Using application pool identity results in exceptions and event logs

2

I recently switched my applications from using ASP.NET impersonation to actually specifying the identity in the application pool. The reason for this was to make future use of async easier so the threads run as my service account.

Since making the change the site has been experiencing some issues. Since the day I made the change, I have been seeing these event logs show up much more often (they used to appear 2-3 times per day; now it's 8-10 times per day):

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
3 user registry handles leaked from \Registry\User\S-1-5-21-1695807550-3099950144-3292890465-4346:
Process 3840 (\Device\HarddiskVolume2\Windows\System32\inetsrv\w3wp.exe) has opened key \REGISTRY\USER\S-1-5-21-1695807550-3099950144-3292890465-4346
Process 3840 (\Device\HarddiskVolume2\Windows\System32\inetsrv\w3wp.exe) has opened key \REGISTRY\USER\S-1-5-21-1695807550-3099950144-3292890465-4346\Control Panel\International
Process 3840 (\Device\HarddiskVolume2\Windows\System32\inetsrv\w3wp.exe) has opened key \REGISTRY\USER\S-1-5-21-1695807550-3099950144-3292890465-4346\Software\Microsoft\Windows\CurrentVersion\Explorer

I am also getting (seemingly at random) an error when talking to active directory:

System.Runtime.InteropServices.COMException (0x80005000): Unknown error (0x80005000)
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)

The last error that I'm seeing since making the change (although it seems to occur less often):

System.Runtime.InteropServices.COMException (0x800703FA): Illegal operation attempted on a registry key that has been marked for deletion.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)

Once I reset the application pool the issue goes away. Unfortunately it seems to keep coming back after a day or two.

Does anyone have an idea of what's at play here? I could go back to using impersonation since this never occurred until I switched the application pool identity to be a specific user. My Google-fu didn't give me any answers today.

c#
asp.net-mvc
iis
active-directory
iis-7.5
asked on Stack Overflow Feb 21, 2014 by Justin Helgerson • edited Feb 21, 2014 by Justin Helgerson

2 Answers

4

I wasn't able to find the root cause of the issue. However, it seems as though using the same identity for multiple application pools can cause some issues if underlying code relies on resources that belong to that identity.

Changing the application pool setting Load User Profile to True fixed the issue and the event log entries stopped occurring.

answered on Stack Overflow Feb 28, 2014 by Justin Helgerson
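As an added example (not code from the question or the answers), the accepted fix applied programmatically: setting Load User Profile on the pool through Microsoft.Web.Administration, the managed API behind IIS Manager. The pool name "MyAppPool" is a placeholder, and the program must run elevated on the IIS 7.5 host.

```csharp
// Added example: enable Load User Profile on an IIS application pool.
// Assumes Microsoft.Web.Administration.dll (shipped with IIS 7+) is referenced
// and that the process runs with administrative rights on the web server.
using System;
using Microsoft.Web.Administration;

static class AppPoolProfileFix
{
    // Returns true when the setting was changed, false when it was already True.
    static bool EnableLoadUserProfile(string poolName)
    {
        using (var serverManager = new ServerManager())
        {
            ApplicationPool pool = serverManager.ApplicationPools[poolName];
            if (pool == null)
                throw new ArgumentException("No application pool named " + poolName);

            // With a custom identity and Load User Profile = False, w3wp.exe runs
            // without that account's profile loaded for the pool. Loading the profile
            // keeps the user hive loaded for the worker process's lifetime instead of
            // letting it be unloaded while w3wp.exe still holds handles into it, which
            // is what the "registry handles leaked" event describes.
            if (pool.ProcessModel.LoadUserProfile)
                return false;

            pool.ProcessModel.LoadUserProfile = true;
            serverManager.CommitChanges();   // persists to applicationHost.config
            return true;
        }
    }

    static void Main(string[] args)
    {
        string pool = args.Length > 0 ? args[0] : "MyAppPool";   // placeholder name
        Console.WriteLine(EnableLoadUserProfile(pool)
            ? "Load User Profile enabled for " + pool + "; recycle the pool to apply."
            : "Load User Profile was already enabled for " + pool);
    }
}
```

The same setting is the processModel.loadUserProfile attribute of the pool in applicationHost.config, so a change made here is visible in IIS Manager under the pool's Advanced Settings.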
3

I'm going to take a stab at this and say that you are probably not cleaning up resources properly. Microsoft.Win32.RegistryKey objects and System.DirectoryServices.AccountManagement.PrincipalContext are both IDisposable and must be disposed of when not in use anymore.

It's possible those resources may have been getting cleaned up when users' sessions timed out before the change, and they aren't anymore since you switched off impersonation.

answered on Stack Overflow Feb 21, 2014 by Steve Danner
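An added example, not code from the answer, showing the disposal point with the same UserPrincipal.FindByIdentity(PrincipalContext, IdentityType, String) call that appears in the question's stack traces: the leaky form beside the corrected one. The domain name and account passed in are placeholders.

```csharp
// Added example: releasing the unmanaged resources behind PrincipalContext and
// UserPrincipal deterministically instead of leaving them to the finalizer.
using System;
using System.DirectoryServices.AccountManagement;

static class DirectoryLookup
{
    // Leaky pattern: neither object is disposed, so the ADSI COM objects and the
    // handles they own stay alive in w3wp.exe until a finalizer eventually runs.
    static string DisplayNameLeaky(string domain, string samAccountName)
    {
        var ctx = new PrincipalContext(ContextType.Domain, domain);
        var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName);
        return user == null ? null : user.DisplayName;
    }

    // Corrected pattern: both objects are IDisposable. The principal is disposed
    // first, then the context that created it; a null lookup result is handled
    // because a using block skips Dispose on a null reference.
    static string DisplayName(string domain, string samAccountName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            return user == null ? null : user.DisplayName;
        }
    }

    static void Main()
    {
        // Placeholder domain and account; replace with real values when running.
        string name = DisplayName("corp.example", "jdoe");
        Console.WriteLine(name ?? "account not found");
    }
}
```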

User contributions licensed under CC BY-SA 3.0