Server 2012 / IIS 8 - 503 Service Unavailable + AppPool Stops (same old thing...)

  • Question

  • User747928573 posted

    Hi all -

    I am new to these forums and pretty desperate! I have a custom-built (but not by me!) application that runs under IIS. I have deployed it numerous times in various ways, with little to no trouble ever. This time, however, it's got me stumped.

    The application runs under a specific, limited domain user and connects to a back-end SQL database. In this particular instance, setting the ApplicationPool to run as that user seems to work, but upon accessing the site I get a 503 and then the application pool stops. As a troubleshooting step, I changed the identity to NetworkService - this results in the site working, although it fails to connect to the database (as one would expect). So, the answer seems to be a permissions issue - something the service account lacks that the NetworkService account has.

    The error returned in Event Log (WAS error) suggests the problem is the service account needs the "log on as a batch job" right, but I don't really understand why, nor why this has never been a concern in the past. I have very few deployments on 2012 - everything else is 2008/2008R2 or 2016. Maybe a quirk there? In any case, I'm hesitant to add rights to this user... all it should be able to do is run an app pool and connect to a specific database. 

    Can anyone think of something I have overlooked? Any help is appreciated.

    Edit: I will add I am as close to certain as I can be it's not a credentials issue - changing the password to random characters (i.e., an incorrect password) changes the logged error to reference invalid credentials.

    Friday, July 26, 2019 3:15 PM

All replies

  • User-848649084 posted

    Hi,

    Restart the application pool and try again to access the site. If it still crashes, then check the event error log and share a snapshot of the event error log showing what causes the application pool to crash.

    Monday, July 29, 2019 7:50 AM
  • User690216013 posted

    https://support.microsoft.com/en-ca/help/981949/description-of-default-permissions-and-user-rights-for-iis-7-0-and-lat

    Ask your domain administrators to help, as "log on as a batch job" should come from IIS_IUSRS (pool identities are automatically enrolled to this group). There must be something wrong on this server preventing that group from working.

    Tuesday, July 30, 2019 2:33 AM
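
Added example, not part of any post in this thread: one way to check the point made in the reply above, that "log on as a batch job" (`SeBatchLogonRight`) should reach a pool identity through IIS_IUSRS. It parses the text that `secedit /export /areas USER_RIGHTS` writes; the function names are hypothetical, the sample policy is constructed, and the extra look at `SeDenyBatchLogonRight` goes beyond what the thread discusses.

```powershell
$IisIusrsSid = 'S-1-5-32-568'   # well-known SID of BUILTIN\IIS_IUSRS

function Get-RightHolders {
    param([string[]]$PolicyLines, [string]$Right)
    # secedit writes one line per user right, for example:
    #   SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-568
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*='
    $line = $PolicyLines | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { return }               # right is not assigned to anyone
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |   # drop the '*' SID prefix
        Where-Object { $_ }
}

function Test-IisIusrsBatchLogon {
    param([string[]]$PolicyLines)
    $allow = @(Get-RightHolders -PolicyLines $PolicyLines -Right 'SeBatchLogonRight')
    $deny  = @(Get-RightHolders -PolicyLines $PolicyLines -Right 'SeDenyBatchLogonRight')
    [pscustomobject]@{
        Granted = $allow -contains $IisIusrsSid   # IIS_IUSRS holds the right
        Denied  = $deny  -contains $IisIusrsSid   # an explicit deny would win over a grant
        Holders = $allow -join ', '
    }
}

# Constructed sample: a policy in which the right no longer lists IIS_IUSRS.
$sample = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeServiceLogonRight = *S-1-5-80-0
'@ -split "`r?`n"

Test-IisIusrsBatchLogon -PolicyLines $sample   # Granted and Denied are both False here

# On the server itself (elevated prompt), use the real policy instead:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   Test-IisIusrsBatchLogon -PolicyLines (Get-Content "$env:TEMP\rights.inf")
```

If `Granted` comes back False on the live export, restoring IIS_IUSRS to the right keeps the service account itself free of any directly assigned logon right.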
  • User747928573 posted

    Hi,

    Restart the application pool and try again to access the site. If it still crashes, then check the event error log and share a snapshot of the event error log showing what causes the application pool to crash.

    Thanks for the reply. As mentioned in the OP, the app pool starts every time, but crashes immediately upon someone accessing the site. The error in event log is "WAS error" and the test suggests either invalid credentials (demonstrably incorrect) or the account needs the "log on as a batch job" permission... which is the problem. I'm trying to determine why an app pool service account would need this permission, and if there is a way around it.

    Thursday, August 1, 2019 10:57 PM
  • User747928573 posted

    https://support.microsoft.com/en-ca/help/981949/description-of-default-permissions-and-user-rights-for-iis-7-0-and-lat

    Ask your domain administrators to help, as "log on as a batch job" should come from IIS_IUSRS (pool identities are automatically enrolled to this group). There must be something wrong on this server preventing that group from working.

    Yes, this makes sense... however I cannot run this app pool as IUSRS since it needs Windows Credentials-based access to a SQL server. As far as I know, IUSRS cannot function in this capacity. As a result, the app pool is run under a service account that can perform this function. Basically, I am trying to get a domain-wide AD account with a minimal set of permissions necessary to run as an app pool identity. I think. :)

    (I am the domain admin, so I can do whatever I want! :)

    Thursday, August 1, 2019 11:00 PM
  • User690216013 posted

    You'd better open a support case via http://support.microsoft.com to consult Microsoft AD experts directly. Your description above shows limited understanding of Windows accounts/groups, so you do need some guidance on that part.

    Friday, August 2, 2019 5:10 AM
  • User747928573 posted

    So you are aware of how to get UI/shell access to an IUSRS account safely? I was under the impression this was not possible (and rather the point of the IUSRS account in the first place). Perhaps you could point me to a reference? 

    Friday, August 2, 2019 3:36 PM
  • User-848649084 posted

    Hi,

    Could you share under which identity your application pool is running?

    Monday, August 5, 2019 3:07 AM