We are recently observing a very weird issue in IIS. This is the new Windows 2012 R2. We have installed all the component of IIS and trying to host default website on port 80.
Whenever we are trying to access the default web page of IIS, I am seeing "HTTP Error 503. The service is unavailable" error. While troubleshooting more, have observed that IIS Application pool is getting stopped and in the event logs we are seeing following error.
"The identity of application pool DefaultAppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives it first request"
DefaulAppPool identity is ApplicationPoolIdentity.
As of now tried with following options but no luck. Note that same configuration is working on another server and I am unable to find out any difference on both the servers. IIS version is 8.5
Logon batch rights provided to IIS AppPool\DefaultAppPool as well as for IIS_IUSRS
Executed aspnet_regiis -ga "IIS AppPool\DefaultAppPool" for .NET folders
Full rights of WebSite root directory to IIS AppPool\DefaultAppPool
Reinstallation of IIS
Load User Profile : False / True with ApplicationPoolIdentity
Force update of Group policy post changin logon batch through gpupdate /force
Full Control to
a) HKLM\SOFTWARE\Microsoft\SystemCertificates\
b) HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\
c) HKLM\System\CurrentControlSet\services\eventlog\Security\
d) access to C:\Windows\SysWOW64\config\systemprofile\AppData\
Do anyone have any idea in this?
Related
Context: Windows Server 2012 R2 (Azure VM)
IIS: 8.5
The CGI application is a 32bit EXE. It calls the MSScript object to evaluate a JScript script. The JScript attempts to instantiate InternetExplorer.Application. The attempt fails consistently with an permissions error 70.
What is the reason for this and what must I do to get it working? If it really is a permissions error, which permissions need to be adjusted?
MORE DETAIL
This is from the Event Viewer (Local), System tab in Windows Logs:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0002DF01-0000-0000-C000-000000000046}
and APPID
{E4803A36-7232-4AC0-A6AF-29D59EBCC303}
to the user NT AUTHORITY\IUSR SID (S-1-5-17) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
YET MORE
A posting on Answers suggests changing the owner of IE from Trusted Installer to Administrator. Is this the answer for me?
In the past when I have seen this the issue was the Application Pool I was using was not correctly set to enable the 32-bit Application. Once this was modified, going to the advanced settings of the App Pool, it resolved my issue. I am not sure if the application you are running is dependent upon the App Pool but that is where I would start looking.
can anyone please tell me whether a asp.net mvc 5 web application can be hosted on IIS 7.5?seems has this issue:HTTP Error 503.
and the IIS application pool was stopped when request this web.
it's very strange,when I change website application pool named "A" to another named "B"("B" is an app pool for an asp.net mvc4 web application), then the site run well."A" is the same setting as "B".not really know what had happened.is related section of the web.config ?please help.
I had the same problem and found it was caused by permission problems creating the user profile in C:\Users. I gave ApplicationPoolIdentity full permissions to the C:\Users folder, started the site and everything worked, the profile must have been created properly, and my site worked as it should. I then removed access to C:\Users from ApplicationPoolIdentity.
Site wont start on local using ApplicationPoolIdentity, only when using NetworkService: "HTTP Error 503. The service is unavailable."
I am tasked to change the user for IIS Admin, WWW publishing service, and HTTP SSL windows services for IIS6 (Windows 2003).
It works perfectly with Local System account (by default the selection with this fresh instance of Windows 2003) - but I have to change the user - not negotiable for me unfortunately as it is a must do instruction from my boss to me.
The user Im trying to set it to e.g. UserABC is on the Server and is the Log On for other services which execute without problems.
So first I tried setting the Log On for HTTP SSL but received the error:
"Error 1079 : the account specified for this service is different from the account specified for other services running in the same process".
Now when I looked at the dependencies I saw that WWW publishing service is dependent on HTTP SSL.
So I tried setting the Log on for WWW publishing service, but got the error:
"Could not start the WWW Publishing service on local computer"
"Error 5: Access is denied"
Now I tried setting the user for IIS admin, but received the error:
"Could not start the IIS admin service on local computer: Error 1068 : The dependency service or group failed to start"
Any advice please on how I can change the user log on for these services? The instance of IIS is working fine and its just the password that I need to set. Are there folders which I have to assign rights to for UserABC perhaps? Something else I'm missing?
The other forums on the web suggest things like deleting "MetaBase.bin", or running MS fix: http://support.microsoft.com/kb/827328 but this will not work for me on this new server - but I do not want to muck around with this please.
Thank you
Ok I'm stumped. I've configured an IIS 6 website with its own App Pool, which has its own AD domain credential. When I attempt to browse the site, I see a page that simply says "Access is denied.". There is no error code or information in Event Logs.
I am able to open Notepad with the app pool account credentials (and open the html file I'm trying to browse).
If I add the app pool's domain account to the local administrators group, the site loads. However, this is not acceptable for our environment.
I have successfully configured this site on two servers (that are supposed to be identical in a load-balanced pair). However, try as I might, I can't find any difference between these two servers' configurations.
Is your pool identity present in the local group IIS_WPG ?
This group ensure the Worker Process will have the required privileges to run correctly.
Also, your WebSite root folder must have Read permissions for IIS_WPG, which is the case if your root is in Inetpub\wwwroot.
Same for C:\WINDOWS\Microsoft.NET\Framework\vx.x.x.x\Temporary ASP.NET Files + Write, if you run ASP.NET WebSites.
FYI, in IIS 7, the group is now known as IIS_IUSRS.
Default permissions and user rights for IIS 6.0
Configuring Application Pool Identity in IIS 6.0
I reinstalled IIS 6 and the error has gone away. After reinstalling IIS, I had to reinstall .NET 4 as well.
Thank you very much for your suggestions and advice though!
I'm running win server 2008 R2 with IIS 7.5
I have an application under a website that only has anonymous authentication enabled.
The application points to a shared UNC drive.
I've created a IUSRDomain Domain account and both servers are on the same domain.
The application pool Identity is using the IUSRDomain account.
the UNC Share and File permission both give full control to the IUSRDomain account.
However when i try to make any changes to the IIS application settings, i get an error message that says:
There was an error while performing
this operation.
Filename: \?\UNC\\share\webapp\web.config Error:
Cannot write configuration file due to
insufficient permissions
And when i try to browse an html test page i get:
401 - Unauthorized: Access is denied
due to invalid credentials. You do not
have permission to view this directory
or page using the credentials that you
supplied.
IIS log file says:
/webapp/test.html - 80 -
xxx.xxx.xxx.xxx
Mozilla/5.0+(Windows;+U;+Windows+NT+6.1;+en-US)+AppleWebKit/534.7+(KHTML,+like+Gecko)+Chrome/7.0.517.44+Safari/534.7 401 3 1326 22
Edit: Also i have other applications under the same website that are configured the same way and work fine.
You need to be sure that the account that is used to connect to the UNC path has write access to the web.config file on the network share.
IIS7 configuration saves/updates information to the web.config file, thus the error message.
Also, if your application needs to run in full trust, you will want to use CASPOL to modify the trust permissions to allow your app to run in full trust. (.NET 2.0)