Collab365

Stop SharePoint 503 Crashes with Dedicated Accounts

Q: What causes HTTP 503 Service Unavailable in SharePoint Central Admin?

Credential failure from password reset on a shared service account, stopping the application pool (503.0) or exceeding concurrent requests (503.2).

Q: How to immediately fix a stopped SharePoint application pool?

Open IIS Manager, find the app pool, go to Advanced Settings, update the user identity password, and restart.

Q: What dedicated service accounts should SharePoint admins use?

Sp_install for farm install, Sp_apppool for worker processes, Sp_farm for core farm, Sp_timeservice for Timer Service, Sp_userprofile for User Profile Service.

C

Collab365 TeamAuthorPublished Dec 23, 2016

2

At a Glance

Target Audience: SharePoint Farm Administrators
Problem Solved: HTTP 503 Service Unavailable error blocking Central Admin access due to application pool credential failures from password resets on shared service accounts.
Use Case: Preventing farm-wide downtime in on-premises SharePoint 2010 during mandatory password changes.

Most admins treat SharePoint service accounts like a shared Netflix login. It never works.

You use one master account for everything. Then a mandatory password reset hits. Suddenly your entire farm goes down.

The first symptom is usually a dead stop. Users try to load a page and get hit with an HTTP Error 503 Service Unavailable. If you check the IIS logs, you will see two common culprits. A 503.0 status means your application pool is completely offline. A 503.2 status means you just exceeded your concurrent request limit.

Here is what actually happens under the hood. When an application pool stops, the Windows Process Activation Service shuts down all associated worker processes. It does not restart them for you. You have to step in manually. Until you do, every application tied to that pool is dead in the water.

Why does the pool stop? Nine times out of ten, it is a credential failure.

If you use a single account for your configuration database and your web services, a simple password update will break the connection. You will get locked out of Central Administration. To fix the immediate bleeding, open IIS. Find your application pool. Right-click into Advanced Settings. Select the user identity and update the password.

But fixing the password is just a band-aid. You need to build a resilient architecture. That means isolating your service accounts.

Stop sharing credentials. Set up dedicated accounts for specific jobs.

Sp_install: Use this exclusively to install and provision the farm.
Sp_apppool: Dedicate this to your worker processes. If your web application crashes, this is the account you troubleshoot.
Sp_farm: This is your core farm account. Some admins use it for the Timer Service. Do not do that.
Sp_timeservice: Create a completely separate identity just for your SharePoint Timer Service.
Sp_userprofile: Keep this isolated for your User Profile Service when syncing with Active Directory.

You do not need a massive IT budget to keep SharePoint running smoothly. You just need to stop cutting corners with your security architecture. Do the boring work of setting up proper accounts now. Your future self will thank you.