500 Error when using custom account for application pool in IIS 7

application-poolsiis-7

I have a very simple site with only static files in IIS 7 on Windows Server 2008 SP2.

When I try to access any static file I get a 500 error. If I rename an html file to have an aspx extension it works fine.

The site also works fine when using the built in identity for the application pool. The problem occurs when I switch to using a custom account for the application pool. I have tried using both local and domain accounts to run the application pool under.

I have given full control to these accounts on the website directory and files.

Turning on tracing reveals this error message:
ModuleName: IIS Web Core
Notification: 2
HttpStatus: 500
HttpReason: Internal Server Error
HttpSubStatus: 0
ErrorCode: 2147943746
ConfigExceptionInfo
Notification: AUTHENTICATE_REQUEST
ErrorCode: Either a required impersonation level was not provided, or the provided impersonation level is invalid. (0x80070542)

I have not had any luck with googling the error code.

Best Answer

Prolem Solved: The IIS_IUSRS group was missing from the "impersonate a client after authentication" in the local security policy.

Related Solutions

IIS application pool timeout causes crash in Vista

The error code in your app log (0xc0000374) is a heap corruption error. You could debug this further with a crash dump, but that is kind of a pain. You mentioned you were using an ISAPI DLL, so I would look for an updated version of that DLL that specifically supports IIS7.

How to assign permissions to ApplicationPoolIdentity account

Update: The original question was for Windows Server 2008, but the solution is easier for Windows Server 2008 R2 and Windows Server 2012 (and Windows 7 and 8). You can add the user through the NTFS UI by typing it in directly. The name is in the format of IIS APPPOOL\{app pool name}. For example: IIS APPPOOL\DefaultAppPool.

IIS APPPOOL\{app pool name}

Note: Per comments below, there are two things to be aware of:

Enter the string directly into the "Select User or Group" and not in the search field.
In a domain environment you need to set the Location to your local computer first.

Reference to Microsoft Docs article: Application Pool Identities > Securing Resources

Original response: (for Windows Server 2008) This is a great feature, but as you mentioned it's not fully implemented yet. You can add the app pool identity from the command prompt with something like icacls, then you can manage it from the GUI. For example, run something like this from the command prompt:

icacls c:\inetpub\wwwroot /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)

Then, in Windows Explorer, go to the wwwroot folder and edit the security permissions. You will see what looks like a group (the group icon) called DefaultAppPool. You can now edit the permissions.

However, you don't need to use this at all. It's a bonus that you can use if you want. You can use the old way of creating a custom user per app pool and assigning the custom user to disk. That has full UI support.

This SID injection method is nice because it allows you to use a single user but fully isolate each site from each other without having to create unique users for each app pool. Pretty impressive, and it will be even better with UI support.

Note: If you are unable to find the application pool user, check to see if the Windows service called Application Host Helper Service is running. It's the service that maps application pool users to Windows accounts.

Best Answer

Related Solutions

IIS application pool timeout causes crash in Vista

How to assign permissions to ApplicationPoolIdentity account

Related Topic