1

I am currently working on a project for which the Apache web server is preferred, but Windows is mandatory. I have not used WAMP for some years, but I believe these days that it works well and is stable. We have four web servers, each in two load-balanced pairs. Apache is being run as a Windows Service.

A colleague has found some information that says it is safer to run Apache under a custom account rather than the "Local System Account". So, a local account has been created on each box and the credentials entered into the "Log On" tab in the Service Properties dialogue box.

From time to time when the Apache configuration changes, I need to restart each service. To do that I select the Apache2.4 entry in the Services window and click on the restart button. However, for all boxes, it is touch-and-go as to whether it will be successful. When it fails, I get a Windows error that says:

Windows could not start the Apache2.4 service on Local Computer.

Error 1069: The service did not start due to a logon failure.

So, I dutifully add the service password in again, whenever this happens, and then it always starts up. One guess I have is that the dialogue is forgetting the password it has been given. It does not ever forget the username.

I have examined the permissions given to this local user in Local Security Policy -> Local Policies -> User Rights Assignment -> Log on as a service Properties, and found that the user is in there normally, but if it becomes missing, then an Apache restart will fail.

When researching this, I found this identical scenario (although the service in that case is PostgreSQL). However, the accepted answer of using the Local System Account is not an answer to the question posed, in my view. The question ought to be: why does the user lose the right to log on as a service?

halfer

3 Answers

2

It is not required to restart Apache HTTP Server in order to reload the configuration; you can just run

C:\Apache24\bin\httpd.exe -k restart

This way, only child Apache HTTP Server processes will be restarted and your server won't miss a request.

  • Hmm, interesting - for clarification, are you saying that issuing the restart from the console would not cause the Logon Failure that the restart sometimes does from the Services GUI? That would be an acceptable work-around, if so. – halfer Jul 11 '18 at 12:54
  • The `httpd.exe -k restart` command does not restart the Windows service and the main httpd.exe process. Instead, it restarts all child processes, which has them reload the configuration. Since your logon failure issue occurs when the Windows service is starting, this workaround should help you reload the configuration without restarting the service. – David Le Borgne Jul 11 '18 at 15:57
  • Marvellous, thanks. That sounds better than using the GUI anyway, since as you say, using the GUI could cause Apache to drop requests during the restart. – halfer Jul 11 '18 at 16:25
1

If those Windows servers are members of a domain then it's possible that some group policy is overwriting this "Log on as a service" local policy.

bcs78
  • I expect that at least some of them would be (though I should say I am a Linux person, so I am feeling my way around in the dark a bit!). At least two of the servers are part of an AD group (inside the internal firewall), not sure about the internet-facing ones. – halfer Jul 11 '18 at 12:32
  • What sort of group policy might override the local policy, and is there a way I can check this? – halfer Jul 11 '18 at 12:33
  • If you don't have admin access to the Domain controller then you have to contact the admin to check it out. Let's hope he's more a Windows person than you are. :) You can configure group policy objects on the AD DC using the Group Policy Management MMC. I believe there is a setting in Computer configuration / Policies / Windows settings / Security settings / Local policies / User rights assignment. – bcs78 Jul 11 '18 at 12:59
  • Indeed, _he_ may turn out to be a she! But, fair enough - that will give me something to ask about - I probably do not have admin access to that. Thank you. – halfer Jul 11 '18 at 13:04
  • We're not entirely sure, but I think you might be right. I've added an answer to say how we're fixing this at present. – halfer Jul 16 '18 at 09:27
0

Having discussed this with a colleague, we are pretty sure that Group Policy is modifying things, as bcs78 says. We're also informed we have no chance of getting the Policy changed.

We have:

  1. Two internet-facing web servers not in any AD group
  2. Two web servers on the LAN in a site-wide AD group
  3. A test dev server on the LAN in the same AD group as (2)

I've lost track of exactly which servers the issue has happened on, but it is quite possible it is just the AD servers (2) and (3). Since these are LAN servers and behind a firewall, we've taken the decision to switch these back to run Apache as "Local system account".

We are hoping that the front-facing web servers in (1) won't be affected by this Policy, so we can keep the configuration we prefer there.

halfer
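A way to confirm the diagnosis discussed in the answers above, as an added example that is not part of any post on this page: the script checks whether the service's logon account still holds "Log on as a service" (`SeServiceLogonRight`) in the effective local policy, and if not, writes a Resultant Set of Policy report showing which GPO sets that right. The function name is hypothetical, `Apache2.4` is the service name from the question, and only direct assignment is checked (a right granted through group membership is not resolved). Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original thread.
param([string]$ServiceName = 'Apache2.4')   # service name as given in the question

function Get-ServiceLogonRightStatus {      # hypothetical helper name
    param([Parameter(Mandatory)][string]$ServiceName)

    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }
    if ($svc.StartName -eq 'LocalSystem') {
        # Local System does not depend on the user right at all.
        return [pscustomobject]@{ Service = $ServiceName; Account = 'LocalSystem'
                                  Sid = $null; HasRight = $true }
    }

    # '.\name' denotes a local account; NTAccount needs COMPUTER\name to resolve it.
    $account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    $sid = [System.Security.Principal.NTAccount]::new($account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # Export the effective user-rights assignment from the local security database.
    $inf = Join-Path $env:TEMP "user-rights-$PID.inf"
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $inf |
                Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
                Select-Object -First 1
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }

    # Entries are comma separated: '*<SID>' or a plain account name.
    $entries = @()
    if ($line) { $entries = @((($line -split '=', 2)[1] -split ',').Trim()) }
    $short = ($account -split '\\')[-1]
    $has = ($entries -contains "*$sid") -or ($entries -contains $short) -or
           ($entries -contains $account)

    [pscustomobject]@{ Service = $ServiceName; Account = $account
                       Sid = $sid; HasRight = $has }
}

$status = Get-ServiceLogonRightStatus -ServiceName $ServiceName
$status
if (-not $status.HasRight) {
    # Computer-scope RSoP report; the "Log on as a service" row names the winning GPO.
    $report = Join-Path $env:TEMP 'gpresult-computer.html'
    gpresult /scope computer /h $report /f
    Write-Warning "Account lacks SeServiceLogonRight; check User Rights Assignment in $report"
}
```

Running it right after a Group Policy refresh and again after re-entering the password in the Services dialogue shows whether the right is being removed by policy and restored by the dialogue.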