Running IIS6 App Pools under a Domain account Identity
Recently we changed the Identity of an App Pool in IIS 6, from Network Service to a Domain account. Soon after recycling the App Pool, we started seeing some issues.
As soon as we started the App Pool, the following warning was logged in the System section of Event Viewer:
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 1021
Date: 6/22/2009
Time: 11:16:26 PM
User: N/A
Computer: <ComputerName>
Description: The identity of application pool, 'MyAppPool' is invalid. If it remains invalid when the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number. For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 69 05 07 80 i..
And when the Web Application which was using this App Pool was accessed, the App Pool stopped, logging these warnings/errors in Event Viewer:
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 1057
Date: 6/22/2009
Time: 11:16:39 PM
User: N/A
Computer: <ComputerName>
Description: The identity of application pool 'MyAppPool' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled. For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1059
Date: 6/22/2009
Time: 11:16:39 PM
User: N/A
Computer: <ComputerName>
Description: A failure was encountered while launching the process serving application pool 'MyAppPool'. The application pool has been disabled. For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
So, here’s what you need to do if you are switching the identity of an IIS App Pool to run under a Domain account, unless you love seeing the errors above :)
1. Add the Domain account to the IIS_WPG group on the machine running IIS.
(This group is the worker process group, which contains the accounts allowed to run the IIS worker process.)
2. Go to Start > Run, type secpol.msc and hit OK. The Local Security Settings console will open. Under Security Settings, expand Local Policies and click User Rights Assignment. Double-click Log on as a service in the right pane. Add the domain account if it is not already listed. Click OK and exit the console.
(This enables the Domain account to register a process as a service.)
You are all set to run your web application now :)
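The Data field of Event ID 1021 holds the error number as a little-endian DWORD, and the bytes shown above (69 05 07 80) decode to HRESULT 0x80070569, Win32 error 1385, which points at a logon right that has not been granted rather than a wrong password. The Python code below is an added example, not part of the original post, that parses the Data dump and decodes it; the function names, the sample string and the short error table are assumptions made for illustration.

```python
import re
import struct

# Constructed sample: the Data field of Event ID 1021 as Event Viewer prints it.
EVENT_DATA = "0000: 69 05 07 80   i.."

FACILITY_WIN32 = 7
# Subset of winerror.h codes relevant to account logon (illustrative, not exhaustive).
LOGON_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    1326: "ERROR_LOGON_FAILURE (unknown user name or bad password)",
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1385: "ERROR_LOGON_TYPE_NOT_GRANTED (logon right not granted on this computer)",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}

def parse_event_data(dump):
    """Return the raw bytes from 'OFFSET: hh hh ...  ascii' dump lines."""
    raw = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*[0-9A-Fa-f]{4}:\s*(.*)", line)
        if not m:
            continue
        for tok in m.group(1).split()[:8]:  # Event Viewer shows 8 bytes per line
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # reached the ASCII column
            raw.append(int(tok, 16))
    return bytes(raw)

def decode_hresult(raw):
    """Split the first DWORD (little-endian) into HRESULT fields."""
    if len(raw) < 4:
        raise ValueError("Data field is shorter than one DWORD")
    (hr,) = struct.unpack_from("<I", raw)
    return {"hresult": "0x%08X" % hr, "failure": bool(hr >> 31),
            "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}

def explain(dump):
    """Decode a Data dump and attach a meaning for Win32 logon errors."""
    info = decode_hresult(parse_event_data(dump))
    if info["facility"] == FACILITY_WIN32:
        info["meaning"] = LOGON_ERRORS.get(
            info["code"], "Win32 error %d (look up in winerror.h)" % info["code"])
    else:
        info["meaning"] = "facility %d, not a Win32 error" % info["facility"]
    return info

if __name__ == "__main__":
    print(explain(EVENT_DATA))
```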
Comments
Anonymous
May 18, 2011
After doing what's written here I can't start the service and got error: Error 5: access is denied
Anonymous
May 18, 2011
Hi Maor, Can you list the version of IIS and OS you are using? Also, can you check the Event Viewer for detailed log? Thanks, Sidharth
Anonymous
September 19, 2011
Many thanks :)
Anonymous
January 20, 2012
Also need to add user to IIS_WPG group
Anonymous
January 29, 2012
Thanks for the to-the-point resolution!
Anonymous
March 07, 2012
Thanks a lot!! Great help!!
Anonymous
February 11, 2013
I have the same issue, and the solution above didn't solve it for me. I have the account in IIS_WPG, I have run the aspnet_regiis -ga Domain/User command, I have verified the password is correct, I verified that the permissions on the folder are correct. I have verified the local policies are correct. Nothing has solved our problems...
Anonymous
November 14, 2013
Worked like a charm. Thanks!
Anonymous
November 14, 2013
Glad that it helped you
Anonymous
February 19, 2014
After doing these steps, I got error service unavailable. Anyone help?