"
Check group membership of service account (in Active Directory) if a particular group is being used for this purpose.
6. From the command prompt run "gpupdate /force"
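
The check done above in secpol.msc can also be scripted. The following is an added example, not part of the original post: it exports the user-rights section of the local policy with secedit, lists who holds SeBatchLogonRight ("Log on as a batch job") and checks one account. The account name `CONTOSO\svc_sharepoint` is a placeholder and must be replaced with the application pool identity.

```powershell
# Added example: list who holds "Log on as a batch job" (SeBatchLogonRight)
# on this machine and check one account. Run from an elevated prompt.
param(
    # Placeholder (assumption): replace with the application pool identity.
    [string]$Account = 'CONTOSO\svc_sharepoint'
)

function Get-BatchLogonHolders {
    $cfg = Join-Path $env:TEMP ('user_rights_{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the user-rights section of the effective local policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^\s*SeBatchLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }
        foreach ($raw in ($line -split '=', 2)[1].Split(',')) {
            $entry = $raw.Trim()
            if (-not $entry.StartsWith('*')) { $entry; continue }   # already a name
            # Entries prefixed with * are SIDs; resolve them to DOMAIN\name.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable, for example a deleted account
        }
    }
    finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

$holders = @(Get-BatchLogonHolders)
"Holders of SeBatchLogonRight:"
$holders | ForEach-Object { "  $_" }

# Compare on the full name and on the part after the backslash,
# because the export may list local names without a domain prefix.
$leaf  = ($Account -split '\\')[-1]
$match = $holders | Where-Object { $_ -eq $Account -or ($_ -split '\\')[-1] -eq $leaf }
if ($match) {
    "$Account is granted the right directly."
} else {
    "$Account is not listed directly; check whether it is a member of one of the groups above."
}
```

Running it before and after `gpupdate /force` shows whether the Group Policy change from the steps above has reached the server.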