6

I'm trying to set a Domain User account as ApplicationPool Identity in IIS 8 (Windows 2012). When trying this using the IIS Management Console I always get an error:

Value does not fall within the expected range.

When trying to set the identity using appcmd.exe it fails on both the command setting the username and password or the command only setting the password. Setting the username is no problem.

Trying to set both the username and password [FAIL]:

>appcmd set config /section:applicationPools /[name='AppPoolName'].processModel.identityType:SpecificUser /[name='AppPoolName'].processModel.userName:DOMAIN\Username /[name='AppPoolName'].processModel.password:P4ssW0rd
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
ERROR ( hresult:80070057, message:Failed to commit configuration changes. The parameter is incorrect. )

Trying to set only the username [SUCCESS]:

>appcmd set config /section:applicationPools /[name='AppPoolName'].processModel.identityType:SpecificUser /[name='AppPoolName'].processModel.userName:DOMAIN\Username
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"

Trying to set the password after successfully setting the username [FAIL]:

>appcmd set config /section:applicationPools /[name='AppPoolName'].processModel.identityType:SpecificUser /[name='AppPoolName'].processModel.password:P4ssW0rd
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
ERROR ( hresult:80070057, message:Failed to commit configuration changes. The parameter is incorrect. )

I added the Domain User to the IIS_IUSRS group and allowed it to "Log on as a service".

Any suggestions what I might be doing wrong?

HopelessN00b

Niels R.

5 Answers

2

As per How do you setup an IIS Web App so it can access a network share without an AD?

I had the same problem but couldn't leave the password in clear text, so I dug a little further and found this article: Custom IIS App Pool Identity: Value does not fall within the expected range

The key step to diagnose is to look at the right events:

To figure out how to resolve this, I went into the event viewer. There was nothing in the Application log, so I headed down to Applications and Services Logs => Microsoft => Windows => IIS-Configuration. The logs in here are disabled by default, so they have to be enabled. (To do so, right click the log, and choose Enable log.) Once enabled, re-run the attempt to set the identity, and refresh the view (Actions pane or F5), and voila!, now we have some more information on the error. In the results were two Errors (event ID 42 and 43).

I had the same event errors as in the article:

ID 42: Failed to initialize the 'IISWASOnlyAesProvider' encryption provider in '\\?\C:\windows\system32\inetsrv\config\applicationHost.config'. Please check your configuration.

ID 43: Failed to encrypt attribute 'Microsoft.ApplicationHost.AesProtectedConfigurationProvider'.

Then I did the following:

  • restore an old version of the ConfigEncKey.key file (to c:\windows\System32\inetsrv\config )
  • replace the <configProtectedData><providers> section by an old one (in c:\windows\System32\inetsrv\config\applicationHost.config )

Then I can again set a custom identity to the application pool.
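The diagnosis step this answer describes (enable the IIS-Configuration channel, retry the change, look for events 42 and 43) can be scripted. The following PowerShell is an added example, not code from the answer or the linked article; it assumes the channel is named 'Microsoft-IIS-Configuration/Operational' (the -ListLog call prints the real channel names if yours differ) and must run elevated on the IIS host.

```powershell
# Added example: enable the IIS-Configuration event channel and pull the
# encryption-provider failures (event IDs 42 and 43) behind the
# "Value does not fall within the expected range" / hresult 80070057 errors.
# Assumption: channel name below; verify with the -ListLog output.
$channel = 'Microsoft-IIS-Configuration/Operational'

function Enable-IisConfigurationLog {
    param([string]$LogName)
    # The channel is disabled by default (same as "Enable Log" in Event Viewer);
    # 'wevtutil set-log' flips the enabled flag on it.
    wevtutil.exe sl $LogName /e:true
    Get-WinEvent -ListLog 'Microsoft-IIS-Configuration*' |
        Select-Object LogName, IsEnabled, RecordCount
}

function Get-IisConfigEncryptionErrors {
    param([string]$LogName, [int]$MaxEvents = 20)
    # 42 = encryption provider failed to initialize,
    # 43 = an attribute (here processModel/password) could not be encrypted
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 42, 43 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Enable-IisConfigurationLog -LogName $channel
# ... now retry the failing appcmd / IIS Manager identity change, then:
$errors = Get-IisConfigEncryptionErrors -LogName $channel
if ($errors) {
    $errors | Format-List
} else {
    "No 42/43 events in $channel: the failure is not the AES provider; check the pool's applications, bindings and the account instead."
}
```

If events 42/43 do appear, the encryption providers or key material under inetsrv\config are the problem, and the repair steps in this answer and the next one apply; if they do not, the password encryption path is healthy and the cause lies elsewhere.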

1

You can grab the private key from another server and simply import it into this server by first exporting a key from another IIS server that works: C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis -px "iisWasKey" "C:\temp\AESKeys.xml" -pri

Second you can restore that key on the broken machine (copy the key to the other server and put it in the same place): C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis -pi "iisWasKey" "C:\temp\AESKeys.xml"

Third you edit the c:\windows\system32\inetsrv\applicationhost.config and use the configprotecteddata section from the known working server to use in place of the one already in this file.

It would look like this section:

If all goes well you can then test it out by creating an application pool and then go to advanced settings and run it as DOMAIN\user or some other user that it needs to be.
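Before exporting a key from another server (this answer) or restoring ConfigEncKey.key (the previous one), it helps to confirm which key container the providers in <configProtectedData> point at and whether that container and key file actually exist on the broken machine. The following PowerShell is an added example, not code from either answer; it assumes the default paths under inetsrv\config quoted in the answers and the usual provider layout (each <add> has a keyContainerName such as iisWasKey and, for the AES providers, an RSA-encrypted sessionKey). Run it elevated.

```powershell
# Added example: check the key containers referenced by applicationHost.config's
# <configProtectedData> providers against the machine key store, and check that
# ConfigEncKey.key is present. A missing container is what leaves the
# IISWASOnlyAesProvider unable to initialize (event 42) on a broken host.
$configPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
$keyFile    = "$env:windir\System32\inetsrv\config\ConfigEncKey.key"

function Test-MachineKeyContainer {
    param([string]$ContainerName)
    # Open the RSA container with UseExistingKey so a missing container throws
    # instead of silently creating a fresh key pair.
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $ContainerName
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseExistingKey -bor
                 [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
    try {
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
        $rsa.Dispose()
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

function Get-IisConfigProtectionStatus {
    param([string]$Path)
    [xml]$config = Get-Content -LiteralPath $Path -Raw
    foreach ($p in $config.configuration.configProtectedData.providers.add) {
        [pscustomobject]@{
            Provider      = $p.name
            KeyContainer  = $p.keyContainerName
            ContainerOK   = if ($p.keyContainerName) { Test-MachineKeyContainer $p.keyContainerName } else { $null }
            HasSessionKey = [bool]$p.sessionKey   # AES providers carry an RSA-wrapped session key
        }
    }
}

Get-IisConfigProtectionStatus -Path $configPath | Format-Table -AutoSize
if (Test-Path -LiteralPath $keyFile) { "ConfigEncKey.key present" } else { "ConfigEncKey.key MISSING" }
```

A provider whose ContainerOK is False is the one to repair with the aspnet_regiis -px / -pi pair above; copy the matching <configProtectedData> section from the same working server, since the sessionKey values in it are wrapped with that server's RSA container and are useless without it.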

Tony Trus
0

Check the bindings for the applications that are configured on this application pool, in case they have any incorrect bindings, e.g. invalid characters, spaces and so on.

Source

MichelZ
  • There are no applications assigned to the application pool. I created a new application pool to avoid problems with wrongly configured applications assigned to it. – Niels R. Sep 09 '13 at 07:06
0

I have also run into this problem in Windows Server 2012.

If you remove the last parameter when using appcmd, the password, you will succeed changing identity type and setting the username.

I never did figure out why I could not set the password, so I resorted to editing my applicationHost.config file directly. Unfortunately, this way the password is in clear text.

<configuration>
   ...
    <system.applicationHost>
        <applicationPools>
            ...
            <add name="test-pool" managedRuntimeVersion="v4.0">
                <processModel identityType="SpecificUser" 
                  userName="MyAccountName" password="P@ssw0rd" />
            </add>
            ...
        </applicationPools>
        ...
    </system.applicationHost>
    ...
</configuration>

In addition to configuring the app pool to use a specific account I also did the following:

1) Included the account in the IIS_IUSRS group that indirectly gives it Logon as Batch Job rights.

2) Run the following command to grant rights to the user

aspnet_regiis -ga <your_app_pool_user>

See more: How To: Create a Service Account for an ASP.NET 2.0 Application (MSDN)

3) Restarted WAS and IIS to make sure the changes to the account's group membership take hold.

C:> net stop was /y
C:> net start w3svc
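Hand-editing applicationHost.config leaves the password in clear text because nothing runs it through the AES provider. The following PowerShell is an added example, not code from this answer; it performs the same three steps (set the identity, run aspnet_regiis -ga, restart WAS/W3SVC) through the WebAdministration module, so IIS encrypts the password itself, and then reads the file back to verify what was actually stored. It assumes the pool name test-pool from the answer, takes the account from Get-Credential so the password never sits on a command line or in shell history, and must run elevated.

```powershell
# Added example: set a domain account as pool identity via WebAdministration,
# then verify applicationHost.config holds an encrypted attribute, not clear text.
# Assumptions: pool 'test-pool' (from the answer), 64-bit .NET 4 path for aspnet_regiis.
Import-Module WebAdministration

$poolName   = 'test-pool'
$configPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
$cred = Get-Credential -Message "Account to run IIS app pool '$poolName' as (DOMAIN\user)"

# 1) Same change as the appcmd call, but committed through IIS's configuration
#    system, which encrypts processModel/password with IISWASOnlyAesProvider.
Set-ItemProperty -Path "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 2) Grant the account the ASP.NET ACLs and IIS_IUSRS membership (what -ga does).
& "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -ga $cred.UserName

# 3) Restart WAS and W3SVC so the new group membership is picked up.
net stop was /y | Out-Null
net start w3svc  | Out-Null

function Get-StoredPoolPassword {
    param([string]$Path, [string]$Pool)
    [xml]$config = Get-Content -LiteralPath $Path -Raw
    $entry = $config.configuration.'system.applicationHost'.applicationPools.add |
             Where-Object { $_.name -eq $Pool }
    return $entry.processModel.password
}

# An encrypted attribute is persisted as [enc:<provider>:<ciphertext>:enc];
# anything else means the password is sitting in the file in clear text.
$stored = Get-StoredPoolPassword -Path $configPath -Pool $poolName
if ($stored -and $stored.StartsWith('[enc:')) {
    "Password for '$poolName' stored encrypted via provider '$(($stored -split ':')[1])'"
} else {
    Write-Warning "Password for '$poolName' is in CLEAR TEXT in $configPath; repair the encryption providers before relying on this."
}
```

If the Set-ItemProperty call itself fails with the same 80070057 error, the encryption provider is broken and the verification branch would also report clear text; that is the case the earlier answers' key-restore steps address.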
0

Try changing /section:applicationPools to /section:system.applicationHost/applicationPools and adding /commit:apphost to the end

appcmd set config /section:system.applicationHost/applicationPools /[name='AppPoolName'].processModel.identityType:SpecificUser /[name='AppPoolName'].processModel.password:P4ssW0rd /commit:apphost

Todd Smith