An Uncommon Cause for IIS 503 Service Unavailable Errors

Recently, while migrating IIS websites to a new server, I encountered “Service Unavailable. HTTP Error 503. The service is unavailable.” errors, but only over HTTPS; HTTP on port 80 worked fine. Depending on which port the conflicting application had claimed, the problem could just as easily have affected HTTP.

The server was listening on port 443.

If you ever encounter a problem like this, stop the World Wide Web Publishing Service (W3SVC), which takes every IIS site offline.

Then check whether the server is still listening on port 443.

If it is, something other than IIS is listening on port 443. The owning process alone will not tell you what: HTTP.sys is a kernel-mode listener shared by IIS and any other application built on it, so the socket belongs to the System process (PID 4) either way. On a server you have inherited, it may not be easy to determine which application registered the port.
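The listener check described above, as an added example that is not code from the original post. It stops W3SVC, re-checks the port, restores W3SVC, and returns whether something other than IIS is still listening. The port and service name are the ones the post discusses; everything else is my own scaffolding. It has to run in an elevated PowerShell session on the IIS server.

```powershell
# Added example, not from the original post: confirm whether IIS is the only thing
# behind port 443. HTTP.sys is a kernel-mode listener shared by IIS and any other
# HTTP.sys-based application, so the socket's owning process is the System process
# (PID 4) either way; the useful signal is whether the listener survives stopping W3SVC.

function Get-PortListener {
    param([int]$Port = 443)
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ Name = 'ProcessName'; Expression = {
                (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
}

function Test-PortHeldOutsideIis {
    # Stops W3SVC, re-checks the port, and restores W3SVC before returning.
    # Returns $true when something other than IIS is still listening on the port.
    param([int]$Port = 443)

    Write-Host "Listeners on port $Port with W3SVC running:"
    Get-PortListener -Port $Port | Format-Table -AutoSize | Out-String | Write-Host

    # Stopping the World Wide Web Publishing Service takes every IIS site offline.
    Stop-Service -Name W3SVC -Force
    try {
        $remaining = @(Get-PortListener -Port $Port)
        Write-Host "Listeners on port $Port with W3SVC stopped:"
        $remaining | Format-Table -AutoSize | Out-String | Write-Host

        if ($remaining.Count -gt 0) {
            # HTTP.sys itself can list the request queues that are still registered;
            # the process IDs shown there belong to the real owner, not to PID 4.
            Write-Host 'Request queues still registered with HTTP.sys:'
            netsh http show servicestate view=requestq | Write-Host
        }
        return ($remaining.Count -gt 0)
    }
    finally {
        # Leave the server as you found it.
        Start-Service -Name W3SVC
    }
}

if (Test-PortHeldOutsideIis -Port 443) {
    'Port 443 is held by something other than IIS; inspect URL reservations with: netsh http show urlacl'
}
else {
    'Port 443 is free when IIS is stopped; look inside IIS (bindings, application pool, certificate).'
}
```

The `netsh http show servicestate view=requestq` output is worth reading even when the port looks free: it lists every registered URL and the process that registered it, which is the information the socket listing hides behind PID 4.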

I’ll install a PowerShell module named Carbon from the PowerShell Gallery (Install-Module -Name Carbon) to help determine what’s going on. Its Get-CHttpUrlAcl cmdlet (Get-HttpUrlAcl in older releases) returns the HTTP.sys URL reservations as objects, the same information that netsh http show urlacl prints as text.

When an application that uses HTTP.sys (a non-IIS web server, a WCF service, an HttpListener-based agent) is installed on Windows, it typically reserves the URL namespace it will listen on, which grants an account the right to register URLs under that prefix. That reservation is what netsh calls a urlacl, and it is the ACL on the port that you can see referencing port 443 in the following image.

Actually, there are two entries listed for port 443 in the previous image. The one with a GUID after the port is fine: it is scoped to that one path under port 443 rather than to the entire namespace, so it does not stop IIS from registering its own URLs. The one to worry about is the reservation for the whole of port 443, with nothing after the port.

I couldn’t confirm it, but I strongly suspected that the Dell EqualLogic SAN Headquarters application installed on this particular server was causing the problem, so I uninstalled it, since it was no longer needed.

The uninstall appeared to work and the application was removed from the server, but it did not remove the URL reservation (the ACL) for port 443.

Since uninstalling the application did not resolve the problem, I decided to forcibly remove the reservation. Forcibly deleting these ACLs is NOT something I recommend as a first step: the reservation is what gave the owning application the right to listen, so removing one that a still-installed product depends on will break that product. At minimum, record the existing entries with netsh http show urlacl before touching anything, so an entry can be re-created with netsh http add urlacl. In my case I was at the point where I had nothing else to lose, because the alternative was to simply spin up another server.

Once that entry was removed and W3SVC was restarted, IIS listened on port 443 again and the 503 errors stopped.
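The reservation inspection and removal described above, as an added example that is not code from the original post. It parses the text output of netsh http show urlacl rather than relying on Carbon, separates whole-port reservations such as https://+:443/ from path-scoped ones such as https://+:443/<GUID>/, writes a backup of every reservation before anything is deleted, and prompts before each delete. The function and file names are mine; the netsh commands are the real ones. Run it elevated.

```powershell
# Added example, not from the original post: list HTTP.sys URL reservations, pick out
# the ones that claim all of port 443, back them up, and remove them deliberately.

function Get-HttpUrlReservation {
    # One object per reservation: the URL, the accounts granted on it and the SDDL.
    # Parses the text layout of 'netsh http show urlacl'.
    $entries = @()
    $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @(); Sddl = $null }
        }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
        elseif ($current -and $line -match '^\s*SDDL:\s*(\S+)') {
            $current.Sddl = $Matches[1]
        }
    }
    if ($current) { $entries += $current }
    $entries
}

function Test-WholePortReservation {
    # $true for a reservation that covers every host and every path on the port,
    # such as https://+:443/ or https://*:443/. An entry with a path after the port,
    # for example https://+:443/<GUID>/, is scoped to that path and does not block
    # IIS sites on the same port.
    param([Parameter(Mandatory)][string]$Url, [int]$Port = 443)
    $Url -match "^https?://[+*]:$Port/$"
}

function Remove-HttpUrlReservation {
    # Wraps 'netsh http delete urlacl' in ShouldProcess so it prompts before each
    # delete (and honours -WhatIf). Deleting a reservation another product still
    # needs breaks that product, so keep the backup written below.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Url)
    if ($PSCmdlet.ShouldProcess($Url, 'netsh http delete urlacl')) {
        netsh http delete urlacl "url=$Url"
    }
}

$port   = 443
$backup = Join-Path $env:TEMP ('urlacl-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
netsh http show urlacl | Out-File -FilePath $backup
"All reservations saved to $backup (re-create one with: netsh http add urlacl url=<url> sddl=<sddl>)"

$wide = @(Get-HttpUrlReservation | Where-Object { Test-WholePortReservation -Url $_.Url -Port $port })
$wide | Format-Table Url, @{ Name = 'Users'; Expression = { $_.Users -join ', ' } }, Sddl -AutoSize

# Only after confirming that the application which created the reservation is gone:
$wide | ForEach-Object { Remove-HttpUrlReservation -Url $_.Url }
Restart-Service -Name W3SVC
```

Run the script once with the last two lines commented out to see what it would remove; the Users column tells you which account the reservation was created for, which is usually enough to identify the product that left it behind.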

In addition to the steps listed above, I went through all of the normal items you would check in this scenario. Most of them were ruled out because the same website was working on port 80: the site, its application pool and W3SVC itself were all healthy, which left only things specific to the HTTPS binding.

I decided to turn my checklist of items for 503 service unavailable errors into a Pester test to make it easier to know where to start troubleshooting.

The way I’ve written this test, the last entry will almost always fail, because there will almost certainly be at least some informational entries in that particular event log. Start from the top and check the first item that fails.
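A checklist in the spirit of the author's Pester test, as an added example that is not the original test from the post. It assumes Pester 4 syntax, the WebAdministration module that ships with IIS, and a site named 'Default Web Site' on port 443; change $siteName and $port for your server, and under Pester 5 move those two variables into a BeforeAll block, since script-level variables are not visible when the tests run. Unlike the author's version, the event log check filters to Critical and Error entries so that it can pass on a healthy server.

```powershell
# Added example, not from the original post: a top-down checklist for 503 errors.
# Work from the top; the first failing check is where to start troubleshooting.
# Assumptions: Pester 4, WebAdministration module, elevated session, site name below.

$siteName = 'Default Web Site'
$port     = 443

Describe "IIS 503 Service Unavailable checklist for '$siteName' on port $port" {

    BeforeAll { Import-Module WebAdministration }

    It 'Windows Process Activation Service (WAS) is running' {
        (Get-Service -Name WAS).Status | Should -Be 'Running'
    }

    It 'World Wide Web Publishing Service (W3SVC) is running' {
        (Get-Service -Name W3SVC).Status | Should -Be 'Running'
    }

    It "Site '$siteName' exists and is started" {
        (Get-Website -Name $siteName).State | Should -Be 'Started'
    }

    It "Application pool for '$siteName' is started" {
        $pool = (Get-Website -Name $siteName).applicationPool
        (Get-WebAppPoolState -Name $pool).Value | Should -Be 'Started'
    }

    It "Site '$siteName' has an https binding on port $port" {
        $info = @(Get-WebBinding -Name $siteName -Protocol https | ForEach-Object bindingInformation)
        ($info -match ":$port:") | Should -Not -BeNullOrEmpty
    }

    It "A certificate is bound to port $port in HTTP.sys" {
        ((netsh http show sslcert) -match ":$port\s*$") | Should -Not -BeNullOrEmpty
    }

    It "No URL reservation claims all of port $port" {
        # https://+:443/ with nothing after the port blocks every site on the port;
        # a reservation with a path after the port is scoped to that path and fine.
        ((netsh http show urlacl) -match "^\s*Reserved URL\s*:\s*https?://[+*]:$port/\s*$") |
            Should -BeNullOrEmpty
    }

    It "Something answers on port $port" {
        (Test-NetConnection -ComputerName localhost -Port $port).TcpTestSucceeded | Should -BeTrue
    }

    It 'No HTTP.sys, WAS or W3SVC errors in the System log in the last 24 hours' {
        $filter = @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-HttpEvent', 'Microsoft-Windows-WAS', 'Microsoft-Windows-IIS-W3SVC'
            Level        = 1, 2
            StartTime    = (Get-Date).AddDays(-1)
        }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Should -BeNullOrEmpty
    }
}
```

Save it as a .Tests.ps1 file and run Invoke-Pester against it; on the server in this post the first seven checks would have passed and only the URL reservation check would have failed, which is exactly the ordering you want.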

One informational entry in the event log stood out; it appears to have been written when the reservation on port 443 was created, although it still did not say which application had created it.

Information about this particular problem seems to be scarce, although I did come across a couple of much older articles with some details about it:

A Not So Common Root Cause for 503 Service Unavailable
Configuring HTTP for Windows Vista


2 Comments

  1. Luke

    Usually, I use Get-NetTCPConnection and watch the last column named OwningProcess.
    But in your case, it wouldn’t have been sufficient to solve your issue.

    Thanks, Mike, for sharing so much good information.

  2. Chris Trotter

    Don’t forget looking into HTTPERR logs! (C:\Windows\System32\LogFiles\HTTPERR\httperr*.log) We are dealing with a weird case of large amounts of 503s causing IIS to revert to the previous website. They are not logged in the IIS logs, only in HTTPERR.

    Get-ChildItem -Path 'C:\windows\system32\LogFiles\HTTPERR' -Include *.log -Recurse | Where-Object LastWriteTime -gt (Get-Date).AddDays(-7) | Select-String -SimpleMatch ' 503 '

    Note the spaces around ' 503 '...required to get a good match.
