Sharepoint 2012 Account Expired: Non-Administrators Cannot Log Into Sharepoint Farm

I had users who were (seemingly) randomly losing access to a SharePoint farm, while the administrators could still connect.

Some digging in the Application Event Logs for Sharepoint revealed:

The credentials used for the account DOMAIN\sharepoint_app_pool_account expired on 2/5/2013 3:10:33 PM, and need to be updated. If they are not updated, the system may stop working. The account is used by the following:
Microsoft SharePoint Foundation Application Pool: SharePoint – 443

To mitigate this issue, please visit the managed account administration page to schedule automatic password updates:
https://spmanage.foo.com/_admin/EditAccount.aspx

and this in the Application Logs:

The Execute method of job definition Microsoft.SharePoint.Administration.SPConfigurationRefreshJobDefinition (ID 088d8b9c-d9f4-4368-8ece-2f9b62b39c18) threw an exception. More information is included below.

SHUTDOWN is in progress.
Login failed for user ‘DOMAIN\FARMADMINSERVICEACCOUNT’. Only administrators may connect at this time.

Fix

To fix the immediate problem, I logged into Central Administration and went to Security > Configure Managed Accounts.

I simply rotated the passwords in AD and then set the same passwords on the managed accounts with Use Existing Password.
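The same "Use Existing Password" step can be done from the SharePoint Management Shell instead of Central Administration. This is an added example, not code from the original post; it assumes you run it as a farm administrator on a farm server, that the password has already been reset in AD, and that DOMAIN\sharepoint_app_pool_account is the account named in the event log message.

```powershell
# Added example (not from the original post): push a password that was already
# reset in AD into the SharePoint managed account ("Use Existing Password").
# Assumptions: SharePoint Management Shell, farm administrator rights,
# DOMAIN\sharepoint_app_pool_account is the account from the event log.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$accountName = 'DOMAIN\sharepoint_app_pool_account'

# Prompt for the password rather than embedding it in the script; it stays a SecureString.
$existing = Read-Host -Prompt "Password already set in AD for $accountName" -AsSecureString

# Tell the farm the credential it should now use for this account. SharePoint
# then updates the IIS application pools / services that run under it.
Set-SPManagedAccount -Identity $accountName `
    -UseExistingPassword `
    -ExistingPassword $existing `
    -Confirm:$false

# Verify: the expiry date should now be in the future and no change should be pending.
Get-SPManagedAccount -Identity $accountName |
    Select-Object Username, PasswordExpiration, AutomaticChange
```

If the farm account itself (the one the timer service runs as, DOMAIN\FARMADMINSERVICEACCOUNT in the log above) is the one that expired, fix that one first: the "Only administrators may connect at this time" failure means the timer job that would propagate the other accounts cannot reach the configuration database.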

Setting Up Automatic Rotating Passwords

Now, the larger issue is that the previous administrator had set up “standard”, non-2012-style service accounts, with “User Cannot Change Password” and “Password Never Expires” both set.

But in SharePoint 2010/2012 it’s better to let the farm rotate the passwords for you, both to avoid this kind of mess and to be safer.

When I tried to change the password through SharePoint managed accounts I got an error similar to:

Error: Access Denied

I figured at first this was because the account did not have proper AD access to change account passwords (as these weren’t local accounts). As in this and this. So, I granted the service accounts — namely the one running the SharePoint Timer service — Account Operators.

Still no go.

Turns out this was because User Cannot Change Password was set on the account. After clearing that, it got further.

But now it throws an error:

The password does not meet the password policy requirements.

Ah, old cryptic AD message, we meet again. Believe it or not, this is okay. What is happening here is that SharePoint cannot change the password because you reset it administratively within the last 24 hours, and AD will not allow another change until that interval has passed. But now we can set up automatic password rotation.
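The whole rotation setup, as an added PowerShell example rather than the post's own steps: it checks the two AD flags that caused the Access Denied error, works out when the domain's minimum password age will next allow a change (the cause of the "does not meet the password policy requirements" message after a manual reset), and then enables SharePoint's automatic password change. It assumes the ActiveDirectory module (RSAT) and the SharePoint snap-in are available, that DOMAIN\sharepoint_app_pool_account is the managed account, and that the schedule string is just an example you would adjust.

```powershell
# Added example (not from the original post): prepare a service account for
# SharePoint-managed password rotation and turn rotation on.
# Assumptions: ActiveDirectory module and SharePoint snap-in present; the
# sAMAccountName and the schedule below are placeholders to adjust.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$samAccountName = 'sharepoint_app_pool_account'
$accountName    = "DOMAIN\$samAccountName"

# 1. Both AD flags must be off: "User Cannot Change Password" is what produced
#    Access Denied, and "Password Never Expires" is what rotation replaces.
$user = Get-ADUser -Identity $samAccountName `
    -Properties CannotChangePassword, PasswordNeverExpires, PasswordLastSet
if ($user.CannotChangePassword -or $user.PasswordNeverExpires) {
    Set-ADUser -Identity $samAccountName `
        -CannotChangePassword $false `
        -PasswordNeverExpires $false
}

# 2. The "does not meet the password policy requirements" error right after a
#    manual reset is the domain's minimum password age (default 1 day).
#    Compute when AD will accept the next change instead of retrying blindly.
$minAge = (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge
if ($user.PasswordLastSet) {
    $earliest = $user.PasswordLastSet + $minAge
    if ((Get-Date) -lt $earliest) {
        Write-Warning "AD will refuse a password change for $accountName until $earliest"
    }
}

# 3. Let SharePoint generate and rotate the password on its own schedule, with
#    an e-mail warning before each change. Schedule syntax is SharePoint's own.
Set-SPManagedAccount -Identity $accountName `
    -AutoGeneratePassword `
    -Schedule 'monthly between 1 02:00:00 and 1 04:00:00' `
    -PreExpireDays 7 `
    -EmailNotification 5 `
    -Confirm:$false

# 4. Verify what the farm now believes about the account.
Get-SPManagedAccount -Identity $accountName |
    Select-Object Username, AutomaticChange, ChangeSchedule, PasswordExpiration
```

Once AutomaticChange is true, the timer service performs the change, so that account needs the rights to reset the managed accounts' passwords in AD; the delegation should be scoped to the service-account OU rather than a broad group, and the e-mail notification gives you a window to check the farm before the password actually rolls.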
