IIS7.5 ApplicationPoolIdentity vs NetworkService .NET Application Issue

I have an ASP.NET framework 4.0 web application. It runs perfectly fine on my local. I publish it out to our server that runs IIS 7.5. When I try to log in to the app running on the server, it posts back, but leaves me right back at the login page. No error message or anything.

I check the Event Viewer Application log and it gives an Info message:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.

By default new IIS7.5 Applications run under the ApplicationPoolIdentity virtual account. I've used ACL to give the app's ApplicationPoolIdentity (user "IIS AppPool\myapppool") permissions on the folder directory of the web application. I also change the Anonymous Authentication Credentials to use the Application pool identity.

If I change the Application Pool to run as NetworkService, I'm able to login.

What have I missed? Why would it run fine under the NetworkService (as the Process Model Identity), but not for ApplicationPoolIdentity?

Rovastar Commented:
Firstly is there a problem running it under Network Service?

In theory AppPoolIdentity is the same as NetworkService but with a dedicated user account.

In reality it is a little different. There are a few undocumented features with apppoolidentity and the full workings of these is not clear. I am not sure if this is one of those cases.

However I think it is related to this:

"Looking back at the registry key, it contains a SID, so the autogenkey is stored on a per-user basis, i.e. in our case, since the two processes are running under different users they would have different autogen keys, which explains why we are seeing issues here.

The solution

The solution here is rather obvious once you know the background, either you manually generate a key, rather than using an autogen one, or you change the identity of the application pool to the same user for each app pool."

So really just change to Network Service. Your app will be fine there. This is default IIS7.0 behaviour and AppPoolIdentity doesn't offer too many benefits over it and I have had grief like you have with it for other reasons too.
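
The "manually generate a key" option from the passage quoted above, as an added example that is not part of the thread: a PowerShell sketch that emits a `<machineKey>` element with explicit keys, so the Forms authentication ticket is validated with the same key whichever identity the application pool runs as. The function names are hypothetical, and the algorithm and key sizes (HMACSHA256 with a 64-byte key, AES with a 32-byte key) are assumed choices for an ASP.NET 4.0 application.

```powershell
# Added example, not from the thread. Emits a <machineKey> element with explicit
# keys to use in place of the per-user auto-generated ones ("AutoGenerate").

function New-RandomHex {
    param([Parameter(Mandatory = $true)][int]$ByteCount)
    $bytes = New-Object byte[] $ByteCount
    # Cryptographic RNG; Get-Random is not suitable for key material
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    # BitConverter yields "AB-CD-..."; the config attributes take plain hex
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function New-MachineKeyElement {
    # Assumed sizes: 64-byte validation key (HMACSHA256), 32-byte decryption key (AES-256)
    $validationKey = New-RandomHex -ByteCount 64
    $decryptionKey = New-RandomHex -ByteCount 32
    $template = '<machineKey validation="HMACSHA256" decryption="AES" ' +
                'validationKey="{0}" decryptionKey="{1}" />'
    return ($template -f $validationKey, $decryptionKey)
}

$element = New-MachineKeyElement

# Sanity checks before the element goes anywhere near web.config:
# it must parse as XML and carry keys of the expected hex length.
$parsed = [xml]$element
if ($parsed.machineKey.validationKey.Length -ne 128) { throw 'validationKey has the wrong length' }
if ($parsed.machineKey.decryptionKey.Length -ne 64)  { throw 'decryptionKey has the wrong length' }

# Paste the printed element inside <system.web> of the application's web.config
$element
```

The generated keys are secrets: anyone who can read them can forge authentication tickets for the application, so keep web.config readable only by administrators and the application pool identity.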
GCSTS (Author) Commented:
Thanks for the response. As far as I know, no, there is no "problem" with us running the application using the NetworkService account, other than it's no longer what IIS7.5 defaults, so for IIS7.5's sake, we were wanting to run all applications under their own AppPoolIdentity.

The other objective at this point is simply to understand/find why one application seems to run fine under AppPoolIdentity while the next does not (and instead requires NetworkService).

For now, I'd like to leave the question open to see if anyone else has any info that may clear this mystery up for us. If no one does, then I'll most likely close this and mark Rovastar's as the answer.
Does one app have form authentication but the other does not?
GCSTS (Author) Commented:
They all use form based authentication.
Amandeep Singh Bhullar Commented:
I've requested that this question be deleted for the following reason:

The question has either no comments or not enough useful information to be called an "answer".
I feel that I answered the question with ID: 37266459

This was pencilled in as an answer by the poster but was just waiting for more possible comments.