7

I have a website in IIS 6.0 using an application pool with a custom service account. When I browse the website, I get an error "service unavailable" and the error in event log says

The identity of application pool 'SampleAppPool' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled.

I think the utility "Aspnet_regiis" can be used to grant access to an account to IIS metabase according to this article, but is that the right way to fix this issue? Because this utility is used for multiple things and may do more than just granting the permissions to the account, or should I just add the account manually to IIS_WPG group?

Nikola K.
RKP

4 Answers

12

When I see this in IIS 6 and the user has a custom app pool identity, the problem typically originates in the entry of credentials in the app pool properties. So there are generally two origins for the issue.

One is a simple typo in the credentials. Unfortunately, the form validation is not very good in IIS 6, so I often will have users change the identity of the app pool, then immediately check that the credentials "took" and/or check the System event log for W3SVC and related errors.

The second specific cause I see in this scenario is that when people enter an Active Directory user, they sometimes forget to add the domain name (e.g. DOMAIN\Username). Which leads me to the next point: IIS_WPG is the builtin local group which grants members the required ACLs to run as an app pool identity. `aspnet_regiis.exe -ga` grants the same thing to users, but IMO it is best suited for use when the IIS_WPG group is not an option. Also, a dedicated app pool user account is generally a good idea. If the AD user password is changed, you'll bring your app to its knees until you again re-enter the credentials in the IIS Manager.

Edit: I added some para breaks to make this chunk more readable.

Luke Puplett
unhappyCrackers1
  • Thanks. It's an intranet site and uses Windows authentication, and the application pool identity is not some user account; it is an AD service account dedicated to this application. The password is correct. I am not clear what solution you are suggesting other than aspnet_regiis in this case. The utility does seem to solve the issue, but I wasn't sure if that should be done whenever we use a custom account instead of the default Network Service account, and whether it is safe to run this utility in production environments. – RKP Jan 28 '11 at 17:13
  • If the account you want to use for the app pool is an Active Directory user then I would just use the `aspnet_regiis.exe -ga DOMAIN\USERNAME` to grant the privileges. If you are using a local user then it is easier to just add the user to the group. The problem that sometimes arises with the IIS_WPG group is if the web server is a DC (In which case there are no local groups and Network Service and other builtins don't work properly) or for some other reason the builtin group IIS_WPG is not an appropriate option. The utility is "safe" to run in production environments IME. – unhappyCrackers1 Jan 28 '11 at 17:19
  • The Network Service account is a least privileged built-in account. The safe approach is to create a custom user for the app pool, but this is usually only needed for inter-process authentication. Meaning that some apps don't need a custom app pool identity. BTW, an unsafe approach is to elevate Network Service. This is a good approach in a demo or test environment when a quick config is a top priority. – unhappyCrackers1 Jan 28 '11 at 17:21
  • Inter-process authentication is probably a bad word choice, but what I mean specifically is that tasks such as writing to the file system are usually going to require more permissions than the builtin Network Service account has, and for that reason one should consider the custom app pool approach. Here is a very informative link on understanding the internals of IIS6 and ASP.NET: http://dotnetslackers.com/articles/iis/ASPNETInternalsIISAndTheProcessModel.aspx – unhappyCrackers1 Jan 28 '11 at 17:44
  • Yes, we need a custom account to read data from and write to the database from the app and to the filesystem, and the Network Service account will not have those privileges. Almost every app will require some form of data access, so I'm not sure when the Network Service account would be useful. Thanks for your comments. – RKP Jan 31 '11 at 10:13
  • Check also that the correct asp.net version is associated with the site. – JohnLBevan Jun 03 '15 at 14:11
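
The checks discussed in the answer and comments above, collected as an added example (not code from the original posts): a read-only batch script for the IIS 6 server that looks for a missing domain prefix, confirms which identity the metabase actually stores for the pool, and checks direct IIS_WPG membership. The script name, the default `adsutil.vbs` location and the .NET 2.0 framework directory are assumptions; the account is passed as the first argument.

```bat
@echo off
rem Added example, not from the original posts. Read-only: it changes nothing
rem and only prints the grant commands suggested in the thread.
rem Usage: check-apppool.cmd DOMAIN\Username   (script name is hypothetical)
setlocal
set "POOL=SampleAppPool"
set "ACCOUNT=%~1"
rem Assumption: default IIS 6 AdminScripts location.
set "ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs"
rem Assumption: .NET 2.0 is the framework version in use on this server.
set "REGIIS=%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"

if "%ACCOUNT%"=="" (
  echo Usage: %~nx0 DOMAIN\Username
  exit /b 2
)

rem 1. Domain accounts must be entered as DOMAIN\Username.
if "%ACCOUNT:\=%"=="%ACCOUNT%" echo [!] No DOMAIN\ prefix; fine only for a local account.

rem 2. Confirm the metabase really stores this identity, since the form does not
rem    validate it. AppPoolIdentityType 3 means a specific user account.
cscript //nologo "%ADSUTIL%" get W3SVC/AppPools/%POOL%/AppPoolIdentityType
cscript //nologo "%ADSUTIL%" get W3SVC/AppPools/%POOL%/WamUserName | findstr /i /l /c:"%ACCOUNT%" >nul
if errorlevel 1 (
  echo [!] %POOL% is not configured to run as %ACCOUNT%. Re-enter the identity.
) else (
  echo [ok] %POOL% stores %ACCOUNT% as its identity.
)

rem 3. Direct membership of the local IIS_WPG group (substring match on the
rem    listing). Membership through a nested domain group is not visible here.
net localgroup IIS_WPG | findstr /i /l /c:"%ACCOUNT%" >nul
if errorlevel 1 (
  echo [!] %ACCOUNT% is not a direct member of IIS_WPG. Options from the thread:
  echo     net localgroup IIS_WPG "%ACCOUNT%" /add
  echo     "%REGIIS%" -ga %ACCOUNT%
) else (
  echo [ok] %ACCOUNT% is a member of IIS_WPG.
)
endlocal
```

The script cannot tell whether the stored password is correct; for that, the W3SVC entries in the System event log remain the indicator.
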
2

I had this same problem and I resolved it by starting the application pool. Ours was stopped even though IIS was running.

Rob Jefferies
1

"The identity of application pool 'SampleAppPool' is invalid..."

Every time I have had that error, it was because the user name and password were not correctly entered in the application pool. This also happens when you import the pool settings from another server. Re-entering the password in the application pool identity configuration has always solved the problem.

Once you get that right, you will probably meet the second problem you are describing, but that's an unrelated issue. It can be fixed as you describe, or even by manually granting the required access permissions to the application pool identity.

0

If you are connecting to a remote machine using one or more remote access tools, take note: your keyboard mappings may be getting screwed up somewhere along the way!

In my case, I tried typing out certain letters of the password in a plain text editor on the remote machine (not necessarily in the same order, to retain security). When attempting to type the dollar character, I found that if I used the left shift key I got a "$" but if I used the right shift key I got a "4".

Once I had that figured out, I could enter the correct password for the Application Pool Identity. (Note: when filling out the identity section, IIS does not validate the password you enter against the user identity, only that the two passwords you enter match each other).

wardies