43

My ASP.Net web service cannot run because the application pool is unable to start due to the identity crisis it's experiencing.

The user I'm using in the app pool is a domain user, it's a local admin, it's in IIS_WPG, I've given it "act as part of the OS permissions" - nothing. Nada. Fails to start the application pool each time.

Adding the user to IIS_WPG is usually what's missing, but I guess there's something else.

Things I've tried:

  • Adding user to IIS_WPG
  • Adding user to local admin group and adding the "Act as part of the os" right.
  • aspnet_regiis -ga
  • rebooting...
  • Checked password
  • Recreated the app pool and assigning only my application to it

p.s. If I use the Network Service user it all works - it's just my "custom" user that's failing. Logging in (interactively) with this user works.

Edit:

The solution is as described in the accepted answer (adding the "Log on as Service" right to the application pool's identity user).

I'll just add, for future reference, for those encountering the following message when trying to add the "Log on as a service" right to a domain user:

"This setting is not compatible with computers running Windows 2000 Service Pack 1 or earlier...."

Know that this has nothing to do with Windows 2000 and it's just the domain's group policy that's preventing you from assigning this right to the user.

4
  • what exactly does the event log report? Commented May 14, 2009 at 15:00
  • 1
    Assaf - if you're creating custom accounts to be used as application pool identities you do need to use the aspnet_regiis -ga <username>. Commented May 15, 2009 at 13:24
  • Kev - I tried and it didn't help Commented May 17, 2009 at 8:23
  • I'm here because we rebooted the server today, and this started happening out of the blue. I suspect that there was a domain policy change, since the last reboot. Just sitting out there, waiting for us to reboot... WHAM! The info here looks very useful, hopefully it'll get us going again. Commented Sep 27, 2011 at 18:15

16 Answers

56
+150

Have you enabled "Log on as a service" for the account?

Start -> Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Log on as a service

(make sure your account is in this list directly or indirectly; it has also been suggested that you should set: Access this computer from the network; Deny logon locally; Log on as a batch job)

Also - ensure that the account has "Read & Execute", "List Folder Contents" and "Read" access to the file system that underpins the web site/application.


11 Comments

I tried setting Log On as Service, but I'm unable to. The MMC snapin says: "this setting is not compatible with computers running Windows 2000 Service Pack 1 or earlier...." Of course, I'm running XP64 with SP3. This is very suspicious. Could it be a wrong error message that's actually due to group policy preventing me from changing this right?
I haven't seen that message; I honestly don't know.
I had this problem and needed to give the user "Log on as a batch job" as well as "Log on as a service". In my case I gave "Log on as a batch job" by adding them to the IIS_WPG group.
I also had to give the user "Log on as a batch job"- What I don't understand is it was working fine without having this permission then it stopped working.
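
An added example, not part of the answer or its comments: a PowerShell check of the user rights named above ("Log on as a service", "Log on as a batch job") for an app pool identity, read from a `secedit` export. The account name `CONTOSO\svc-web` is a placeholder, the two deny rights are included here as an assumption that a deny assignment may also be in play, and only direct assignment is tested, so the resolved `AssignedTo` list is printed for reviewing grants made through groups.

```powershell
# Added example: audit the logon rights an app pool identity needs.
# Run from an elevated prompt. 'CONTOSO\svc-web' is a placeholder account.
param([string]$Account = 'CONTOSO\svc-web')

$rights = 'SeServiceLogonRight', 'SeBatchLogonRight',
          'SeDenyServiceLogonRight', 'SeDenyBatchLogonRight'

# Resolve the account to its SID; the export lists most principals as *SID.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Export the User Rights Assignment section of the security policy.
$cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try {
    $lines = Get-Content -Path $cfg
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

foreach ($right in $rights) {
    # Lines look like: SeServiceLogonRight = *S-1-5-20,*S-1-5-80-0,name
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } |
        Select-Object -First 1
    $entries = @()
    if ($line) {
        $entries = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }
    # Translate each entry to a readable name so group grants are visible.
    $names = @(foreach ($e in $entries) {
        try {
            ([System.Security.Principal.SecurityIdentifier]$e).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $e }   # already a name, or a SID that cannot be resolved
    })
    [pscustomobject]@{
        Right        = $right
        DirectlyHeld = ($entries -contains $sid) -or ($names -contains $Account)
        AssignedTo   = $names -join '; '
    }
}
```

If a right keeps reverting after being set locally, `gpresult /r /scope computer` lists the group policy objects applied to the machine.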
22

Try running the following command in the C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 folder:

aspnet_regiis -ga <your_app_pool_user>

For more info on configuring a user account to use as an application pool identity see the following article:

How To: Create a Service Account for an ASP.NET 2.0 Application (MSDN)

3 Comments

If you're creating custom accounts for use as app pool identities you should always run that command anyway. It sets up all the correct user rights assignments, registry permissions, NTFS perms etc.
This worked for me. Probably should note to run that out of the appropriate framework version folder though...
For us, the ApplicationPoolIdentity account was causing the problem. I ran the command, then got the error: An error has occurred: 0x000706fc The trust relationship between the primary domain and the trusted domain failed. Would love to know how you fix that... and funny because I thought this account was a local one, not a domain one.
1

Make sure there's a folder called c:\inetpub\temp\apppools. If not, create it.

1 Comment

Had no such folder. Created one. Still doesn't work (invalid identity). Is there an extra step?
1

Make sure the user account trying to access the app pool is a member of the IIS_USRS group in AD.

Comments

0

What's happening is you are likely running your application inside a pool that is running applications using a different version of the .NET framework. Make sure that all your applications inside that pool are running the same version. If those apps must run under a different version than this one, create a new pool and add your app to it.

1 Comment

Nope, not it. And it's actually unlikely to be the cause because the warning in the Event Log about the identity problem occurs way before I even try to view the web page (thereby loading the DLL..)
0

I know this is simple, but have you checked the password is correct?

1 Comment

Yes, and I've reset it and retried. Even tried running calc with runas with it... (which works)
0

Having had this issue before and not being able to track the reason I sympathise! Some pointers that might help:

  • Check the password is correct (sorry has to be said)
  • Use a new app pool in which no other website is running
  • Ensure that you have run aspnet_regiis -ga to set up the required permissions

If all else fails:

  • Stop the app and delete the app pool
  • Delete the user
  • Re-create the user
  • Run aspnet_regiis -ga
  • Set up a new app pool running under this user
  • Run the site under this pool

That along with copying and pasting the complex password I was using worked for me!

1 Comment

I've done all this except delete the user (which is a domain user, and working fine on many other machines, so I'm not about to delete it).
0

Do you have a group policy somewhere that is pulling the account out of the iis_wpg group? We have this (or a similar) problem frequently when, for whatever reason, a worker process or a service needs to run under a custom account.

Comments

0

The app pool user account might be locked out.

Comments

0

Another way this can happen is if you have CGI scripts. By default, CGI scripts run as the Windows user accessing the web site. In order to run your CGI scripts under a specific account, you need an extra step:

IIS 7+

Go to the CGI section in your web site's config in inetmgr.exe. Set impersonation to false.

IIS 6

Run these commands as an administrator:

cd \inetpub\adminscripts
cscript.exe Adsutil.vbs SET W3Svc/CreateProcessAsUser false

Next step: get your IT department to upgrade all of your WS2003 machines...

Comments

0

After following all of the other suggestions:

  1. Check "Log on as a service" and "Log on as a batch job" permissions
  2. Check folder permissions, c:\Windows\system32\inetsrv, etc.
  3. In Metabase Explorer check permissions for IIS_WPG group

Remember to restart the IIS admin service!

Comments

0

Another minor thing worth mentioning might be that, if it is a new user account created by an administrator, a default policy might apply like 'change your password at first logon'. If that is the case and that logon has not yet happened, this will also effectively block the user account from running your service.

This does not apply to the OP's case since he mentions he can login interactively using the account, but I ran into this today and somebody else might too.

Comments

0

In my case the problem was that I was trying to use a domain account while the domain controller had an issue with my machine. I had just created a new VM with a newer version of Windows (Windows 10) and had asked the domain administrator to add it to the domain, but I kept the same hostname as on my other machine.

Also, in the Event Viewer I found error messages concerning the domain controller and such, that gave me a clue.

I had to remove the machine from the domain and add it again, and the problem was solved.

Comments

0

Posting a simple answer for completeness because I was getting the same error but what fixed it for me was to include the domain with the username when setting the identity. The user was a valid domain user and a user for the server and I added it to the IIS_ group manually but no dice until I tried adding the domain as a prefix, e.g. "us\svc-myAccount".

Comments

0

After trying all of the above and nothing worked, I noticed the event data in the event log error was 80070700. Googling for this error yielded "An attempt was made to logon, but the network logon service was not started."

I found the NetLogon service wasn't started, started it and bingo - it sprung into life. Hope this helps someone else one day.

Comments

0

I had this same issue and fought with it for quite a while. After attempting many different solutions, I uninstalled and reinstalled IIS. After rebooting the server, everything was fixed.

Comments
