When I start the application pool, and request a page in an application in that pool, I get a "HTTP Error 503. The service is unavailable."
If I look at the application pools in IIS, I can see that it has now stopped. Going to the event viewer I find this error message:
'The identity of application pool Badge.Web is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.'
I'm very sure the credentials I'm using is correct. Something else is causing the app pool to stop.
I had similar problem today when an application pool using Windows user identity X stopped working after password change for that user.
Apparently, some information linked to old credentials was stored in the system, and I solved the problem by:
switching app pool identity to NetworkService
switching it back to X using the new password
So far it's working fine.
I found an article saying
The fix is to ensure that the Service/AppPool accounts have the ‘Log on as a batch job’ and ‘Log on as a service’ user rights on the server. This right can be found in Local Security Policy > Computer Configuration > Windows Settings > Local Policies > User Rights Assignment. Either remove the conflicting Group Policy and fix the Local Policy or add the rights to the Group Policy.
http://waveformation.com/2009/06/08/event-5021-the-identity-of-application-pool-lsgroupexpapppool-is-invalid/
While there may be several reasons why this may occur, in this specific case, the 503 error was occurring because the Application pool failed to start. This was because the password was changed recently for the Identity under which the application pool was trying to run. Fix was to go to the IIS Manager-> Application Pool -> Advanced Settings -> Process Model -> Identity and set the password to the new one.
It would also help to check the Event Viewer Logs(Event Viewer (Local) -> Windows Logs -> Application to look for specific causes of failure before proceeding to troubleshoot any further.
My problem was solved by changing Application Pool Identity to NetworkService, going to Advanced Settings > Process Model > Identity > NetworkService with the desired Application Pool selected.
I had the same issue and my solution was: Manager -> Application Pool -> "Select the pool" -> Advanced Settings -> Process Model -> Identity -> NetworkService
Related
I have been through the mill trying to connect to LocalDB. I have been following a two-part article dealing with this issue on my development workstation. In article part two, I opted for the second option of creating a shared instance of LocalDB and get the following runtime error as YSOD:
Cannot open database "DTC" requested by the login. The login failed.
Login failed for user 'IIS APPPOOL\DTC'.
DTC is name of Web Forms application and name of application pool in IIS.
Following the steps in the article for creating the shared instance, I got as far as creating the SQL Server login for ApplicationPoolIdentity as follows:
create login [IIS APPPOOL\DTC v4.0] from windows;
exec sp_addsrvrolemember N'IIS APPPOOL\DTC v4.0', sysadmin
Then I get the following error when executing the query in SQL Server Object Explorer:
Msg 15401, Level 16, State 1, Line 1
Windows NT user or group 'IIS APPPOOL\DTC v4.0' not found. Check the name again.
Msg 15007, Level 16, State 1, Procedure sp_addsrvrolemember, Line 33
'IIS APPPOOL\DTC v4.0' is not a valid login or you do not have permission.
Am using VS2013 and SQL Server 2012 on Windows 8.1. Can't believe how difficult it is to set up LocalDB. What I'm actually trying to do is add Identity membership to existing Web Form application and am open to any suggestions...
IrishChieftain,
I don't recommend use LocalDB for this purpose. If you really want to have a lightweight database just to manage the membership, your best option is SQL Express.
LocalDB is intended to be used for development, not in production cases.
The simplest solution was to login under my Windows identity.
I am having some difficulty setting the permissions for the AppPoolIdentity correctly.
The error shown in the Failed Request Logs is:
ModuleName="IIS Web Core", Notification="BEGIN_REQUEST", HttpStatus="500", HttpReason="Internal Server Error", HttpSubStatus="0", ErrorCode="The I/O operation has been aborted because of either a thread exit or an application request.
(0x800703e3)", ConfigExceptionInfo=""
I believe this is a permissions issue because changing the AppPoolIdentity to LocalSystem for the Application Pool makes everything in the website work. When the AppPoolIdentity is set to ApplicationPoolIdentity the error shown above is what I receive. I have named the application pool identity using the following syntax:
IIS APPPOOL\<app_pool_name>
I have confirmed that:
I am using the correct app_pool_name when setting permissions. (Using check names when setting the permission works which means that Windows is finding the user.)
The wwwroot and the oracle client directory have permissions which allow the Application Pool identity to read and execute files.
Anonymous Authentication is enabled in IIS and is set to use the Application Pool Identity.
Do permissions need to be granted other directories that I have missed? Or is it some other problem that I am completely missing?
For some extra background I am using Windows Server 2008 R2 with IIS 7.5.
Thanks in advance!
