This article outlines the troubleshooting procedures for connection issues with PolicyServer.
You should test the connectivity after completing each procedure to check if you need to continue with the next.
If you are connecting remotely, enter the NETBIOS name or IP address of the remote PolicyServer.
If you are connecting locally, enter localhost.
- Remote Desktop into the SQL Server.
- Click Start > Run > Services.msc.
- Scroll down to MSSQLServer (or MSSQL$Instance if running in an instance install) and ensure it is started.
- Click Start > Run > SvrNetCn.exe.
- Ensure that Named Pipes and TCP/IP are in the Enabled Protocol section of the General tab and that the instance selected is the same instance that the Mobile ArmorDB/Log are installed under.
- If any changes are made, restart the SQL Service.
- Open Windows Explorer and locate the directory you installed the PolicyServer Service. By default, this is C:\Program Files\Mobile Armor\PolicyServer.
- Double-click DiagnosticsMonitor.exe.
- In the Admin Tool under PolicyServer Process, click Start and Logging On.
- Click Log File: On and save the file to the desktop. Use a naming convention that is familiar to you.
- Click Start > Run > Services.msc.
- Scroll down to PolicyServer Windows Service and restart the service.
- Search the generated file for the text "database connected". If this text is not in the log file, send the log file to Trend Micro Technical Support.
Copy and paste the link http://localhost/mawebservice2/service.asmx into a web browser on the Application Server. If the picture code does not appear, or you receive a runtime error message, IIS is not running properly.
- Click Start > Control Panel.
- Click Add/Remove Windows Components.
- Click Application Server > Details.
- Ensure ASP.net is checked.
- Click Internet Information Services (IIS) and click Details.
- Find World Wide Web Service in the list and click Details.
- Ensure Active Server Pages is checked.
- Click OK three times then click Next. You may be required to insert a Windows Server CD at this time.
- Click Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
- Expand Web Sites > Default Web Site.
- Right-click MAWebService2 and choose Properties.
- Click Directory Security and click Edit on Authentication and Access Control.
- Ensure Enable Anonymous Access is checked.
- Ensure Integrated Windows authentication is checked.
- Click OK.
- Restart IIS.
- From the server where the Full Disk Encryption Web Service is installed, open a Command Prompt.
- Navigate to %windir%\Microsoft.NET\Framework\v1.1.4322.
- Execute the command aspnet_regiis.exe -i to re-register ASP.NET.
- Attempt to browse to http://localhost/mawebservice2/service.asmx.
Turn off custom errors in the Web.config file to allow additional error messages for troubleshooting.
- Browse to the C:\Inetpub\wwwroot\MAWebService2\Web.config file.
- Change the customErrors line to <customErrors mode="Off" />
- Attempt to log into the PolicyServer again.
- Review the error on the page for possible causes, or copy and paste the page's contents and send them to Trend Micro Technical Support.
- Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
- Expand Computer Name > Websites > Default Website.
- Right-click MAWebService2 and select Permissions.
- If Network Service is in the list, click the Full Control permission for this account. If the Network Service account is not in the list, click Add, type Network Service, click Check Names, click OK, and then grant the account the Full Control permission.
- Click OK.
- Click Start > Run > Services.msc.
- Stop the IIS Admin Service.
- Start the IIS Admin Service.
- Open IIS Manager.
- Start the Default Web Site.
- Attempt to browse to http://localhost/mawebservice2/service.asmx.
- Click Run, then type “services.msc” and press ENTER.
- Scroll down to PolicyServer Windows Service and stop the service. If not using Single Sign-On, skip to step 7.
- Double-click the service.
- Click the Log On tab.
- Ensure This Account radio button is marked.
- Ensure the user running the service has Domain Administrator rights on the domain.
- Retype the password to receive a confirmation that the user is allowed to run the service.
- Start the service.
- Reinstall the PolicyServer Windows Service.
- Group Policy denied guest logon on the server.
- The IUSR and IWAM accounts were members of the guest group.
- Remove the IUSR and IWAM accounts from that group, and move them into the Users group.
- Modify the GPO to allow the "Network Service" account to have read permission on the \Windows\Temp folder.
- Below is an example of a Group Policy which works:
Computer Configuration > Windows Setting > Security Setting > Local Policies > User Rights Assignment (the user whose rights are being modified is the same user whom you have set to run the PolicyServer Windows Service):
- Access this computer from the network
- Act as part of the operating system
- Log on Locally
- Bypass traverse checking
- Impersonate a client after authentication
- Lock pages in memory
- Log on as service
- Replace a process level token
- Take ownership of files or other objects

Computer Configuration > Windows Setting > Security Setting > Local Policies > Security Options:
- Network security: LAN Manager Authentication Level
  - Send LM & NTLM responses
- Network security: LDAP client signing requirement level
  - Negotiate signing

Windows Setting > Security Setting > System Services:
- ASP.NET State Service – Automatic
- Distributed Transaction Coordinator – Automatic
- Event Log – Automatic
- HTTP SSL – Automatic
- IIS Admin Service – Automatic
- SMTPSVC – Automatic
- World Wide Web Publishing Service – Automatic
- PolicyServer Windows Service – Automatic
- MSSQLServer – Automatic
- SQLServerAgent – Automatic

Windows Setting > Security Setting > File System:
- %SystemRoot%\Microsoft.NET\Framework\v1.1.4322 (Service account needs full control)
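
The service, web service and Web.config checks from the troubleshooting procedures above can be run as one read-only script after each procedure. This is an added example, not Trend Micro tooling; it assumes a default SQL instance (service name MSSQLSERVER), the IIS service names IISADMIN and W3SVC, and the default URL and Web.config path given on this page. The function names are hypothetical.

```powershell
# Added example: read-only checks for the troubleshooting procedures above.
# Assumptions: default SQL instance (service name MSSQLSERVER), IIS services
# IISADMIN and W3SVC, and the URL and Web.config path given on this page.
$Url       = 'http://localhost/mawebservice2/service.asmx'
$WebConfig = 'C:\Inetpub\wwwroot\MAWebService2\Web.config'

# Report whether a service exists and its current status.
function Get-ServiceState {
    param([string]$Name, [switch]$ByDisplayName)
    if ($ByDisplayName) {
        $svc = Get-Service -DisplayName $Name -ErrorAction SilentlyContinue
    } else {
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    }
    if ($svc) {
        $svc | ForEach-Object { '{0}: {1}' -f $_.DisplayName, $_.Status }
    } else {
        '{0}: NOT FOUND' -f $Name
    }
}

# Request the web service page, as the browser test in the procedure does.
function Test-WebService {
    param([string]$Address)
    $client = New-Object System.Net.WebClient
    $client.UseDefaultCredentials = $true   # Integrated Windows authentication is enabled on the site
    try {
        $body = $client.DownloadString($Address)
        'Web service: responded ({0} characters)' -f $body.Length
    } catch {
        'Web service: FAILED - {0}' -f $_.Exception.Message
    } finally {
        $client.Dispose()
    }
}

# Report the customErrors mode currently set in Web.config.
function Get-CustomErrorsMode {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return "Web.config not found: $Path" }
    $xml  = [xml](Get-Content $Path)
    $node = $xml.configuration.'system.web'.customErrors
    if ($node) { 'customErrors mode: {0}' -f $node.mode } else { 'customErrors: not set (ASP.NET default is RemoteOnly)' }
}

Get-ServiceState -Name 'MSSQLSERVER'
Get-ServiceState -Name 'IISADMIN'
Get-ServiceState -Name 'W3SVC'
Get-ServiceState -Name 'PolicyServer Windows Service' -ByDisplayName
Test-WebService -Address $Url
Get-CustomErrorsMode -Path $WebConfig
```

A customErrors mode of Off means ASP.NET returns detailed error pages to remote clients as well as local ones, so the last line shows whether the troubleshooting setting is still in place.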