An Event 2266 message may be logged in the Application log when you try to start an application pool in IIS 6.0

When you try to start an application pool in Microsoft Internet Information Services 6.0 (IIS), a message may be logged in the Application log in Event Viewer that is similar to the following:

Event Type: Warning
Event Source: W3SVC-WP
Event Category: None
Event ID: 2266
Description:
The account that the current worker process is running under does not have SeTcbPrivilege privilege, the anonymous password sync feature and the Digest authentication feature are disabled.

This issue may occur if the security account for the application pool does not have the required security permissions or the required user rights:

• If Microsoft Outlook Web Access is installed on the computer, the ExchangeApplicationPool application pool security account does not have the required security permissions.
• If Microsoft Outlook Web Access is not installed on the computer, the application pool security account does not have the required user rights.

This issue may also occur if the AnonymousPasswordSync property and the UseDigestSSP property are not configured correctly in the IIS metabase.

To resolve this issue, use the appropriate method for the computer.

Method 1: Configure the ExchangeApplicationPool application pool to use the Local System security account

If Microsoft Outlook Web Access is installed on the computer, configure the ExchangeApplicationPool application pool to use the Local System security account. To do this, follow these steps.

Important These steps may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to, or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you choose to implement this process, take any appropriate additional steps to help protect your system. We recommend that you use this process only if you really require this process.

1. Start Microsoft Internet Information Services.
2. Expand the computer name that you want, and then expand Application Pools.
3. Right-click ExchangeApplicationPool, and then click Properties.
4. On the Identity tab, click Predefined.
5. In the Predefined box, click Local System.
6. Click Apply, and then click OK.

Method 2: Grant the required user rights to the application pool security account

If Microsoft Outlook Web Access is not installed on the computer and the Configurable option is selected on the Identity tab in IIS, grant the application pool security account the "Act as part of the operating system" user right. To do this, use the one of the following methods.

Method 2a: Use the Domain Controller Security Policy tool

If the computer is a domain controller, follow these steps:

1. Start the Domain Controller Security Policy tool.
   
   For more information about how to start the Domain Controller Security Policy tool, click the following article number to view the article in the Microsoft Knowledge Base:
   832214� "You may not have appropriate rights" error message when you try to open the Domain Security Policy console or the Domain Controller Security Policy console from the command prompt
2. In the left pane, expand Local Policies, and then click User Rights Assignment.
3. In the right pane, double-click Act as part of the operating system.
4. Click Add User or Group.
5. Type the user name or the group name that is the security account for the application pool that you want, and then click OK.
   
   Note If you click Browse to add an account, you may have to click Object Types or Location to add the account that you want.
6. Click OK two times.
7. Quit the Domain Controller Security Policy tool.

Method 2b: Use the Group Policy Object Editor

If the computer is a member of a domain, follow these steps:

1. Click Start, click Run, type Gpedit.msc, and then click OK.
2. Under Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Local Policies.
3. In the left pane, click User Rights Assignment.
4. In the right pane, double-click Act as part of the operating system.
5. Click Add User or Group.
6. Type the user name or the group name that is the security account for the application pool that you want, and then click OK.
   
   Note If you click Browse to add an account, you may have to click Object Types or Location to add the account that you want.
7. Click OK two times.
8. Quit the Group Policy Object Editor.

Method 2c: Use Local Security Settings

If the computer is not a member of a domain, follow these steps:

1. Click Start, click Run, type Secpol.msc, and then click OK.
2. Under Security Settings, expand Local Policies.
3. Click User Rights Assignment.
4. Double-click Act as part of the operating system.
5. Click Add User or Group.
6. Type the user name or the group name that is the security account for the application pool that you want, and then click OK.
   
   Note If you click Browse to add an account, you may have to click Object Types or Location to add the account that you want.
7. Click OK two times.
8. Quit Local Security Settings.

Warning If you edit the metabase incorrectly, you can cause serious problems that may require you to reinstall any product that uses the metabase. Microsoft cannot guarantee that problems that result if you incorrectly edit the metabase can be solved. Edit the metabase at your own risk.

Note Always back up the metabase before you edit it.

You may be able to work around this issue by modifying the AnonymousPasswordSync property and the UseDigestSSP property in the IIS metabase. To do this, follow these steps.

Note If you modify the AnonymousPasswordSync property and the UseDigestSSP property, you may change the functionality of IIS.

1. To directly modify the metabase, open IIS Manager, right-click the ServerName node, and then click Properties.
2. Click to select the Enable Direct Metabase Edit check box, and then click OK.
3. Close IIS Manager.
4. Click Start, click Run, type %windir%\System32\Inetsrv, and then click OK.
5. Right-click Metabase.xml, and then click Edit.
6. In the metabase, use one of the following procedures:
   • Locate and then modify each instance of the AnonymousPasswordSync property to have a value of False.
   • Delete each instance of the AnonymousPasswordSync property.
7. In the metabase, use one of the following procedures:
   • Locate and modify each instance of the UseDigestSSP property to have a value of True.
   • Delete each instance of the UseDigestSSP property.
8. On the File menu, click Save.
9. Quit Notepad.

By default, the Network Service security account is configured as the security account for an application pool. The Network Service security account and other members of the IIS_WPG security group, such as the IWAM _ComputerName account, do not have the "Act as part of the operating system" user right.