Changing IIS application pool identity from built-in account to custom account causes 503 error

1

I have an intranet web application developed using C# and .NET and it is hosted on our own internal webserver running IIS 8.5.

I have set up the application pool to use the built-in account ApplicationPoolIdentity, and this works fine.

However, I need the application to be able to browse a network drive, so I have changed the application pool to use a custom account that has access to the network drive. I know it has access, as I am using my login details here.

But when I browse to the website I get the following error:

Service Unavailable

HTTP Error 503. The service is unavailable.

When I recycle the application pool with these new settings I get the following error:

There was an error while performing this operation Details The object identifier does not represent a valid object. (Exception from HRESULT: 0x800710D8)

I have also tried using the server admin account but I get the same error messages.

Thanks

Edit

The following message is in the event log

The identity of application pool TestApplicationPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

c#
asp.net
.net
iis
application-pool
asked on Stack Overflow Feb 13, 2017 by Simon • edited Feb 14, 2017 by Simon

3 Answers

0

Try granting the user account permissions to access the required asp files and folders, from a command prompt:

aspnet_regiis -ga "Domain\SomeAccount"

https://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.100).aspx

Also allow the account to log on as a service:

Start -> Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Log on as a service

Also add the account to the IIS_WPG group:

In the Computer Management screen, under System Tools, expand Local Users and Groups, and then click Groups.

Right-click the IIS_WPG group, and then click Add to Group.

In the IIS_WPG Properties dialog box, click Add.

https://msdn.microsoft.com/en-us/library/aa544832(v=cs.70).aspx

answered on Stack Overflow Feb 14, 2017 by GJKH • edited Feb 14, 2017 by GJKH
0

The group is called IIS_IUSRS in newer versions of IIS.

You may also need the following:

  • Access this computer from the network
  • Adjust memory quotas for a process
  • Allow log on locally
  • Bypass traverse checking
  • Generate security audit details
  • Impersonate a client after authentication
  • Log on as a batch job
  • Log on as a service
  • Replace a process level token
answered on Stack Overflow Sep 24, 2019 by George X • edited Sep 24, 2019 by Giulio Caccin
0

Don't forget to remove the custom account from the "Guests" group in Local Users and Groups.

answered on Stack Overflow May 5, 2021 by Christian Vos
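
Rather than granting every right listed above, the account can be checked against the specific conditions the event-log message and the answers name. The script below is an added example, not code from the question or any answer: it reports whether the identity holds the batch and service logon rights and whether it sits in IIS_IUSRS or Guests. `DOMAIN\SomeAccount` is a placeholder, English group names are assumed, and only the account itself and those two groups are considered (rights inherited through other groups are not expanded).

```powershell
# Added example. Run elevated; needs the LocalAccounts module (Windows PowerShell 5.1).
param([string]$Account = 'DOMAIN\SomeAccount')   # placeholder: the custom pool identity

function ConvertTo-Sid([string]$Entry) {
    # secedit writes "*S-1-5-..." for SIDs and a bare name for some local accounts
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        (New-Object System.Security.Principal.NTAccount($Entry)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # unresolvable name: treated as no match
}

$accountSid = ConvertTo-Sid $Account
if (-not $accountSid) { throw "Cannot resolve account '$Account'" }

# Direct membership in the two local groups the answers mention
$groups = foreach ($g in 'IIS_IUSRS', 'Guests') {
    $members = @(Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Group  = $g
        Sid    = ConvertTo-Sid $g
        Member = [bool]($members | Where-Object { $_.SID.Value -eq $accountSid })
    }
}

# Export only the user-rights section of the local security policy
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

# A right counts as held if it lists the account itself or one of those groups
$held = @($accountSid) + @($groups | Where-Object Member | ForEach-Object Sid)
$rights = foreach ($r in 'SeBatchLogonRight', 'SeServiceLogonRight', 'SeDenyBatchLogonRight') {
    $line = $policy | Where-Object { $_ -match "^$r\s*=" } | Select-Object -First 1
    $sids = @()
    if ($line) {
        $sids = @(($line -split '=', 2)[1].Split(',') | ForEach-Object { ConvertTo-Sid ($_.Trim()) })
    }
    [pscustomobject]@{ Right = $r; Held = [bool]($sids | Where-Object { $held -contains $_ }) }
}

$groups | Format-Table Group, Member -AutoSize
$rights | Format-Table Right, Held -AutoSize
```

A `Held` value of `True` for `SeDenyBatchLogonRight` means a deny entry is overriding any grant. As the event-log text states, once a missing right has been granted the identity must be set again in the IIS configuration store before WAS retries the logon.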

User contributions licensed under CC BY-SA 3.0