IIS 7 and Above
Application pool identity problems
Last post Jul 26, 2013 10:45 AM by RicardoCC
Jan 23, 2007 12:41 PM|zzhumphreyt|LINK
I'm trying to set the identity of an application pool to a specific user and have had nothing but problems. I found an article mentioning 3 user policy settings to give to the account I want to use, http://beyondthispoint.blogspot.com/2006/04/setting-up-iis6-application-pool.html; I know the article is for IIS6 but I haven't found much info on IIS7. Anyway, I tried those settings and rebooted and had an error in my event log that reads
The World Wide Web Publishing Service (WWW Service) encountered an error when it tried to secure the handle of application pool ASP.NET V2.0 from HTTP.sys. Edit the identification information for the application pool so that the WWW Service can secure the handle of the application pool again. The data field contains the error number.
So now I'm desperate and don't know what to do. Exactly what steps do you need to take for a domain account to be the identity for an application pool?
Jan 30, 2007 01:18 AM|thomad|LINK
This should simply work by specifying username, password and identityType for the AppPool.
Can you try this?
%windir%\system32\inetsrv\appcmd set AppPool "ASP.NET V2.0" -processModel.username:<your username, e.g. domain\user>
%windir%\system32\inetsrv\appcmd set AppPool "ASP.NET V2.0" -processModel.password:<your user's domain password>
%windir%\system32\inetsrv\appcmd set AppPool "ASP.NET V2.0" -processModel.identityType:SpecificUser
Let me know if you still see the problem.
By the way: is the machine a member of the domain?
Jan 30, 2007 09:11 AM|zzhumphreyt|LINK
Hey, thanks for replying.
Yes, my machine is a member of the domain. I tried the three commands listed, they seem to be the same thing the GUI provides. After doing this I ended up with 2 errors and 1 warning in my event log:
Event 1026, IIS-W3SVC (Error)
The World Wide Web Publishing Service (WWW Service) encountered an error when it tried to secure the handle of application pool ASP.NET V2.0 from HTTP.sys. Edit the identification information for the application pool so that the WWW Service can secure the handle of the application pool again. The data field contains the error number.
Event 5057, WAS (Warning)
Application pool ASP.NET V2.0 has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.
Event 5059, WAS (Error)
Application pool ASP.NET V2.0 has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.
After getting these errors I changed the application pool to use the Integrated pipeline mode, refreshed the page, and got this warning.
Event 5021, WAS (Warning)
The identity of application pool ASP.NET V2.0 is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the metabase must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
I have to enter my credentials in the GUI to connect to the network share I store my files on, and where my webs ultimately point to, so I feel sure I'm not mistyping my username and password since they work. Since the message mentioned batch logon rights I looked in the Local Security Policy control panel and the User Rights Assignment section but the "Log on as a batch job" section doesn't allow me to add any user or group to it.
So I'm still at a loss in all of this.
I just tried a local user as the identity of the application pool and got the same errors as with the domain user.
Jan 30, 2007 10:11 AM|anilr|LINK
Jan 30, 2007 10:36 AM|thomad|LINK
Your Domain Policies might prevent anybody from logging on as batch. You can try to change the LogonMethod but let's see first what the Eventlog error code tells us.
Jan 30, 2007 11:01 AM|zzhumphreyt|LINK
Only 2 of the 4 errors I listed before had anything in the Binary field of the EventData node, I'm assuming this is the error code.
Event 1026, IIS-W3SVC had this
Event 5021, WAS had this
I'm just copying and pasting what was in the XML, I didn't reverse the bytes or anything.
Jan 30, 2007 12:02 PM|anilr|LINK
Jan 30, 2007 01:59 PM|zzhumphreyt|LINK
I'm running Vista Business, 6.0.6000 N/A Build 6000 (from the systeminfo command)
That's a bummer about needing that user right but not being allowed to because of a domain policy. Is there no way around this, short of asking my system administrator for permission?
Jan 30, 2007 04:56 PM|anilr|LINK
If it is not prohibited by domain policy (deny logon as batch) - you may be able to add the "allow logon as batch" privilege to the identity you want to use.
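
Added example, not part of the original thread: a PowerShell script that exports the machine's user-rights assignments with `secedit` and reports which principals hold the allow and deny batch logon rights discussed above, and whether the application pool identity is listed directly. The account name `CONTOSO\svc-apppool` and the temporary file name are placeholders chosen for this example; run it from an elevated prompt.

```powershell
# Report who holds the batch logon rights that WAS event 5021 refers to.
param(
    [string]$Account = 'CONTOSO\svc-apppool'   # placeholder account (assumption)
)

# Resolve the account name to a SID; secedit lists most principals as *<SID>.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the security settings on this machine.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # file name chosen for this example
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-RightHolders([string]$Right) {
    # Lines look like: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }             # right is assigned to nobody
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

foreach ($right in 'SeBatchLogonRight', 'SeDenyBatchLogonRight') {
    $holders = @(Get-RightHolders $right)
    # Entries are SIDs or, for some accounts, plain names.
    $listed = ($holders -contains $sid) -or ($holders -contains $Account)
    '{0,-22} lists {1} directly: {2}' -f $right, $Account, $listed
    foreach ($h in $holders) {
        $name = $h
        if ($h -like 'S-1-*') {
            try {
                $s    = New-Object System.Security.Principal.SecurityIdentifier($h)
                $name = $s.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }                        # unresolvable SID: print it as-is
        }
        "    $name"
    }
}

Remove-Item $cfg
```

The script only checks whether the account itself is listed; a right granted or denied through a group shows up as the group's name in the output, so group membership still has to be compared by hand.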
Jul 26, 2013 10:45 AM|RicardoCC|LINK
Thanks Anilr, Your advice