IIS Error: DCOM - HTTP500

WARNING:  I came across this issue with one of my IIS Web Servers but I didn't provide the solution.  Here is some notes from the person who did.

Error

Solution

Comments in synciwam.vbs

'''''''''''''''''''''''''''''''''''''''''''''
'
' IWAM account synchronization utility
'
'''''''''''''''''''''''''''''''''''''''''''''

' Description:
' ------------
' This admin script allows you to update the launching identity of
' all IIS COM+ application packages that run out of process.
'
' There are certain operations that may cause the IWAM account, which
' is the identity under which out of process IIS applications run, to
' become out of sync between the COM+ data store and IIS or the SAM.
' On IIS startup the account information stored in the IIS Metabase
' is synchronized with the local SAM, but the COM+ applications will
' not automatically be updated. The result of this is that requests
' to out of process applications will fail.
'
' When this happens, the following events are written to the system
' event log:
'
' Event ID: 10004 Source: DCOM
' DCOM got error "Logon failure: unknown user name or bad password. "
' and was unable to logon .\IWAM_MYSERVER in order to run the server:
' {1FD7A201-0823-479C-9A4B-2C6128585168}
'
' Event ID: 36 Source: W3SVC
' The server failed to load application '/LM/W3SVC/1/Root/op'.
' The error was 'The server process could not be started because
' the configured identity is incorrect. Check the username and password.
'
' Running this utility will update the COM+ applications with the
' correct identity.
'
 

Other Info

This morning when I was notified of the HTTP 500 error on ws005, I found DCOM error on the event log, further, researching that DCOM error, I found many articles suggesting to resync the IWAM User Account for a possible resolution.

"The IWAM_machine account may be out-of-sync. The IWAM_machine identity must be in synch in the metabase, the Security Account Manager (SAM), and COM+. Account information stored in the Internet Information Server (IIS) metabase is synchronized with the local SAM, but COM+ applications are not automatically updated. "

So, when I resynced, the login page started working, I do not know how IWAM becomes out of sync, but it was mentioned in one of the Microsoft Article that it is by design on IIS 5.0.

Here are some additional information on the IWAM user account,

This account is used by IIS to run out-of-process applications.

The Launch IIS Process account is automatically created by IIS. The account is a local account if IIS is installed on member servers and a domain account if IIS is installed on a domain controller. It is also stored in the IIS metabase.

The password for the IWAM account is randomly recreated on a weekly basis and synchronized where needed. The IIS service will reset the IWAM password in the metabase on startup to match the IWAM password in the local SAM or Active Directory (for domain accounts). If this password has been changed in the SAM or Active Directory, and has not been changed in the DCOM component configuration, then the application will fail to start. The SyncIWAM.vbs script can reset the identity and password for these applications and allow them to start.
 

Links

http://support.microsoft.com/kb/255770

http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2003-04/0650.html

http://www.eventid.net/display.asp?eventid=10001&eventno=769&source=DCOM&phase=1

http://www.eventid.net/display.asp?eventid=10004&eventno=11&source=DCOM&phase=1

http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fwc062602%2FWCT062602.asp