The Network Policy Server Service (IAS) Fails to Start or be Installed

[Today's post comes to us courtesy of Damian Leibaschoff and Wayne McIntyre]

We have seen some cases where the Network Policy Server service fails to start, when this happens, functionality provided by TS Gateway (used in RWW) or Routing and Remote Access (RRAS) will also stop working. Furthermore, we’ve also seen, that as part of the troubleshooting, partners are uninstalling the entire role, and when trying to re-install it fails.

How to identify you are experiencing this issue?

When starting the NPS service it fails with:


The following event is logged:

Log Name: System
Source: Service Control Manager
Date: 1/30/2009 11:36:35 AM
Event ID: 7023
Task Category: None
Level: Error
Keywords: Classic
User: N/A
The Network Policy Server service terminated with the following error:
Unspecified error

If you try to start RRAS you get:

Log Name:      System
Source:        Service Control Manager
Date:          2/16/2009 1:34:37 PM
Event ID:      7024
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
The Routing and Remote Access service terminated with service-specific error 16389 (0x4005).

If you try to re-install the Role service you get:

Network Policy and Access Services
Network Policy Server
Network Policy and Access Services: Installation failed
<Error>: Attempt to install Network Policy Server failed with error code
0x80070643. Fatal error during installation
The following role services were not installed:
Network Policy Server

In the servicing logs you see:

5316: 2009-01-29 12:06:25.902 [CBS] ...current state of 'IAS
NT Service': p: Staged, a: Staged, s: UninstallRequested
5316: 2009-01-29 12:06:25.902 [CBS] ...setting state of 'IAS
NT Service' to 'InstallRequested'
5316: 2009-01-29 12:06:25.919 [CBS] ...'IAS NT Service' :
applicability: Applicable
5316: 2009-01-29 12:07:05.658 [CbsUIHandler] Initiate:
5316: 2009-01-29 12:07:08.975 [InstallationProgressPage] Installing...
5316: 2009-01-29 12:08:54.092 [CbsUIHandler] Error: -2147023293 :
5316: 2009-01-29 12:08:54.093 [CbsUIHandler] Terminate:
5316: 2009-01-29 12:08:54.093 [CBS] Error (Id=0) Function:
'NativeMethods.GetPackageStatus(out status)' failed: 80070643 (-2147023293)
5316: 2009-01-29 12:08:54.094 [CBS] ...done installing 'IAS

NT Service '. Status: -2147023293 (80070643)
5316: 2009-01-29 12:08:54.094 [InstallationProgressPage] Verifying
5316: 2009-01-29 12:08:54.194 [Provider] Skipped configuration of
'NetworkPolicyServer' because install operation failed.
2009-01-29 12:07:27, Error CSI 00000001 (F) Logged
@2009/1/29:12:07:26.752 : [ml:96{48},l:94{47}]"Attempting to start service {IAS}
2009-01-29 12:07:27, Error CSI 00000002 (F) Logged
@2009/1/29:12:07:27.753 : [ml:260{130},l:258{129}]"Service did not run. Current
state (3) Exit code (-2147467259) Service specific exit code (0) Check point (1)
Wait hint (300000) "

2009-01-29 12:07:27, Error CSI <00000003@2009/1/29:12:07:27.864>
(F) CMIADAPTER: Inner Error Message from AI HRESULT = E_FAIL
[19]"Unspecified error"

The problem can happen when the NPS service tries to register it’s VSS writer and finds that it does not have enough rights to do so.

To resolve this:

  1. Check the following registry key:
    Verify that the setting for NT AUTHORITY\NETWORK SERVICE is set to 1. If this is set to 0 change it to 1.



  2. Open Task Manager, select Show Processes for all users, and kill any instances of IASHOST.EXE that might be running.


  3. Start the NPS Service. (If it is not installed, re-install it at this point)

We are investigating why the value would be 0 instead of 1. At this time we have identified that uninstalling WSS 3.0 will cause the value to change to 0, there are other interactions that could lead to this value getting changed. We will update this post once we have more information.