Unable to set password in IIS 8 for Domain User as ApplicationPool Identity

I'm trying to set a Domain User account as ApplicationPool Identity in IIS 8 (Windows 2012). When trying this using the IIS Management Console I always get an error:

Value does not fall within the expected range.

When trying to set the identity using appcmd.exe, it fails both on the command that sets the username and password together and on the command that sets only the password. Setting the username alone is no problem.

Trying to set both the username and password [FAIL]:

>appcmd set config /section:applicationPools /[name='AppPoolName'].processModel.identityType:SpecificUser /[name='AppPoolName'].processModel.userName:DOMAIN\Username /[name='AppPoolName'].processModel.password:P4ssW0rd
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
ERROR ( hresult:80070057, message:Failed to commit configuration changes. The parameter is incorrect. )

Trying to set only the username [SUCCESS]:

>appcmd set config /section:applicationPools /[name='AppPoolName'].processModel.identityType:SpecificUser /[name='AppPoolName'].processModel.userName:DOMAIN\Username
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"

Trying to set the password after successfully setting the username [FAIL]:

>appcmd set config /section:applicationPools /[name='AppPoolName'].processModel.identityType:SpecificUser /[name='AppPoolName'].processModel.password:P4ssW0rd
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
ERROR ( hresult:80070057, message:Failed to commit configuration changes. The parameter is incorrect. )

I added the Domain User to the IIS_IUSRS group and allowed it to "Log on as a service".

Any suggestions as to what I might be doing wrong?


Solution 1:

As per How do you setup an IIS Web App so it can access a network share without an AD?

I had the same problem but couldn't leave the password in clear text, so I dug a little further and found this article: Custom IIS App Pool Identity: Value does not fall within the expected range

The key step to diagnose is to look at the right events:

To figure out how to resolve this, I went into the event viewer. There was nothing in the Application log, so I headed down to Applications and Services Logs => Microsoft => Windows => IIS-Configuration. The logs in here are disabled by default, so they have to be enabled. (To do so, right click the log, and choose Enable log.) Once enabled, re-run the attempt to set the identity, and refresh the view (Actions pane or F5), and voila!, now we have some more information on the error. In the results were two Errors (event ID 42 and 43).

I had the same event errors as in the article:

ID 42: Failed to initialize the 'IISWASOnlyAesProvider' encryption provider in '\?\C:\windows\system32\inetsrv\config\applicationHost.config'. Please check your configuration.

ID 43: Failed to encrypt attribute 'Microsoft.ApplicationHost.AesProtectedConfigurationProvider'.

Then I did the following:

  • restore an old version of the ConfigEncKey.key file (to c:\windows\System32\inetsrv\config )
  • replace the <configProtectedData><providers> section by an old one (in c:\windows\System32\inetsrv\config\applicationHost.config )

Then I could again set a custom identity for the application pool.

Solution 2:

You can grab the private key from another server and simply import it into this server by first exporting a key from another IIS server that works: C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis -px "iisWasKey" "C:\temp\AESKeys.xml" -pri

Second, you can restore that key on the broken machine (copy the key to the other server and put it in the same place): C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis -pi "iisWasKey" "C:\temp\AESKeys.xml"

Third, edit c:\windows\system32\inetsrv\applicationhost.config and use the configProtectedData section from the known working server in place of the one already in this file.

It would look like this section:

If all goes well you can then test it out by creating an application pool and then go to advanced settings and run it as DOMAIN\user or some other user that it needs to be.

Tony Trus
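The checks both solutions describe (the ConfigEncKey.key file, the configProtectedData providers in applicationHost.config, and IIS-Configuration events 42/43) can be gathered in one pass before touching any key material. The script below is an added example, not code from either answer; it assumes the default inetsrv paths and that the IIS-Configuration log is named Microsoft-IIS-Configuration/Operational (an assumption, verify in Event Viewer). Run it in an elevated PowerShell on the affected server.

```powershell
# Added diagnostic for the "Value does not fall within the expected range" symptom.
# Assumed default paths; adjust if IIS is installed elsewhere.
$configPath = 'C:\Windows\System32\inetsrv\config\applicationHost.config'
$keyFile    = 'C:\Windows\System32\inetsrv\config\ConfigEncKey.key'   # file Solution 1 restores

# 1. Is the AES key file that the IISWASOnly* providers rely on present?
if (Test-Path $keyFile) {
    Write-Host "ConfigEncKey.key present ($((Get-Item $keyFile).Length) bytes)"
} else {
    Write-Warning 'ConfigEncKey.key is missing from inetsrv\config'
}

# 2. List each configProtectedData provider, its key container and whether it
#    carries a sessionKey (the AES providers must; the RSA provider does not).
[xml]$cfg = Get-Content -Path $configPath -Raw
$providers = $cfg.configuration.configProtectedData.providers.add
foreach ($p in $providers) {
    $hasSessionKey = [bool]$p.sessionKey
    '{0,-28} keyContainer={1,-22} sessionKey={2}' -f $p.name, $p.keyContainerName, $hasSessionKey
}
# An absent IISWASOnlyAesProvider entry, or one without a sessionKey, is the
# state that produces event 42 ("Failed to initialize ... encryption provider").

# 3. Enable the IIS-Configuration log if needed and pull events 42 and 43.
$logName = 'Microsoft-IIS-Configuration/Operational'   # assumed log name
$log = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
if ($log -and -not $log.IsEnabled) {
    $log.IsEnabled = $true
    $log.SaveChanges()          # re-run the appcmd command after enabling, then re-query
}
Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 42, 43 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Compare the provider table against the same section on a known-good server before replacing it, so the keyContainerName values (iisWasKey, as used in Solution 2) line up with the key you export and import.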