EDIT:
I have done some tracing, thanks to the advice that Peter gave and found that I was missing some permissions. The permissions I was missing were:
Full Control to HKLM\SOFTWARE\Microsoft\SystemCertificates\
Full Control to
HKU{GUID}\Software\Policies\Microsoft\SystemCertificates\
Full Control to HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\
Read to HKLM\System\CurrentControlSet\services\eventlog\Security\
Full Control to C:\Windows\SysWOW64\config\systemprofile\AppData\
After modifying these permissions my application is now logging to the Windows Event Log with custom application errors. (Basically the custom application error is telling me that it was not able to establish a connection to the database.). Keep in mind if I run as LocalSystem and not the AppPoolIdentity user in IIS everything works. Using the Process Monitor again I found that the Oracle Client was logging to a sqlnet.log file. In this file it is showing:
Fatal NI connect error 12631, connecting to:
(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=[DB IP ADDRESS])(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=[SERVICE NAME])(CID=(PROGRAM=C:\Windows\SysWOW64\inetsrv\w3wp.exe)(HOST=[WEB APPLICATION SERVER NAME])(USER=[APP POOL IDENTITY USER]))))
VERSION INFORMATION:
TNS for 32-bit Windows: Version 11.2.0.1.0 - Production
Windows NT TCP/IP NT Protocol Adapter for 32-bit Windows: Version 11.2.0.1.0 - Production
Time: 21-JUL-2015 16:28:00
Tracing not turned on.
Tns error struct:
ns main err code: 12631
TNS-12631: Username retrieval failed
ns secondary err code: 0
nt main err code: 0
nt secondary err code: 0
nt OS err code: 0
Any idea on why it is using the AppPoolIdentity as the user it is trying to connect with?
I have finally solved this issue.
In the EDIT made above I added the necessary permissions which solved issue number one.
In order to get this working I modified my SQLNET.ora file to look as the following:
# sqlnet.ora Network Configuration File: E:\Oracle_client\product\11.2.0.1\client_x32\network\admin\sqlnet.ora
# Generated by Oracle configuration tools.
#SQLNET.AUTHENTICATION_SERVICES= (NONE, NTS)
SQLNET.AUTHENTICATION_SERVICES= (NONE)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
Note that the original SQLNET.AUTHENTICATION_SERVICES is now set to NONE only.
(I believe this change did not take affect immediately, but after a couple of minutes it did. Restarting the machine might be overkill, but sufficient).
I had also switched the AppPoolIdentity to LocalService and then back to AppPoolIdentity. After doing this it worked, but I don't think switching the AppPoolIdentity back-and-forth had any influence on getting it to work.
I have spent several days trying to get a "managed service account" set up on Windows Server 2012 for a .NET web app. Let's start with the error and work backwards.
I get the following events ever time I try to access a page on the web site where * is the name of my app pool:
Warning 5021 - The identity of application pool * is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
Warning 5057 - Application pool * has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.
Error 5059 - Application pool * has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.
~~~
While standing up a new server, I came across what appears to be an awesome feature which I had not used before:
http://technet.microsoft.com/en-us/library/dd548356%28v=ws.10%29.aspx
Since I am standing up a new app with a new database, this seemed like the perfect opportunity to take this for a drive!
I eventually figured out how to create the managed service account with the following power shell commands on a domain controller:
import-module activedirectory
new-ADServiceAccount -SAMACCOUNTname "SERVICE_ACCT$"
add-adComputerServiceAccount -Identity SERVER_NAME SERVICE_ACCT$
In the same powershell window, I can list services accounts for a given server with this powershell command:
get-ADComputerServiceAccount SERVER_NAME
And my managed service account is there! All good so far ...
I then had to modify our central group policy to include my service account for "Log on as batch job" and "Log on as service". These were under Polices\Windows Settings\Security Settings\Local Policies\User Rights Assignment on our domain controller (these were not editable on the local server as these were being pushed down).
After the changes and a coffee break, the rights show up on my server!
So now I have (1) created a managed service account which has (2) been granted access to a specific server and on that specific server (3) the service account has log on as batch job/service rights. I also (4) gave both the app pool and service account modify access to the web site folder.
I verified the site works with the default AppPoolIdentity account.
And ... I still get the errors above (which I have had during this whole process). I have to be missing something, but I just can find anything else to try!
Regards,
Cooter
I had to put this on the shelf for a while, but was eventually able to get this working. The most helpful resource I found was the following YouTube on MSAs.
http://www.youtube.com/watch?v=VNCGSQPhLuM
To summarize, there are quite a few requirements and steps
Domain Requirements:
Domain Function Level - Windows Server 2008R2+
Run ADPrep/ForestPrep
Client Requirements:
Windows Server 2008R2+
.Net Framework 3.5
Active Directory Module for Windows PowerShell (this gets installed with AD DS, but I was able to excluded all but the module during the process)
Supported Software:
IIS - yes (app pools)
SQL Server - no
On server where MSA is to be used, navigate to Server Manager - Features - Add features
Confirm 3.5 Framework installed
Confirm Active Directory Module for Windows PowerShell installed
On any server with AD administration tools, Via PowerShell: NOTE: My MSA is WorkProdDnnIIS and my host is WorkProd2012.
