I have been searching through the site and probably missed something similar to this here.
I am in the process of setting up our first server 2016 systems and hosting applications on it. The old server that it is replacing is 2008 R2.
I have 35+ applications hosted via IIS on the server. 1 single application is going to cause me to lose the remaining bits of sanity.
In my configuration, I have a separate IIS Application Pool for each site/app that I configure, each run with a service account that has limited permissions.
In addition to this, we also set the physical path credentials of the site/app to the service account that is different than what IIS runs as.
i.e.: Application Pool is called Scorecards. This has the identity of DOMAIN\svc.scorecards.Environment. The Application is named scorecards, and is set to have the physical path credentials of DOMAIN\svc.scorecards.Environment.
Right now when I attempt to access the site locally on the server, at https://localhost/scorecards, I get a 500 error.
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in File Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))]
System.BootCoordinator`1.Initialize() +0
Domain.Scorecard.Entities.ScorecardsEF.Initialize() +40
Scorecards.Web.MvcApplication.Application_Start() +15
[HttpException (0x80004005): Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))]
System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode(HttpContext context, HttpApplication app) +531
System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +166
System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +165
System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +368
System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +329
[HttpException (0x80004005): Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))]
System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +523
System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +118
System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +704
I have validated permissions and gone through the web.config, granting perms to everything it needs in there. I have made sure that the APP in IIS is set to use Windows Auth with NTLM Provider, and all other authentication disabled.
I have ensured that the service account has permissions to the ASP.NET temp space:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet_regiis.exe -ga domain\user
I have performed ProcMons looking at all access from the IIS service, the service account, etc to try to find related ACCESS DENIED messages and found nothing. I have also enabled Trace Logging to try to narrow down where the access denied is coming from. This provided me with
authenticationType="NOT_AVAILABLE"
I have gone through and tried the steps in : https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
I have made sure that in local security policy, the account has permissions to Log on as a service, and impersonate a client after authentication.
Now to reiterate. My site is running with the Physical path credentials of DOMAIN\Svc.scorecards.Environment. My Application pool is running with Identity of DOMAIN\Svc.scorecards.Environment.
With this setup I get the 500 error message I posted above.
If I remove only the site/application's physical path credentials and set it to pass through, it works fine.
That's not what we want to do here, so I'm at a bit of a loss. Anyone else seen anything like this?
I do get an event in Event Viewer,
Event code: 4011
Event message: An unhandled access exception has occurred.
Event time: 9/7/2018 2:55:13 PM
Event time (UTC): 9/7/2018 7:55:13 PM
Event ID: 7157def29c7c42d08062a4ef3aac2997
Event sequence: 2
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/scorecards-1-131808237102505726
Trust level: Full Application
Virtual Path: /scorecards
Application Path: D:\WebSites\scorecards\
Machine name: SERVER2
Process information:
Process ID: 7544
Process name: w3wp.exe
Account name: DOMAIN\svc.scorecards.environment
Request information:
Request URL: https://localhost:443/scorecards
Request path: /scorecards
User host address: ::1
User:
Is authenticated: False
Authentication Type:
Thread account name: DOMAIN\svc.scorecards.environment
Custom event details:
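As an added diagnostic (not from the original post or the asker), this PowerShell script reads the application pool identity and the physical path credentials through Microsoft.Web.Administration and lists the explicit ACEs those accounts hold on the content root and the ASP.NET temp folder, so the two identities described above can be compared against the disk permissions in one place. The site name "Default Web Site" and the application path /scorecards are assumptions.

```powershell
# Added diagnostic, not from the original post. Assumes the app is /scorecards
# under "Default Web Site"; adjust $SiteName / $AppPath to match your server.
param(
    [string]$SiteName = 'Default Web Site',
    [string]$AppPath  = '/scorecards'
)
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"
$mgr  = New-Object Microsoft.Web.Administration.ServerManager
$site = $mgr.Sites[$SiteName]
if (-not $site) { throw "Site '$SiteName' not found" }
$app  = $site.Applications[$AppPath]
if (-not $app)  { throw "Application '$AppPath' not found in '$SiteName'" }
$pool = $mgr.ApplicationPools[$app.ApplicationPoolName]
$vdir = $app.VirtualDirectories['/']

# Two identities can touch the disk: the worker process (app pool identity)
# and, when set, the physical path credentials IIS impersonates for content.
$poolUser = if ($pool.ProcessModel.UserName) { $pool.ProcessModel.UserName }
            else { "(built-in) $($pool.ProcessModel.IdentityType)" }
$vdirUser = if ($vdir.UserName) { $vdir.UserName } else { '(pass-through)' }

"App pool identity        : $poolUser"
"Physical path credentials: $vdirUser (logon method: $($vdir.LogonMethod))"
"Physical path            : $($vdir.PhysicalPath)"

# Folders the identity must reach: the content root and the ASP.NET temp space
# that Aspnet_regiis -ga grants access to.
$paths = @(
    [Environment]::ExpandEnvironmentVariables($vdir.PhysicalPath),
    "$env:windir\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files"
)
$accounts = @($poolUser, $vdirUser) | Where-Object { $_ -notmatch '^\(' } | Select-Object -Unique
foreach ($acct in $accounts) {
    foreach ($p in $paths) {
        # Only explicit ACEs naming the account are listed; rights inherited
        # through group membership will not show up here.
        $rules = (Get-Acl -Path $p).Access |
                 Where-Object { $_.IdentityReference.Value -ieq $acct }
        if (-not $rules) {
            "MISSING: no explicit ACE for $acct on $p (check group membership too)"
        } else {
            $rules | ForEach-Object {
                "{0,-5} {1} on {2}: {3}" -f $_.AccessControlType, $acct, $p, $_.FileSystemRights
            }
        }
    }
}
```

Run it in an elevated PowerShell on the IIS host; the output shows whether the pool identity and the connect-as account are the same principal and which of the two folders lacks an explicit entry for it.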