I am attempting to move a project forward using a local user account as the IIS app pool identity until domain trusts are established. I have tried everything I can think of to have a local user account run the app pool without a 503 on the first request. If I use my domain account, I have no problem.
If I use the IIS UI and attempt to add the user as the app pool identity, I get an invalid password error, even though I copied and pasted the password that was used to create the local user account and I know it is correct. The weird part is I can bind the user using the following script:
Import-Module WebAdministration

try
{
    # WEB user account - this will eventually be converted to a domain account
    $username      = "EUPOC_WebUser"
    $plainPassword = "astronGpassword"
    # The SecureString is only needed for New-LocalUser; IIS processModel.password takes
    # the plain text and encrypts it itself in applicationHost.config
    $password = ConvertTo-SecureString $plainPassword -AsPlainText -Force
    #Remove-LocalUser -Name $username -ErrorAction Ignore | Out-Null
    #New-LocalUser -Name $username -Description 'For SSRS.' -Password $password -PasswordNeverExpires -AccountNeverExpires | Out-Null

    $appPoolName      = "Test2"
    $runTimeVersion   = "v4.0"
    $pipelineMode     = "Integrated"
    $enabled32BitApps = "false"

    # Remove any previous attempt; ignore "not found" so a clean machine does not throw
    Remove-WebSite    -Name $appPoolName -ErrorAction SilentlyContinue
    Remove-WebAppPool -Name $appPoolName -ErrorAction SilentlyContinue

    $newAppPool = New-WebAppPool -Name $appPoolName -Force
    $newAppPool.autoStart = "true"
    $newAppPool.managedRuntimeVersion = $runTimeVersion
    $newAppPool.managedPipelineMode = $pipelineMode
    if ($enabled32BitApps -eq "true")
    {
        $newAppPool.enable32BitAppOnWin64 = "$enabled32BitApps"
    }
    if ($false -eq [System.String]::IsNullOrWhiteSpace($username))
    {
        $newAppPool.ProcessModel.userName = "$username"
        # Interpolating the SecureString ("$password") would store the literal text
        # "System.Security.SecureString" as the pool password, so pass the plain text
        $newAppPool.ProcessModel.password = $plainPassword
        $newAppPool.ProcessModel.identitytype = 3   # 3 = SpecificUser
    }
    $newAppPool | Set-Item | Out-Null
    Write-Host "Created app-pool $appPoolName"
    New-WebSite -Name $appPoolName -Port 80 -PhysicalPath "C:\WebApps\Test" -ApplicationPool $appPoolName -Force | Out-Null
}
catch
{
    # An empty catch{} hides a failed New-WebAppPool or Set-Item; surface the error instead
    Write-Error $_
}
I have added the user to these security policies:
- Log on as a service
- Log on as a batch job
I have added the user as a member of:
- IIS_IUSRS
- Administrators
The website only contains a hello.html web page and I have tried all combinations of app pool configurations.
I am starting to think there may be a corporate policy preventing me from doing this. Would this be a common thing corporate would not allow, and if so, is there a way to visibly check, or do I need to ping a SecOps manager?
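As an added example (not code from the original post), the script below separates the three things that can go wrong here so each can be checked on its own: whether the local SAM accepts the password at all, what IIS actually stored for the pool identity after the change, and what WAS logged when the worker process failed to start. It assumes the pool name and account from the question and that the WebAdministration module is installed.

```powershell
# Added example: verify the local account, the stored pool identity, and the WAS events.
# Pool name and account are the ones from the question; adjust for your environment.
Import-Module WebAdministration
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-LocalCredential {
    param([string]$UserName, [string]$PlainPassword)
    # Validates the password against the local SAM, the same logon WAS performs
    # when it starts the worker process under this identity.
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Machine)
    try     { return $ctx.ValidateCredentials($UserName, $PlainPassword) }
    finally { $ctx.Dispose() }
}

function Set-AppPoolIdentity {
    param([string]$PoolName, [string]$UserName, [string]$PlainPassword)
    # processModel.password takes plain text; IIS encrypts it in applicationHost.config.
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
        userName     = $UserName
        password     = $PlainPassword
        identitytype = 3          # SpecificUser
    }
}

function Get-AppPoolIdentityReport {
    param([string]$PoolName)
    # Read back what IIS actually stored, plus the WAS events from the last hour,
    # which name the pool and the reason its identity or process failed.
    $pm = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
    [pscustomobject]@{
        Pool            = $PoolName
        State           = (Get-WebAppPoolState -Name $PoolName).Value
        UserName        = $pm.userName
        IdentityType    = $pm.identityType
        RecentWasEvents = Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-WAS'
            StartTime    = (Get-Date).AddHours(-1)
        } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
    }
}

$poolName = 'Test2'
$user     = 'EUPOC_WebUser'
$pass     = 'astronGpassword'   # value from the question

if (-not (Test-LocalCredential -UserName $user -PlainPassword $pass)) {
    throw "Local SAM rejects the password for $user; fix the account before touching IIS"
}
Set-AppPoolIdentity -PoolName $poolName -UserName $user -PlainPassword $pass
Restart-WebAppPool -Name $poolName
Get-AppPoolIdentityReport -PoolName $poolName | Format-List
```

If `Test-LocalCredential` returns `$false` while the IIS UI also rejects the password, the problem is on the account side (password, lockout, or a local policy on the account) rather than in IIS; if it returns `$true` but the pool still stops on the first request, the `RecentWasEvents` output is where the actual reason for the 503 is recorded.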