App Pools now only run NT AUTHORITY accounts, no local or domain

We've had a problem crop up on one of our development Servers running IIS.
Any App Pool that has its Identity set to an account that is not an NT
AUTHORITY (Network Service, Local Service or Local System) account will
result in the App Pool failing and returning a 503 Service Unavailable. All
local and domain accounts that are being used as the Identity for App Pools
are members of the IIS_WPG group and had been working as of last week.

I've run IISRESET, reset the App Pools to make sure they had the correct
credentials.

I've tried running IISState and Windows Debugger to catch errors but haven't
been able to capture anything of value using either tool.

Anyone seen anything like this or have any suggestions?

Thanks,

Chris

Re: App Pools now only run NT AUTHORITY accounts, no local or domain

Chris,

For AppPool accounts other then the default ones, add these accounts
to the local group IIS_WPG.
In addition, set the ACL'ing of the physical files with (R)ead and
(E)xecute access for the new account, or the IIS_WPG itself.

I think you may be having issues on the 2nd step (ACL'ing) if files/
folders have been added to the WebApp.

There are a few techniques you can use:
- Look into C:\WINDOWS\system32\Logfiles\HTTPERR to view AppPool
issues.
- Look into the event viewer for special errors
- Use FileMon
- Use RegMon
- Browse locally using "localhost".
- Check the anonymous account you're using and its credentials (have
they changed?)
- Force NTFS ACL inheritance on the root physical folder.

Let us know more about the authentication settings you're using.

Tiago Halm

Re: App Pools now only run NT AUTHORITY accounts, no local or domain

More t-shoot info here:
http://blogs.iis.net/brian-murphy-booth/archive/2007/03/22/h ow-to-troubleshoot-an-iis-event-id-1009-error.aspx

Tiago Halm