I just tried this morning to switch an old ASP.NET site's app pool to one that uses an AD account for SQL access. Upon doing so, most of the static content on the site was unavailable (i.e. some images and the CSS file) with a nice 500.
After activating failed request tracing, the errors all turned out to be:
Either a required impersonation level was not provided, or the provided impersonation
level is invalid. (0x80070542)
A bit of googling (mostly this question) and lo and behold, it turns out my AD account needs a specific policy: Impersonate a client after authentication
Now generally I wouldn't have any trouble sacrificing an intern and chanting to summon the AD admins for assistance, but right now I'm trying to understand why this wasn't an issue before.
I used this particular app pool for another application (an ASP.NET MVC 4 one) and it didn't cause any issue; all content was served properly.
So my questions are rather simple:
Well, to answer: yes, Impersonate a client after authentication was needed, but not only that. In the particular context of my company, most of the rights set by IIS were blocked by global group policies, and a new local GPO was needed on the servers we use.
For more information on the rights required by IIS for its app pool users, I recommend this
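As an added example (not part of the question or answer above, and not IIS's own tooling), here is a PowerShell check an administrator can run on the web server to see who is actually granted the "Impersonate a client after authentication" right (SeImpersonatePrivilege) in the effective local security policy, and whether a given app pool identity is among them. The account name is a placeholder; the script assumes it is run from an elevated prompt on the IIS server, since secedit needs that to export the policy.

```powershell
# Added example: report the holders of SeImpersonatePrivilege on this server
# and whether a specific account is listed. Not from the original post.
# Assumes: elevated PowerShell on the IIS server; account name is a placeholder.
param(
    [string]$Account = 'CONTOSO\svc-apppool'   # placeholder: replace with the app pool identity
)

# secedit lists principals as *SID, so resolve the account name to its SID first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local policy to a temp .inf file.
# Domain GPO settings are merged into the local security database, so this reflects
# what is in force, not just what was set locally.
$inf = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The line of interest looks like:
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
$line = Select-String -Path $inf -Pattern '^SeImpersonatePrivilege\s*=' | Select-Object -First 1
if (-not $line) {
    Write-Warning 'SeImpersonatePrivilege is not in the export: policy grants it to nobody on this host.'
    Remove-Item $inf -ErrorAction SilentlyContinue
    return
}

# Split the right-hand side into individual SIDs, dropping the leading '*'.
$holders = ($line.Line -split '=', 2)[1].Trim() -split ',' |
           ForEach-Object { $_.Trim().TrimStart('*') } |
           Where-Object { $_ }

# Translate each SID back to a readable name; keep the raw SID if it cannot be resolved.
$named = foreach ($h in $holders) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($h)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $h }
}
Write-Host "Holders of SeImpersonatePrivilege: $($named -join ', ')"

if ($holders -contains $sid) {
    Write-Host "$Account ($sid) is granted the right directly."
} else {
    # The account may still hold the right through a group it belongs to; this script
    # does not expand group membership, so treat 'not listed' as 'check further'.
    Write-Host "$Account ($sid) is NOT listed directly. Check its group memberships, and run"
    Write-Host "'gpresult /h report.html' to see which GPO sets this right on the server."
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

The useful part for the situation described above is the second branch: when the account is absent and the export shows only the built-in defaults, the right is being set (or reset) by policy rather than missing by accident, and the gpresult report tells you which GPO is winning, which is what determines whether a local GPO or a domain-side change is the right fix.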