The Network Policy Server Service (IAS) Fails to Start or be Installed

[Today's post comes to us courtesy of Damian Leibaschoff and Wayne McIntyre]

We have seen some cases where the Network Policy Server service fails to start. When this happens, functionality provided by TS Gateway (used in RWW) or Routing and Remote Access (RRAS) also stops working. Furthermore, we've seen that, as part of troubleshooting, partners uninstall the entire role, and the subsequent re-install fails.

How do you identify that you are experiencing this issue?

When starting the NPS service it fails with:

[Screenshot: the error dialog shown when the service fails to start]

The following event is logged:

Log Name: System
Source: Service Control Manager
Date: 1/30/2009 11:36:35 AM
Event ID: 7023
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
The Network Policy Server service terminated with the following error:
Unspecified error

If you try to start RRAS you get:

Log Name:      System
Source:        Service Control Manager
Date:          2/16/2009 1:34:37 PM
Event ID:      7024
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:  
Description:
The Routing and Remote Access service terminated with service-specific error 16389 (0x4005).

If you try to re-install the Role service you get:

Network Policy and Access Services
Network Policy Server
Network Policy and Access Services: Installation failed
<Error>: Attempt to install Network Policy Server failed with error code
0x80070643. Fatal error during installation
The following role services were not installed:
Network Policy Server

In the servicing logs you see:

ServerManager.log

5316: 2009-01-29 12:06:25.902 [CBS] ...current state of 'IAS NT Service': p: Staged, a: Staged, s: UninstallRequested
5316: 2009-01-29 12:06:25.902 [CBS] ...setting state of 'IAS NT Service' to 'InstallRequested'
5316: 2009-01-29 12:06:25.919 [CBS] ...'IAS NT Service' : applicability: Applicable
5316: 2009-01-29 12:07:05.658 [CbsUIHandler] Initiate:
5316: 2009-01-29 12:07:08.975 [InstallationProgressPage] Installing...
5316: 2009-01-29 12:08:54.092 [CbsUIHandler] Error: -2147023293 :
5316: 2009-01-29 12:08:54.093 [CbsUIHandler] Terminate:
5316: 2009-01-29 12:08:54.093 [CBS] Error (Id=0) Function: 'NativeMethods.GetPackageStatus(out status)' failed: 80070643 (-2147023293)
5316: 2009-01-29 12:08:54.094 [CBS] ...done installing 'IAS NT Service '. Status: -2147023293 (80070643)
5316: 2009-01-29 12:08:54.094 [InstallationProgressPage] Verifying installation...
5316: 2009-01-29 12:08:54.194 [Provider] Skipped configuration of 'NetworkPolicyServer' because install operation failed.

cbs.log

2009-01-29 12:07:27, Error CSI 00000001 (F) Logged @2009/1/29:12:07:26.752 : [ml:96{48},l:94{47}]"Attempting to start service {IAS} synchronously"
[gle=0x80004005]
2009-01-29 12:07:27, Error CSI 00000002 (F) Logged @2009/1/29:12:07:27.753 : [ml:260{130},l:258{129}]"Service did not run. Current state (3) Exit code (-2147467259) Service specific exit code (0) Check point (1) Wait hint (300000) "
[gle=0x80004005]
2009-01-29 12:07:27, Error CSI 00000003@2009/1/29:12:07:27.864 (F) CMIADAPTER: Inner Error Message from AI HRESULT = E_FAIL
[
[19]"Unspecified error"
]
[gle=0x80004005]

The problem can happen when the NPS service tries to register its VSS writer and finds that it does not have enough rights to do so.

To resolve this:

  1. Check the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
    Verify that the setting for NT AUTHORITY\NETWORK SERVICE is set to 1. If this is set to 0 change it to 1.

  2. Open Task Manager, select Show Processes for all users, and kill any instances of IASHOST.EXE that might be running.

  3. Start the NPS Service. (If it is not installed, re-install it at this point)
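
The three steps above as a PowerShell function, preceded by a check for the 7023/7024 events shown earlier. This is an added example, not code from the original post; it assumes an elevated PowerShell 2.0 or later session on the affected server, and the function name Repair-NpsVssAccess is made up for illustration (the IAS service name and the iashost process name come from the logs and steps above).

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Preview first with:  Repair-NpsVssAccess -WhatIf
function Repair-NpsVssAccess {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl'
    $account = 'NT AUTHORITY\NETWORK SERVICE'

    # Symptom check: recent Service Control Manager events 7023 (NPS) and 7024 (RRAS).
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7023, 7024
        } -MaxEvents 20 -ErrorAction SilentlyContinue)

    # Step 1: the value is named after the account; change it only if it exists and is not 1.
    $entry  = (Get-ItemProperty -Path $key -ErrorAction Stop).PSObject.Properties[$account]
    $before = if ($entry) { $entry.Value } else { $null }
    if ($null -eq $entry) {
        Write-Warning "No '$account' value under $key; nothing changed."
    } elseif ($before -ne 1) {
        Set-ItemProperty -Path $key -Name $account -Value 1   # honours -WhatIf
    }

    # Step 2: stop leftover IASHOST.EXE instances.
    Get-Process -Name iashost -ErrorAction SilentlyContinue | Stop-Process -Force

    # Step 3: start NPS if the role service is installed.
    $svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
    if ($svc) {
        Start-Service -Name IAS
        $svc.Refresh()
    } else {
        Write-Warning 'IAS service not found; re-install the Network Policy Server role service now.'
    }

    # Summary of what was found and the resulting service state.
    New-Object PSObject -Property @{
        ScmErrorEvents = $events.Count
        ValueBefore    = $before
        ServiceStatus  = if ($svc) { $svc.Status } else { 'NotInstalled' }
    }
}
```

A ValueBefore of 1 in the output means the registry setting was already correct and the failure has another cause, as several commenters below report.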

We are investigating why the value would be 0 instead of 1. At this time we have identified that uninstalling WSS 3.0 will cause the value to change to 0; there are other interactions that could lead to this value getting changed. We will update this post once we have more information.

Comments
  • I am experiencing this exact problem - BUT the registry key discussed was set correctly...

    also discussed here:

    http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/a987cf99-7f7c-4bbc-b8fd-e262a61db1f9/

  • That was sweet, that solved my problem.  

    Must have something to do with WSS, because that is something we did.  We uninstalled WSS and reinstalled.

  • Worked like a charm! Thanks :)

    It was to do with the WSS uninstall.

  • Same problem here, but WSS is not installed, "NT AUTHORITY\NETWORK SERVICE" was already at "1", and iashost.exe is not running.

  • I can confirm that removing WSS 3.0 from the SBS 2008 server causes the specified registry value to go to 0 from 1.

    Also this is weird and needs to be fixed. On a clean installed SBS 2008 server, RDP starts working right after you see the "press ctrl + alt + del" screen. BUT after you remove wss 3.0 from the server, you CANNOT RDP into the server till about 6-7 minutes after you see the "press ctrl + alt + del" screen..

    I know this has to do with more changes WSS 3.0 does because the problem occurs immediately after WSS was removed.

    SBS team, please look into this problem and if you find a solution please post it here for all of us..

    Thanks!!

    Vinod Madabushi

  • I had the same problem but my registry key was already set to 1.  Disabling the WWW Publishing Service enabled me to install it.

  • Thanks A LOT!!!!