IIS Custom AD account for app pool and 500 for most static content

1

I just tried this morning to switch an old ASP.NET site's app pool to one that use an AD account for SQL access, upon doing so most of the static content on the site was unavailable (i.e. some images and the CSS file) with a nice 500.

After activating failed request tracing, the errors turned out to be all :

Either a required impersonation level was not provided, or the provided impersonation 
level is invalid. (0x80070542) 

A bit of googling (mostly this question) and lo and behold, turns out my AD account needs a specific policy : Impersonate a client after authentication

Now generally I wouldn't have any trouble sacrificing an intern and chant to summon the AD admins for assistance, but right now I'm trying to understand why this wasn't an issue before.

I used this particular app pool for an other application (an ASP .NET MVC 4 one) and it didn't cause any issue, every content was served properly.

So my questions are rather simple :

  • Is the missing policy the likely cause of the errors ? (I can't test it myself, I need a grownup admin and the request is going to take some time)
  • Why didn't I encounter the error before on the first application ? As far as I can tell there is no difference in serving static content between webforms and MVC.
active-directory
iis
application-pools
asked on Server Fault Sep 8, 2014 by Simon Rapilly • edited Apr 13, 2017 by Community

1 Answer

0

Well to answer, yes Impersonate a client after authentication was needed but not only that. In the particular context of my company most of rights set by IIS were blocked by global group policies and a new local gpo was needed on the servers we use.

For more information on the right required by IIS for its app pool users I recommend this

answered on Server Fault Oct 21, 2014 by Simon Rapilly

User contributions licensed under CC BY-SA 3.0