Personalization Failing / unable to access the Personalization Operations or EM consoles after configuring the server for load balancing

Version 3

    Verified Product Versions

    Environment Manager 10.0, Environment Manager 8.6, Environment Manager 8.5, Environment Manager 10.1, Environment Manager 2018.1

    Introduction

     

    You may see the following symptoms if you have just configured your Personalization servers for load balancing, with Windows authentication:

     

    • The Personalization Operations console is inaccessible, with a 500.19 error:

    HTTP Error 500.0 - Internal Server Error

    The page cannot be displayed because an internal server error has occurred.

         [Screenshot: PersOps Error.jpg]

    • It is not possible to connect to the Personalization server via the EM console, as it will display a "Contacting Personalization Server" error for an extended period of time:

         [Screenshot: EM Console Error.jpg]

    • Personalization fails for users - if you review a set of EM client logs (instructions on how to collect them are here) you may see lines similar to the following:

     

    L3  T14532 10:33:29.883 [w32httplib::WinHttpClient::Navigate] ReceiveResponse HTTP status code: [401]

    L1  T14532 10:33:29.899 [w32httplib::WinHttpClient::HandleAuthentication] WinHttpQueryAuthSchemes failed. Error [4317]

    L1  T14532 10:33:29.901 [ProfileManager::AddCommsLogEntry] CommsLog: [Failed to get serverlist from http://servername:7771/PersonalizationServer,http://servername.local:7771/PersonalizationServer, error 4317]

     

    Detail

     

    This issue is seen when the IIS_IUSRS group is missing from the following group policy:

    Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Impersonate a client after authentication

     

    The IIS_IUSRS group is added to the security token for each worker process (w3wp.exe) used to run the website, which allows additional permissions relevant to IIS to be added without explicitly adding them to the app pool identity (in this case the load balancing service account you have configured).

     

    If you are seeing this issue, you will need to ensure that IIS_IUSRS is added to this policy, and then restart IIS.
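
One way to confirm the cause described above before changing policy, as an added PowerShell example that is not part of the original article or the vendor's tooling. It assumes an elevated prompt on the Personalization server, the well-known SID S-1-5-32-568 for BUILTIN\IIS_IUSRS, and a scratch file name chosen for illustration.

```powershell
# Added example (not vendor code): read-only check that IIS_IUSRS holds
# "Impersonate a client after authentication" (SeImpersonatePrivilege).
# Run from an elevated PowerShell prompt on each load-balanced Personalization server.

$iisIusrsSid = 'S-1-5-32-568'                           # well-known SID of BUILTIN\IIS_IUSRS
$exportPath  = Join-Path $env:TEMP 'em-user-rights.inf' # scratch file name is an assumption

# Export only the User Rights Assignment area of the machine's security policy.
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "secedit export failed (exit code $LASTEXITCODE); is the prompt elevated?"
}

try {
    $line = Get-Content -Path $exportPath |
        Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
        Select-Object -First 1
}
finally {
    Remove-Item -Path $exportPath -ErrorAction SilentlyContinue
}

# Right-hand side is a comma-separated list; SIDs carry a leading '*', names do not.
$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ })
}

# Accept either the SID form or a resolved name such as BUILTIN\IIS_IUSRS.
$granted = ($holders -contains $iisIusrsSid) -or
           [bool]($holders | Where-Object { $_ -match '(^|\\)IIS_IUSRS$' })

if ($granted) {
    Write-Output 'OK: IIS_IUSRS holds SeImpersonatePrivilege.'
}
else {
    Write-Warning 'IIS_IUSRS is missing from "Impersonate a client after authentication".'
    Write-Output  ('Current holders: ' + ($holders -join ', '))
    Write-Output  'Add IIS_IUSRS in the policy that sets this right, refresh policy, then restart IIS (iisreset).'
}
```

The script only reads the policy; if the right is set by a domain group policy, make the change there so that it is not overwritten at the next policy refresh.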