Apr 26, 2012
tom

Why doesn’t shared config on IIS 7.5 replicate app pool identity SIDs?

Question

We have an IIS 7.5 server farm set up using shared config. The config files were exported to a network share accessible to both machines. We know the shared config is working because everything is synched — new sites, site bindings, URL rewrite rules — everything except the app pool identity SIDs.

Creating an app pool in IIS 7.5 triggers the creation of a new app pool identity with a SID beginning with S-1-5-82 (more info). With shared config enabled, the app pool shows up on both nodes because it’s stored in ApplicationHost.config, but its corresponding SID is only created on the node where I went through the “Add Application Pool” process.

I can open Computer Management on the first node and see the app pool identity in the IIS_IUSRS group. However, on the other node, this group is empty.

Is this a bug in IIS, or did we do something wrong with our shared config?

Update: The IIS_IUSRS group is inconsequential. The manifestation of the issue is that I can assign file permissions to the app pool identity on one node but not the other. It’s similar to the topic of this question, but running IISRESET doesn’t fix it on the second node.

Asked by MALfunction84

Answer

The problem was with the User Profile Service. Shared Config synchronizes the app pools across IIS nodes, and that was working as expected. Normally, the User Profile Service is responsible for creating the user accounts that correspond to the App Pool identities when a new app pool is created. In this case, it was failing.

Restarting the User Profile Service fixed the problem. It is now creating the user accounts when a new app pool is added locally or remotely.

Answered by MALfunction84
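
A per-node check for the symptom described above, as an added example that is not part of the original question or answer: it lists every app pool from the shared config, tests whether `IIS AppPool\<name>` resolves to a SID on the local machine, and reports the state of the User Profile Service (`ProfSvc`). The function names are hypothetical, and the SID derivation in `Get-ExpectedAppPoolSid` is the commonly documented one, included as an assumption.

```powershell
# Added example. Run elevated on each farm node and compare the output.
# Written for PowerShell 2.0, which ships with Windows Server 2008 R2 / IIS 7.5.
Import-Module WebAdministration

function Get-ExpectedAppPoolSid([string]$PoolName) {
    # Assumption (commonly documented, not stated in the post): the SID is
    # S-1-5-82 followed by the SHA-1 of the lowercased UTF-16LE pool name,
    # read as five little-endian 32-bit integers. It depends only on the
    # name, so every node should end up with the same value.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($PoolName.ToLowerInvariant())
    $hash  = $sha1.ComputeHash($bytes)
    $parts = 0..4 | ForEach-Object { [System.BitConverter]::ToUInt32($hash, $_ * 4) }
    'S-1-5-82-' + ($parts -join '-')
}

function Test-AppPoolIdentity([string]$PoolName) {
    $account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")
    $sid = $null
    try {
        # Throws when this node cannot map the virtual account name to a SID,
        # which is the same condition that blocks assigning file permissions.
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $null
    }
    New-Object PSObject -Property @{
        Pool        = $PoolName
        Resolved    = ($sid -ne $null)
        LocalSid    = $sid
        ExpectedSid = Get-ExpectedAppPoolSid $PoolName
    }
}

$profSvc = Get-Service -Name ProfSvc   # User Profile Service
"{0}: User Profile Service is {1}" -f $env:COMPUTERNAME, $profSvc.Status

Get-ChildItem IIS:\AppPools |
    ForEach-Object { Test-AppPoolIdentity $_.Name } |
    Select-Object Pool, Resolved, LocalSid, ExpectedSid |
    Format-Table -AutoSize

# Pools showing Resolved = False on one node but True on the other match the
# symptom in the question. The fix reported in the answer was restarting the
# User Profile Service on the affected node:
#   Restart-Service -Name ProfSvc
```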
