1
votes

I have an intranet web application developed using C# and .NET and it is hosted on our own internal webserver running IIS 8.5.

I have set up the application pool to use the built-in account ApplicationPoolIdentity, and this works fine.

However, I need the application to be able to browse a network drive, so I have changed the application pool to use a custom account that has access to the network drive. I know it has access as I am using my login details here.

But when I browse to the website I get the following error:

Service Unavailable

HTTP Error 503. The service is unavailable.

When I recycle the application pool with these new settings I get the following error:

There was an error while performing this operation Details The object identifier does not represent a valid object. (Exception from HRESULT: 0x800710D8)

I have also tried using the server admin account but I get the same error messages.

Thanks

Edit

The following message is in the event log

The identity of application pool TestApplicationPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

3
Is it still broken if you change it back to ApplicationPoolIdentity? - Polyfun

Do these accounts have read/write access to the website directory? This also happens when the username/password is incorrect; are you entering the username in the correct format? domain\username - GJKH

You could also try creating a new worker pool and assign this to the site to rule out any problems with the current one. - GJKH

@Polyfun changing it back to ApplicationPoolIdentity fixes the issue. - Simon

@GJKH I have checked the permissions on the website directory and the user I have been entering has full permissions on this folder. I am definitely using the correct username/password as I am testing it with my own account. I am using the domain\username format. - Simon

3 Answers

0
votes

Try granting the user account permissions to access the required ASP files and folders, from a command prompt:

aspnet_regiis -ga "Domain\SomeAccount"

https://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.100).aspx

Also allow the account to log on as a service:

Start -> Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Log on as a service

Also add the account to the IIS_WPG group:

In the Computer Management screen, under System Tools, expand Local Users and Groups, and then click Groups.

Right-click the IIS_WPG group, and then click Add to Group.

In the IIS_WPG Properties dialog box, click Add.

https://msdn.microsoft.com/en-us/library/aa544832(v=cs.70).aspx

0
votes

The group is called IIS_IUSRS in newer versions of IIS.

You may also need the following:

  • Access this computer from the network
  • Adjust memory quotas for a process
  • Allow log on locally
  • Bypass traverse checking
  • Generate security audit details
  • Impersonate a client after authentication
  • Log on as a batch job
  • Log on as a service
  • Replace a process level token

0
votes

Don't forget to remove the custom account from the "Guests" group in Local Users and Groups
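
The event log message and the answers above point at three things to verify for the custom identity: its logon rights, its IIS_IUSRS membership, and its Guests membership. The following script is an added example, not part of any answer in this thread, that checks all three in one pass. It assumes Windows PowerShell 5.1 (for `Get-LocalGroup` and `Get-LocalGroupMember`), an elevated prompt, and a placeholder account name `CONTOSO\svc-intranet`; rights granted through nested domain groups are not detected.

```powershell
# Added diagnostic example, not from the thread. Run elevated on the IIS server.
param([string]$Account = 'CONTOSO\svc-intranet')   # placeholder account name

$sidType = [System.Security.Principal.SecurityIdentifier]
# User rights are recorded by SID, so resolve the account first.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value

# SIDs that can carry a right for this account: itself plus every local
# group it is a direct member of (nested domain groups are not expanded).
$holders = @{ $sid = $Account }
foreach ($g in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue
    if ($members.SID.Value -contains $sid) { $holders[$g.SID.Value] = $g.Name }
}

# Export the User Rights Assignment section of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

function Get-RightHolder([string]$Right) {
    # Lines look like: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-568
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $e = $entry.Trim()
        if ($e.StartsWith('*')) { $e.Substring(1); continue }
        # Entries without '*' are account names; translate them to SIDs.
        try { ([System.Security.Principal.NTAccount]$e).Translate($sidType).Value }
        catch { $e }
    }
}

# Allow and deny forms of the two logon rights named in the thread.
$rights = 'SeBatchLogonRight', 'SeServiceLogonRight',
          'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight'
foreach ($right in $rights) {
    $via = Get-RightHolder $right | Where-Object { $holders.ContainsKey($_) } |
           ForEach-Object { $holders[$_] }
    $state = if ($via) { 'held via ' + ($via -join ', ') } else { 'not held' }
    '{0,-24} {1}' -f $right, $state
}

# Well-known SIDs: S-1-5-32-568 is IIS_IUSRS, S-1-5-32-546 is Guests.
'Member of IIS_IUSRS: {0}' -f $holders.ContainsKey('S-1-5-32-568')
'Member of Guests:    {0}' -f $holders.ContainsKey('S-1-5-32-546')
```

A "held" result on either `SeDeny...` line overrides the matching allow right, so check those lines first when the pool identity is rejected despite appearing to have the right.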