ApplicationPoolIdentity in IIS7 401 errors [closed]

3

5

We have just started to use Windows Server 2008 R2 and IIS7.5 and I'm trying to move some existing sites across from our Windows 2003 box. I can get the sites running ok but am getting 401 errors for all the CSS / Images in the sites. Granting Everyone read access will solve this - but I'm not very happy doing this.

I've read that IIS7.5 makes use of a magical new 'account' and each Application Pool has its own account.

So far I have

  • Created a new folder in wwwroot for my website (kbank)
  • Copied the files in from another machine
  • In IIS7 created a new website (not virtual directory), this created a new Application Pool with the same name as my website. This is an Integrated Pipeline pool
  • In Process Model / Identity this is using ApplicationPoolIdentity and Load User Profile is set to True
  • Granted IIS AppPool\kbank read access to the root of the folder

Can anyone tell me how best to set up my websites?

Reginaldreginauld answered 29/10, 2009 at 14:23 Comment(1)
Thanks for providing the link for the "magical new account", that was exactly what I was looking for. - Hahnert
2

Maybe you are just missing a small step. When you granted the account read access, did you check that it replaced settings in all subdirectories? Also, it may require an IIS reset after changing the access rights.

Fovea answered 30/10, 2009 at 12:36 Comment(3)
Hi Shiraz, always worth checking these things, but no, the permissions were updated on all subdirectories and a restart didn't make any difference. Simon - Reginaldreginauld
Why then was the answer accepted, pray tell? - Brownley
@Brownley resetting IIS didn't do the trick, but rebooting the server did. Quite a drastic step, not one I'm proud of, but that old IT adage of "Turn it off and on again" seems to have been the answer. Surely it shouldn't have been the case, but meh! - Reginaldreginauld
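The subdirectory check suggested in this answer can be scripted instead of clicked through. The following Windows PowerShell function is an added example, not code from any of the posts: it optionally applies an inheritable read grant for `IIS AppPool\kbank` at the site root, then lists every file or folder where that identity has no applicable allow ACE, where inheritance is blocked, or where Everyone is still granted access. The function name `Test-SiteReadAcl` and the path `C:\inetpub\wwwroot\kbank` are assumptions; it looks only at ACEs that name the identity directly, not at access gained through group membership or removed by deny ACEs.

```powershell
# Added example. Run elevated in Windows PowerShell on the IIS server.
# Assumed values: site folder path and pool name follow the question ("kbank").
function Test-SiteReadAcl {
    param(
        [string]$Root     = 'C:\inetpub\wwwroot\kbank',  # assumed site folder
        [string]$Identity = 'IIS AppPool\kbank',         # run again for 'IUSR' if anonymous auth uses it
        [switch]$Grant                                   # also apply the grant at the root
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $read     = [int][System.Security.AccessControl.FileSystemRights]::Read
    # Resolve the account name to a SID so the comparison does not depend on name formatting.
    $sid      = (New-Object System.Security.Principal.NTAccount($Identity)).Translate($sidType).Value
    $everyone = 'S-1-1-0'                                # well-known SID for Everyone

    if ($Grant) {
        # (OI)(CI) = inherit to files and subfolders, RX = read and execute.
        icacls $Root /grant "${Identity}:(OI)(CI)(RX)" | Out-Null
    }

    # Root first, then every file and folder beneath it (hidden items included).
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl   = $item.GetAccessControl('Access')
        # Explicit and inherited allow ACEs that apply to this object itself.
        $rules = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.PropagationFlags -notmatch 'InheritOnly'
        })
        $canRead = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            ([int]$_.FileSystemRights -band $read) -eq $read
        }).Count -gt 0
        $everyoneAce = @($rules | Where-Object {
            $_.IdentityReference.Value -eq $everyone
        }).Count -gt 0

        # Report only the items that need attention.
        if (-not $canRead -or $everyoneAce -or $acl.AreAccessRulesProtected) {
            New-Object PSObject -Property @{
                Path               = $item.FullName
                IdentityCanRead    = $canRead
                EveryoneAllowed    = $everyoneAce
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
    }
}

Test-SiteReadAcl | Format-Table Path, IdentityCanRead, EveryoneAllowed, InheritanceBlocked -AutoSize
```

An empty result means every item carries a read ACE for the identity, inherits from its parent, and has no allow entry for Everyone.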
2

2008 R2 IIS 7.5

Just as an FYI. After rebuilding servers and spending endless hours troubleshooting a 401.3 error after changing the AppPool identity to a domain account, we came to find out that a GPO was killing IIS. Make sure you test with a server in the "Computer" container and that no GPOs are changing restricted groups outside of Administrators.

In our case, NT Authority\Authenticated Users was removed from the local USERS group and it broke IIS completely.

Sublimate answered 13/9, 2012 at 18:46 Comment(0)
0

I would check what the exact status code of the 401 error is (IIS 7 Status Code). Once you know the exact error code, it will be easy to troubleshoot what the exact issue is.
I would also run Process Monitor and see if there are any "ACCESS DENIED" results using the Filter.

Regards,
Vivek.

Hermilahermina answered 4/11, 2009 at 18:51 Comment(1)
Hi Vivek, I'm a bit lost - I've removed the Everyone account and yet I'm now not getting 401 errors. I don't know whether there was a delay in the permissions being applied (though a restart should have dealt with that). Pleased that is resolved though! - Reginaldreginauld
