Running IIS6 App Pools under a Domain account Identity
Recently we changed the Identity of an App Pool in IIS 6, from Network Service to a Domain account. Soon after recycling the App Pool, we started seeing some issues.
As soon as we started the App Pool, the following warning was logged in the System section of Event Viewer:
| Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 1021
Date: 6/22/2009
Time: 11:16:26 PM
User: N/A
Computer: <ComputerName>
Description:
The identity of application pool, 'MyAppPool' is invalid. If it remains invalid when the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 69 05 07 80 i.. |
And when the Web Application which was using this App Pool was accessed, the App Pool stopped, logging these warnings/errors in Event Viewer:
| Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 1057
Date: 6/22/2009
Time: 11:16:39 PM
User: N/A
Computer: <ComputerName>
Description:
The identity of application pool 'MyAppPool' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. |
| Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1059
Date: 6/22/2009
Time: 11:16:39 PM
User: N/A
Computer: <ComputerName>
Description:
A failure was encountered while launching the process serving application pool 'MyAppPool'. The application pool has been disabled. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. |
So, here’s what you need to do if you are switching the identity of IIS App Pool to run under a Domain Account, Unless you love seeing the errors above :)
1. Add the Domain Account to the IIS_WPG group on the Machine running IIS.
(This group is the worker Process group which contains the Accounts, allowed to run the IIS worker process.)
2. Goto Start> Run and type secpol.msc . Hit OK. The Local Security Settings console will open up. Under Security Settings, expand Local Policies and Click User Rights Assignment. Double click Log on as a service in the right pane. Add the domain account if not already listed. Click OK and exit the console.
(It enabled the Domain account to register a process as a service.)
You are all set to run your web application now :)
