SP2010 - Central Admin - "An Unexpected Error Has Occurred" (handle is invalid)

Problem Summary:

SharePoint Administrators lost the ability to browse to Central Admin on a SharePoint 2010 server. The symptoms were:


1) In the browser:  An Unexpected Error Occurred

2) In the ULS Log:   w3wp.exe  0x15EC  SharePoint Foundation  Runtime  Unexpected       System.Runtime.InteropServices.COMException: The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE))             2fce79ff-3aed-440c-b4f7-78fa5d7a10d5

3) Process Monitor:   “BAD IMPERSONATION”

Root Cause

A Group Policy applied to the OU that contains the WFE removed the IIS_IUSRS group from the “Impersonate a client after authentication” user right assignment in the server's local security policy. The IIS_IUSRS group needs this right because it is how the SharePoint/IIS Application Pool impersonates the SharePoint Administrator who is trying to reach Central Admin.

Recommended Solution:

The local group IIS_IUSRS needs to be listed in the “Impersonate a client after authentication” right. Please work with your Active Directory Administrator and/or Security teams to determine what needs to change in Group Policy to make sure the Central Admin servers (or even all WFEs) have this.
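One way to confirm the root cause, and later the fix, is to export the effective user rights with `secedit` and check whether IIS_IUSRS is listed for `SeImpersonatePrivilege`, the constant behind “Impersonate a client after authentication”. This is an added example, not part of the original post; the function names, the temp file name and the two sample exports are constructed for illustration, and the live check assumes an elevated PowerShell prompt on the affected server.

```powershell
# Well-known SID of the built-in IIS_IUSRS group (identical on every server).
$IisIusrsSid = 'S-1-5-32-568'

function Get-UserRightHolders {
    # Parse the text of a "secedit /export" file and return the accounts
    # listed for one user right. An absent line means nobody holds the right.
    param([string[]]$InfLines, [string]$Right = 'SeImpersonatePrivilege')
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } |
            Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |   # SIDs are written as *S-1-...
        Where-Object { $_ }
}

function Test-IisImpersonateRight {
    # True when IIS_IUSRS appears by SID or by name in the impersonate right.
    param([string[]]$InfLines)
    $holders = Get-UserRightHolders -InfLines $InfLines
    [bool]($holders | Where-Object {
        $_ -eq $IisIusrsSid -or $_ -match '(^|\\)IIS_IUSRS$' })
}

# Constructed sample exports: a default-style server and one where a GPO
# has removed IIS_IUSRS from the right.
$healthy = @('[Privilege Rights]',
    'SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-568,*S-1-5-6')
$broken  = @('[Privilege Rights]',
    'SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6')

"healthy sample: $(Test-IisImpersonateRight $healthy)"
"broken sample:  $(Test-IisImpersonateRight $broken)"

# Live check on the server itself (requires elevation).
if ($env:OS -eq 'Windows_NT') {
    $cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # hypothetical file name
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (Test-Path $cfg) {
        "this server:    $(Test-IisImpersonateRight (Get-Content $cfg))"
        Remove-Item $cfg
    }
}
```

If the live check reports False again after the next Group Policy refresh, the GPO is still overwriting the local assignment and must be corrected at the policy level.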

Applies to:

SharePoint 2010 and IIS 7.0



KB 981949 shows that the IIS_IUSRS group is supposed to (by default) have the Impersonate right.  
http://support.microsoft.com/kb/981949 - Description of default permissions and user rights for IIS 7.0 in Windows Server 2008

http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis/  - Understanding Built-In User and Group Accounts in IIS 7
Understanding the New IIS_IUSRS Group