I am attempting to move a project forward using a local user account as the IIS app pool identity until domain trusts are established. I have tried everything I can think of to have a local user account run the app pool without a 503 on the first request. If I use my domain account, I have no problem.

If I use the IIS UI and attempt to add the user as the app pool Identity, I get an invalid password error, even though I copied and pasted the password that was used to create the local user account and I know it is correct. The weird part is I can bind the user using the following script:

try
{
  # WEB User Account - This will eventually be converted to a domain account
  $username = "EUPOC_WebUser"
  $plainPassword = "astronGpassword"
  $password = ConvertTo-SecureString $plainPassword -AsPlainText -Force

  #Remove-LocalUser -Name $username -ErrorAction Ignore | Out-Null
  #New-LocalUser -Name $username -Description 'For SSRS.' -Password $password -PasswordNeverExpires -AccountNeverExpires | Out-Null

  # Pool settings (these variables were referenced but never assigned)
  $appPoolName = "Test2"
  $runTimeVersion = "v4.0"
  $pipelineMode = "Integrated"
  $enabled32BitApps = "false"

  Remove-WebAppPool -Name $appPoolName -ErrorAction Ignore
  Remove-WebSite -Name $appPoolName -ErrorAction Ignore

  $newAppPool = New-WebAppPool -Name $appPoolName -Force
  $newAppPool.autoStart = "true"
  $newAppPool.managedRuntimeVersion = $runTimeVersion
  $newAppPool.managedPipelineMode = $pipelineMode
  if ($enabled32BitApps -eq "true")
  {
       $newAppPool.enable32BitAppOnWin64 = "$enabled32BitApps"
  }
  if ($false -eq [System.String]::IsNullOrWhiteSpace($username))
  {
      $newAppPool.ProcessModel.userName = "$username"
      # processModel.password takes the clear-text password; interpolating the
      # SecureString ("$password") stores the literal text "System.Security.SecureString"
      $newAppPool.ProcessModel.password = $plainPassword
      $newAppPool.ProcessModel.identitytype = 3   # 3 = SpecificUser
  }
  $newAppPool | Set-Item | Out-Null

  Write-Host "Create app-pool $appPoolName";
  New-WebSite -Name "Test2" -Port 80 -PhysicalPath "C:\WebApps\Test" -ApplicationPool $appPoolName -Force | Out-Null
}
catch
{
  # Do not swallow errors silently; a failed Set-Item is exactly what needs to be seen here
  Write-Error $_
}

I have added the user to these security policies:

  • Log on as a service
  • Log on as a batch job

I have added the user as a member of:

  • IIS_IUSRS
  • Administrators

The website only contains a hello.html web page and I have tried all combinations of app pool configurations.

I am starting to think there may be a corporate policy preventing me from doing this. Would this be a common thing corporate would not allow, and if so, is there a way to visibly check, or do I need to ping a SecOps manager?
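An added diagnostic script (not part of the question or its script) that reads back what IIS actually stored for the pool's identity, validates the local account's password against the machine SAM the way the worker-process logon does, checks the two user rights named above, and lists recent WAS events that report identity failures. It assumes the same names as the question (pool Test2, account EUPOC_WebUser) and runs from an elevated PowerShell with the WebAdministration module.

```powershell
# Added example: verify an app-pool's local-account identity end to end.
Import-Module WebAdministration

$appPoolName   = "Test2"            # assumption: pool name from the question
$username      = "EUPOC_WebUser"    # assumption: local account from the question
$plainPassword = "astronGpassword"  # assumption: clear-text password from the question

# 1. What IIS actually stored for the pool's processModel
$pm = Get-ItemProperty "IIS:\AppPools\$appPoolName" -Name processModel
"identityType : $($pm.identityType)"   # expect SpecificUser
"userName     : $($pm.userName)"       # expect EUPOC_WebUser

# 2. Validate the credentials against the local SAM (Machine context); this is the
#    same logon WAS performs when it starts the worker process for the pool
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
          [System.DirectoryServices.AccountManagement.ContextType]::Machine)
"credentials valid : $($ctx.ValidateCredentials($username, $plainPassword))"

# 3. Confirm the account's SID appears in the two user-rights assignments
$cfg = Join-Path $env:TEMP "secpol-export.inf"
secedit /export /cfg $cfg /quiet | Out-Null
$sid = (New-Object System.Security.Principal.NTAccount($username)).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value
foreach ($right in "SeServiceLogonRight", "SeBatchLogonRight") {
  $line = Select-String -Path $cfg -Pattern "^$right" | Select-Object -First 1
  $has  = [bool]$line -and ($line.Line -match [regex]::Escape("*$sid"))
  "$right : $has"
}
Remove-Item $cfg -ErrorAction Ignore

# 4. Pool state plus recent WAS events; event 5021 means WAS could not log the
#    identity on (bad password or missing logon right), which surfaces as a 503
"pool state : $((Get-WebAppPoolState $appPoolName).Value)"
Get-WinEvent -FilterHashtable @{LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS'} `
  -MaxEvents 5 -ErrorAction Ignore |
  Select-Object TimeCreated, Id, Message | Format-List
```

If step 2 reports false while the password is known to be correct, the account is blocked from logging on rather than mistyped, and the WAS events in step 4 will say which; a user-rights check that prints false despite the policy change usually means the policy has not been refreshed yet (gpupdate /force) or is overridden by a domain GPO.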

1
  • I’m not an IIS expert by any means, but isn’t it a terrible idea to have an app pool user be an administrator on the machine? Second: if it does work with PowerShell, isn’t that enough to start with?
    – Mikael H
    4 hours ago
