Application Pool Identity Problem

Sleepy

I'm using an active directory account as the Identity of an Application Pool on a client's site but keep getting the following error:

Event ID: 1057
Description:
The identity of application pool 'TestAppPool' is invalid, so the World Wide
Web Publishing Service can not create a worker process to serve the
application pool. Therefore, the application pool has been disabled.

I've added the user to the IIS_WPG group.
I'm told 'Password Never Expires' is set on the account. (don't have access to verify but trust the client)

After some googling I've assigned 'Adjust Memory Quotas for a Process' and 'Replace a process level token' privileges in the web server's local security policy. I've even gone as far as granting 'Run as part of the OS' privileges but I'm still getting this error.

Anyone seen this before?

Ginger

Enable trusted for delegation on the account and make sure that it has permissions on the Microsoft.NET folder within the system directory

Also verify that the password hasnt been reset and to be sure.. type a new password on the domain and use that password in the application pool.. once verified, recycle the pool in IIS

Sleepy

Thanks for the suggestions Ginger. Tried that to no avail.

I've created a new 'test' user locally on the machine and created a new app pool using this user as the identity. Starting the pool gives the same error. Giving the 'test' user admin privileges doesn't change things.

Nothing in the local policies seems to be stopping the log in. Utterly baffled??!

Ginger

Has any of the permissions changed on the Microsoft.NET folder or folders above it???

Also the test user that you created was it local or domain?

Sleepy

The test user was a local account which makes me think this can't be anything to do with the AD settings of the service user I want to use.

I'm on Server 2003 SP2 btw.


Are there any dependencies for IIS to use an identity for an Application Pool?

Ginger

Hmmm
Did you add the user to the IIS_WPG group

Also any silly permissions changed lately.

Can you run it as Local Service just to check?

Sleepy

Local Service will allow the app pool to start.

It seems to be that whenever a specified identity is used, the App pool sees it as invalid (whether the App pool is started by a website or in IIS).

I created a test app pool, using the local test user who is a member of IIS_WPG (and local admin - though the live system obviously couldn't retain this permission) and starting the app pool in IIS (without even attaching a website) still gives an 'invalid identity' error.

Ginger

Ok... do you have strange permissions on your root c drive?

Sleepy

Nothing odd that I can see. Have logged this with the Microsoft Partner's forum at this stage...

Ginger

Are they default or have they been changed?

Also have a look at the permissions on the user such as delegation...

Sleepy

OK - no idea why this fixed the problem but it did...

Added the service user to the 'Users' group on the machine (it would have already had this privileges under 'authenticated users' group). App Pool started fine.

Removed the user from the group and was still able to recycle the App Pool.

Makes no sense whatsoever but sometimes that's MS software for you!