Iis – On app pool recycle user sessions are lost if application pool identity is set to ‘custom account’ but not when it is set to ApplicationPoolIdentity

application-poolsasp.net-mvciisiis-8.5

On IIS 8.5 we have an web application running with application pool's identity set to ApplicationPoolIdentity.

When we switch to Custom account instead of the ApplicationPoolIdentity then web application's user session is lost at random and also on app pool recycle.

But everything is ok with the ApplicationPoolIdentity.

Any idea what is the issue with Custom account which is using a windows user account that has IIS_IUSRS permission.

All we need is to have the Custom account identity to behave the same way as the ApplicationPoolIdentity for the session state. Everything else is ok.

Update 1:

  • We are using InProc Session State Mode as we have not defined the value for the mode property in the web.config file and InProc is the default value
  • Same IIS web application retains sessions after a manual/auto app pool recycle for all users in case of ApplicationPoolIdentity. Good/bad is not the question here but here is the reason how that my happen: https://stackoverflow.com/a/4089977/218408
  • Permanently stopping the app pool recycling is not an option for us

Best Answer

First, to correct a misconception, you're meant to lose state on an App Pool Recycle, unless you've moved state information out of process (for example, by using ASP.Net Session State Server, or a database, or a scheme involving persistent cookes). So unless the app has been designed to cope gracefully with recycling - and they're not by default - you might find that your initial assumption isn't right. See also this answer.

That said - I think the key clue here might be that it sounds like you randomly lose state while the app is running as a custom user without recycling (or apparently without recycling).

Possible things going on here:

  • The app's crashing for some reason (causing a full App Pool recycle - this'd show up in the Event Logs)
  • The AppDomain is recycling for some reason (this won't show up in the event logs, but you can attach logging which'll tell you when this happens)
  • The user's somehow causing one of the above to occur

It's possible the presence of the user causes - for example - antivirus software or another organizational security control to start doing things to the machine (or scan the website files), if it's not simply the app behaving differently and crashing due to something it can't do when not run as a NetworkService-derived user.

So, I'd check:

  • For evidence of App Pool recycling
  • For evidence of AppDomain recycling
  • The Application and System logs for evidence of the app having a problem around the time of the session state loss
  • Whether it's the particular user, or any user
  • Whether it can be reproduced with a debugger (or set ShutdownActionExe to dump the process on shutdown, and take a look at what happened in the memory dump).
Related Topic