Recently I was tasked to prepare some VMs for some SharePoint Developers and the configuration we decided upon was:
- Windows Server 2008 w/SP2 x64
- SharePoint Server 2007 w/SP2 x64
- SQL Server 2008 w/SP1 x64
After the installation/configuration of SharePoint 2007 the Central Administration site was launched and Internet Explorer displayed a blank page. This was very odd so one of the first things I did was add the database farm account to the local Administrators group and tried it again. The Central Administration site displayed correctly.
Since these VMs belonged to a corporate domain I suspected this might be a Group Policy problem so initially we changed the OU that the machines belonged to so it would inherit the policy settings they had for Web Servers, no dice on that one.
Just to make sure it was an environment problem I decided I had better replicate the installation with my own DC just to rule out anything else. The installation and configuration went perfectly (what I figured).
Next step I decided to download Sysinternals Process Monitor to help track down the source of the problem. I removed the database farm account from the administrators group, performed an iisreset and then tried the Central Administration site again….blank web page. So now it was time to get Process Monitor to watch what was happening in IIS.
I configured Process Monitor to display the w3wp.exe events and found this problem
It seemed that the identity used by the Application Pool for the Central Administration was not able to perform any impersonation unless it was a member of the local Administrators group. I checked the machines local policy on impersonation and found that it was missing a group.
The missing group was IIS_IUSRS which is used by IIS 7.0 and IIS 7.5 on Windows Server 2008.