IIS7.5 ApplicationPoolIdentity vs NetworkService .NET Application Issue

I have an ASP.NET Framework 4.0 web application. It runs perfectly fine on my local. I publish it out to our server that runs IIS 7.5. When I try to log in to the app running on the server, it posts back, but leaves me right back at the login page. No error message or anything.

I check the Event Viewer Application log and it gives an Info message:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.

By default new IIS7.5 Applications run under the ApplicationPoolIdentity virtual account. I've used ACL to give the app's ApplicationPoolIdentity (user "IIS AppPool\myapppool") permissions on the folder directory of the web application. I also change the Anonymous Authentication Credentials to use the Application pool identity.

If I change the Application Pool to run as NetworkService, I'm able to log in.

What have I missed? Why would it run fine under the NetworkService (as the Process Model Identity), but not for ApplicationPoolIdentity?


Firstly is there a problem running it under Network Service?

In theory AppPoolIdentity is the same as NetworkService but with a dedicated user account.

In reality it is a little different. There are a few undocumented features with AppPoolIdentity and the full workings of these are not clear. I am not sure if this is one of those cases.

However I think it is related to this:


"Looking back at the registry key, it contains a SID, so the autogenkey is stored on a per-user basis, i.e. in our case, since the two processes are running under different users they would have different autogen keys, which explains why we are seeing issues here.

The solution

The solution here is rather obvious once you know the background, either you manually generate a key, rather than using an autogen one, or you change the identity of the application pool to the same user for each app pools."

So really just change to Network Service. Your app will be fine there. This is default IIS7.0 behaviour and AppPoolIdentity doesn't offer too many benefits over it and I have had grief like you have with it for other reasons too.
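The first option in the quoted solution (manually generating a key instead of relying on the auto-generated one) can be done as follows. This is an added example, not code from the thread or from the quoted article; the function names are hypothetical and the key sizes and algorithms (HMACSHA256 validation, AES decryption) are assumptions.

```powershell
# Added example: build an explicit <machineKey> element so forms authentication
# tickets are protected with fixed keys instead of the auto-generated key that,
# per the quoted text, is stored per user (per application pool identity).

function New-HexKey {
    # Hypothetical helper: returns $Bytes cryptographically random bytes as hex.
    param([Parameter(Mandatory = $true)][int]$Bytes)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buffer)
    -join ($buffer | ForEach-Object { $_.ToString('X2') })
}

function New-MachineKeyElement {
    # Assumed sizes: 32-byte validation key for HMACSHA256,
    # 32-byte decryption key for AES (64 hex characters each).
    $validationKey = New-HexKey -Bytes 32
    $decryptionKey = New-HexKey -Bytes 32
    $template = '<machineKey validationKey="{0}" decryptionKey="{1}" ' +
                'validation="HMACSHA256" decryption="AES" />'
    $template -f $validationKey, $decryptionKey
}

# Emit the element; paste it inside <system.web> in the application's web.config.
# Generate the keys locally rather than with an online generator, and treat them
# as secrets: anyone who can read them can forge a valid authentication ticket.
New-MachineKeyElement
```

Restrict read access on web.config to administrators and the application pool identity once the keys are in place.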

GCSTSAuthor Commented:
Thanks for the response. As far as I know, no, there is no "problem" with us running the application using the NetworkService account, other than it's no longer what IIS7.5 defaults, so for IIS7.5's sake, we were wanting to run all applications under their own AppPoolIdentity.

The other objective at this point is simply to understand/find why one application seems to run fine under AppPoolIdentity while the next does not (and instead requires NetworkService).

For now, I'd like to leave the question open to see if anyone else has any info that may clear this mystery up for us. If no one does, then I'll most likely close this and mark Rovastar's as the answer.
Does one app have form authentication but the other does not?

GCSTSAuthor Commented:
They all use form based authentication.
Amandeep Singh Bhullar Commented:
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
I feel that I answered the question with ID: 37266459

This was pencilled in as an answer by the poster but was just waiting for more possible comments.