I’ve been working with a client recently that had a problem with the Web Front End servers randomly rebooting. The servers were Windows Server 2008 running virtually on VMWare ESX. Interestingly the problem didn’t occur on any of the other Win 2008 servers that also ran on VMWare.
Firstly we discovered that the machines weren’t just rebooting they were in fact blue screening and then rebooting after they did a dump.
So we fired up WinDbg and had a look at some of the dumps.
We found that the offending method was:
FAILURE_BUCKET_ID: X64_0x7E_BAD_IP_HTTP!UlAuthenticate+73
The loaded module was HTTP.sys
This seemed to fit, the environment that was crashing was the only one to have Kerberos enabled, so we suspected some interaction between Kerberos and VMWare to be the cause (hence these were the only servers crashing). But since Windows 2008 runs HTTP.sys which is a kernel mode driver, we knew that as part of the Kerberos setup we had to explicitly allow the kernel to authenticate as the app pool user (via the application host file). We also knew that we could use IIS manager to move this authentication out to user mode, if you open IIS manager, expand the web site, select Authentication from the right and select the advanced properties on the Windows Authentication item. This will present you with the following option to ‘Enable Kernel-mode authentication’:
After we deselected this option our servers have been running solidly.