C:> import-module activedirectory
C:> New-ADServiceAccount -name WorkProdDnnIIS -enable $true
C:> Add-AdComputerServiceAccount -Identity WorkProd2012 -ServiceAccount WorkProdDnnIIS
On any server with AD administration tools, via AD Users and Computers
the new MSA should be listed under "Managed Service Accounts"
On server on which MSA is to be used, via PowerShell
C:> import-module activedirectory
C:> Install-AdServiceAccount -Identity WorkProdDnnIIS
On server on which MSA is to be used, via IIS Manager
Change App Pool identity (e.g. POWER\WorkProdDnnIIS$ - Dollar sign required on end, leave password blank)
Lastly, the local policy settings to allow "Log on as batch job" and "Log on on as service" are required for the MSA for IIS app pools. I would suspect that the Install-ADServiceAccount would do this, however these changes could not be made locally. I manually edited the group policy on a domain controller to achieve the same end result.
Regards,
Cooter
In the Sitecore (6.6 v130404) log file there are so many "Sitecore has no necessary permissions for reading/creating counters." records being created. I have disabled the performance counters in the server.
<!-- ENABLE COUNTERS
Indicates if performance counters are enabled.
Default value: true
-->
<setting name="Counters.Enabled" value="false"/>
Log extract: (For every 6seconds this keeps updating the log)
Heartbeat 19:07:33 WARN Sitecore has no necessary permissions for reading/creating counters.
Heartbeat 19:07:39 WARN Sitecore has no necessary permissions for reading/creating counters.
Heartbeat 19:07:45 WARN Sitecore has no necessary permissions for reading/creating counters.
Heartbeat 19:07:51 WARN Sitecore has no necessary permissions for reading/creating counters.
I have modified the following webconfig setting and set the value as 1hour, as the above log mentions that it's related to a heartbeat setting.
This solved the problem. I have Googled for any effects with this change in this setting, found no results on this. Is this ok to set this setting to 1hour? What is the purpose of this setting?
A Sitecore application pool user (most probably Network Service user) has to be a member of the system “Performance Monitor Users” group to have access to the mentioned registry key. Adding the user to this group and restarting IIS should solve the problem.
As explained in approved answer you need to add app pool user to performance monitor users and performance log users group.
To add your app pool user add iis apppool\{site name}.
You need to restart your machine again or alternatively restart your iis and log off and log in to make sure your changes got picked up by user group membership
Here are a few screenshots.
Powershell solution (works on Windows 10 Home, where you don't have lusrmgr.msc console).
Run PS console as administrator then:
PS C:\WINDOWS\system32>Add-LocalGroupMember -Group "Performance Monitor Users" -Member "{UserName}"
PS C:\WINDOWS\system32>iisreset
Where the {UserName} is your application pool identity user or Network Service.
Mind that group name may be different (it may be in your local language for non-english Windows version). Then call:
PS C:\WINDOWS\system32>Get-LocalGroup
This will list all groups and you will find correct name there.
I have a web site in ASP.NET 4 that need Connect to SQL Server 2008 R2 with Parallelism, Also Use IIS 7 and Windows authentication, I use Parallel.Foreach expression, When I use Foreach every thing is fine, but in Parallel.Foreach I get an error: Login failed for user: 'IIS APPPOOL\\MyAppPool'., So after some search I found need to change Process Model identity in Application pool From ApplicationPoolIdentity to LocalSystem:
Or I can add specific user:
But the last one is not a proper solution.
So I check in SQL SPs modified it and add line:
Then the result is: When I use foreach (mean without parallelism) all the registered user is MyLoginUser but with Parallel.foreach (And LocalSystem Identity) the first user registered is MyLoginUser and the others is NT Authority System.
Also I found Parallel Impersonation but not worked either and I got the same error.
As I understand MyLoginUser have not permission to Multi Connect to sql, Am I right?
if yes, so how can I add permission to this user?
In final I try to use ApplicationPoolIdentity and MyLoginUser to use Parallelism to connect to SQL. Does any one have any suggestion?
UPDATE:
I found that the first connection to db is the MyLoginUser then the ASP.NET try to connect more and let ApplicationPool do this, but the applicationpool can not login because have not permission and I also don't want to let it, the only user could connect must be myloginuser.
So the question could be:
How config IIS or ASP.NET to use myloginuser (the same of first user)
to connect with all connections to db (also in Parallel connections)?