I'm trying to set a Domain User account as ApplicationPool Identity in IIS 8 (Windows 2012). When trying this using the IIS Management Console I always get an error:
Value does not fall within the expected range.
When trying to set the identity using appcmd.exe, it fails on both the command setting the username and password and the command setting only the password. Setting the username is no problem.
Trying to set both the username and password [FAIL]:
>appcmd set config /section:applicationPools /[name='AppPoolName'].processModel.identityType:SpecificUser /[name='AppPoolName'].processModel.userName:DOMAIN\Username /[name='AppPoolName'].processModel.password:P4ssW0rd
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
ERROR ( hresult:80070057, message:Failed to commit configuration changes. The parameter is incorrect. )
Trying to set only the username [SUCCESS]:
>appcmd set config /section:applicationPools /[name='AppPoolName'].processModel.identityType:SpecificUser /[name='AppPoolName'].processModel.userName:DOMAIN\Username
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
Trying to set the password after successfully setting the username [FAIL]:
>appcmd set config /section:applicationPools /[name='AppPoolName'].processModel.identityType:SpecificUser /[name='AppPoolName'].processModel.password:P4ssW0rd
Applied configuration changes to section "system.applicationHost/applicationPools" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
ERROR ( hresult:80070057, message:Failed to commit configuration changes. The parameter is incorrect. )
I added the Domain User to the IIS_IUSRS group and allowed it to "Log on as a service".
Any suggestions what I might be doing wrong?
As per How do you setup an IIS Web App so it can access a network share without an AD?
I had the same problem but couldn't leave the password in clear text, so I dug a little further and found this article: Custom IIS App Pool Identity: Value does not fall within the expected range
The key step to diagnose is to look at the right events:
I had the same event errors as in the article:
Then I did the following:
c:\windows\System32\inetsrv\config)
<configProtectedData><providers> section by an old one (in c:\windows\System32\inetsrv\config\applicationHost.config)
Then I can again set a custom identity to the application pool.
You can grab the private key from another server and simply import it into this server by first exporting a key from another IIS server that works: C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis -px "iisWasKey" "C:\temp\AESKeys.xml" -pri
Second you can restore that key on the broken machine (copy the key to the other server and put it in the same place): C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis -pi "iisWasKey" "C:\temp\AESKeys.xml"
Third you edit the c:\windows\system32\inetsrv\applicationhost.config and use the configprotecteddata section from the known working server to use in place of the one already in this file.
It would look like this section:
If all goes well you can then test it out by creating an application pool and then go to advanced settings and run it as DOMAIN\user or some other user that it needs to be.
Tony Trus
Check the bindings for the applications that are configured on this application pool, to see if they have any incorrect bindings, e.g. invalid characters, spaces and so on.
Source
I have also run into this problem in Windows Server 2012.
If you remove the last parameter when using appcmd, the password, you will succeed in changing the identity type and setting the username.
I never figured out why I could not set the password, so I resorted to editing my applicationHost.config file directly. Unfortunately, with that the password is in clear text.
In addition to configuring the app pool to use a specific account I also did the following:
1) Included the account in the IIS_IUSRS group that indirectly gives it Logon as Batch Job rights.
2) Run the following command to grant rights to the user
See more: How To: Create a Service Account for an ASP.NET 2.0 Application (MSDN)
3) Restarted WAS and IIS to make sure the changes to the account's group membership take hold.
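An added example, not part of any answer on this page: a read-only PowerShell check of applicationHost.config that reports which application pools running as a specific user have their password stored in clear text, and whether the provider named in an encrypted value is declared under configProtectedData. The embedded XML, pool names and accounts are constructed sample data; the `[enc:provider:...:enc]` pattern is the form IIS uses for encrypted attributes.

```powershell
# Added example: audit applicationHost.config for clear-text app pool passwords.
# $sample is constructed data; pass -Path <applicationHost.config> to check a real file.
param([string]$Path)

$sample = @'
<configuration>
  <configProtectedData><providers>
    <add name="IISWASOnlyAesProvider" keyContainerName="iisWasKey" />
  </providers></configProtectedData>
  <system.applicationHost><applicationPools>
    <add name="PoolA"><processModel identityType="SpecificUser" userName="DOMAIN\svcA" password="[enc:IISWASOnlyAesProvider:Q09OU1RSVUNURUQ=:enc]" /></add>
    <add name="PoolB"><processModel identityType="SpecificUser" userName="DOMAIN\svcB" password="P4ssW0rd" /></add>
    <add name="PoolC"><processModel identityType="SpecificUser" userName="DOMAIN\svcC" password="[enc:MissingProvider:Q09OU1RSVUNURUQ=:enc]" /></add>
  </applicationPools></system.applicationHost>
</configuration>
'@

$text = if ($Path) { Get-Content -LiteralPath $Path -Raw } else { $sample }
$cfg  = [xml]$text

# Provider names declared in the configProtectedData section
$providers = @($cfg.SelectNodes('/configuration/configProtectedData/providers/add') |
    ForEach-Object { $_.GetAttribute('name') })

$findings = foreach ($pool in $cfg.SelectNodes('/configuration/system.applicationHost/applicationPools/add')) {
    $pm = $pool.SelectSingleNode('processModel')
    if ($null -eq $pm -or $pm.GetAttribute('identityType') -ne 'SpecificUser') { continue }
    $pw = $pm.GetAttribute('password')
    # Classify the stored value without ever printing it
    $status = if (-not $pw) {
        'no password stored'
    } elseif ($pw -match '^\[enc:([^:]+):.+:enc\]$') {
        if ($providers -contains $Matches[1]) { 'encrypted' } else { "encrypted, provider '$($Matches[1])' not declared" }
    } else {
        'CLEAR TEXT'
    }
    [pscustomobject]@{ Pool = $pool.GetAttribute('name'); User = $pm.GetAttribute('userName'); Password = $status }
}
$findings | Format-Table -AutoSize
```

On the sample data this lists PoolA as encrypted, PoolB as CLEAR TEXT and PoolC as encrypted with an undeclared provider.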
Try changing /section:applicationPools to /section:system.applicationHost/applicationPools and adding /commit:apphost to the end.