Saturday, 21 December 2013

Effect of Security Policy Change on application pool in IIS

Last week one of our internal application hosted on IIS and communicating with AX through BC.NET stopped working suddenly. The person responsible for looking after the application suspected it was integration with AX that was causing the issue. We started looking into it and soon realised that it was not an AX issue. The application pool started fine but as soon as we accessed the application in a browser the application pool stopped. In the windows event log on the server hosting IIS we found the following entries

The identity of application pool WhouseAppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request.  If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

Application pool WhouseAppPool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

Application pool WhouseAppPool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.

The error message provided us with the hint. The password under which the pool is running was correct and was not expired. Then we checked for "batch logon rights" as mentioned in the error. This can be checked from

Control Panel\All Control Panel Items\Administrative Tools\Local Security Policy

Usually this policy is configured locally and the IIS_ISURS group is added to the policy. In our case the policy was overridden from the domain due to an admin error. Correcting the error removed the overriding policy and restored local configuration for the policy. This is how it usually looks like

After this change the site started working.

This posting is provided "AS IS" with no warranties. Use code at your own risk.

No comments:

Post a Comment