Application pool doesn't start with domain account


Davide

Aug 5, 2005, 4:46:10 AM
Hi,
I have a network of 3 servers (Windows 2003 Server): A, B, C

A is the domain controller with Active Directory

B is a server in the domain where IIS 6.0 is installed

I would like to start an application pool for a website on B with a
domain identity and not as "Network Service"

So, I created a user in Active Directory (_usrsvc) that is a member of
Administrator of the domain, of Domain Admins, of Domain Users and of
IIS_WPG, but when I start up the website I receive this message in
Event Viewer:

"The identity of application pool 'SmartAppPool' is invalid, so the
World Wide Web Publishing Service can not create a worker process to
serve the application pool. Therefore, the application pool has been
disabled."

What permissions must a domain user have to start an application pool?!
Thanks, and sorry for my English ;)


David Wang [Msft]

Aug 5, 2005, 5:26:54 AM
Open secpol.msc, and make sure _usrsvc has at least the same privileges as
"Network Service" on machine B. Also make sure you do not have silly group
policy disallowing _usrsvc to be logged on or functioning on server B.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Davide" <18277i...@mynewsgate.net> wrote in message
news:200508050...@mynewsgate.net...

Paul Williams [MVP]

Aug 5, 2005, 6:12:54 AM
Cross-posting into the IIS group for additional help...

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Ken Schaefer

Aug 10, 2005, 10:18:35 PM
- Ensure that the username/password are supplied correctly in the Web App
Pool properties dialogue
- Ensure that the user account in question has the following NT rights on
the IIS box:

- Replace a Process Level Token (SeAssignPrimaryTokenPrivilege)
- Adjust Memory Quotas for a process (SeIncreaseQuotaPrivilege)
- Generate Security Audits (SeAuditPrivilege)
- Bypass Traverse Checking (SeChangeNotifyPrivilege)
- Access this computer from a network (SeNetworkLogonRight)
- Logon as a Batch Job (SeBatchLogonRight)
- Logon as a Service (SeInteractiveLogonRight)
- Allow Logon Locally (SeInteractiveLogonRight)

(those are the rights that Network Service has by default, so that should be
enough for a custom account)

Cheers
Ken

--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com


"Paul Williams [MVP]" <ptw...@hotmail.com> wrote in message
news:exqofVam...@TK2MSFTNGP10.phx.gbl...
: Cross-posting into the IIS group for additional help...



John Bailey

Aug 15, 2005, 10:41:10 AM
I have the same issue. I set the permissions you specified for the domain
account, but am still getting the same error.

David Wang [Msft]

Aug 15, 2005, 2:08:41 PM
You're in a domain, so local policy can be overridden by group policy higher
up in the domain.

Please ensure that your domain user's resultant privileges actually match
the privileges for "Network Service".

Just about all of the causes of this issue that I have seen are caused by
either:
1. you have a locked-down group policy coming from somewhere in the domain
2. you tweaked privileges/local policy on the machine

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"John Bailey" <JohnB...@discussions.microsoft.com> wrote in message
news:52CDF1B2-218F-4BC8...@microsoft.com...
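
The replies above come down to checking that the account's resultant user rights on server B match those of "Network Service" and that no deny-logon policy applies to it. The following Python script is an added example, not part of the thread: it makes that comparison over the text of a `secedit /export /areas USER_RIGHTS` file taken on the IIS machine. The sample export, the domain SID, the RID for `_usrsvc` and its group list are constructed, and the caller is assumed to supply the SIDs of every group in the account's token.

```python
# Compare an account's user rights with Network Service's, from the text of
# `secedit /export /cfg rights.inf /areas USER_RIGHTS` (decode the UTF-16 file first).
# Assumption: Network Service's token also carries Everyone and Authenticated Users.
NETWORK_SERVICE = {"S-1-5-20", "S-1-1-0", "S-1-5-11"}

def parse_rights(inf_text):
    """Return {right_name: set_of_principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, members = line.partition("=")
            # Each entry is "*<SID>" or a plain account name.
            rights[name.strip()] = {
                m.strip().lstrip("*") for m in members.split(",") if m.strip()}
    return rights

def compare(rights, account, baseline=NETWORK_SERVICE):
    """account: SIDs/names of the user and of every group in its token.
    Returns (rights the baseline holds but the account lacks,
             deny rights that name the account or one of its groups)."""
    missing, denied = [], []
    for right, holders in sorted(rights.items()):
        if right.startswith("SeDeny"):
            if holders & account:
                denied.append(right)
        elif (holders & baseline) and not (holders & account):
            missing.append(right)
    return missing, denied

# Constructed sample export and SIDs (not taken from the thread).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeBatchLogonRight = *S-1-5-19,*S-1-5-20
SeServiceLogonRight = *S-1-5-20
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeChangeNotifyPrivilege = *S-1-1-0
SeDenyBatchLogonRight = *{DOMAIN}-1105
"""
# Hypothetical token for _usrsvc: own SID (RID 1105), Domain Admins, Domain Users,
# local Administrators, Everyone, Authenticated Users.
USRSVC = {f"{DOMAIN}-1105", f"{DOMAIN}-512", f"{DOMAIN}-513",
          "S-1-5-32-544", "S-1-1-0", "S-1-5-11"}
print(compare(parse_rights(SAMPLE), USRSVC))
```

In the constructed sample, membership in Administrators covers only some of the rights, and a deny entry naming the account still applies even though the account is a domain administrator.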
