Re: Howto refresh IIS 6 Application pool identity credential info
- From: wjzhang@xxxxxxxxxxxxxxxxxxxx ("WenJun Zhang[msft]")
- Date: Mon, 11 Feb 2008 07:46:14 GMT
Hi Peter,
What you detected should be expected behavior. Have you also tried
accessing any resources on the web site after changing the application
pool's identity and restarting/recycling the pool? If so, you should see a
logon event with the changed credential when the new HTTP request arrives.
The fact is:
After we change a pool's identity, the custom user account's username and
password are simply encrypted and saved by IIS without any validation or
logon attempts. That's why you don't see the credential change immediately.
As soon as a new request comes in to the corresponding web site which the
AppPool needs to serve, the IIS W3SVC service will then start up a new
worker process (w3wp.exe - can be viewed in Task Manager or Process
Explorer, etc.) with the new identity. You should see the expected logon
attempts at that time.
The difference with IISRESET here is that when we restart the whole IIS
services, the startup process will try a test logon for all the identity
accounts to check if all the usernames and passwords are valid. If not, IIS
will disable that pool.
Furthermore, a main problem of using a custom domain account as the
application pool identity is that we must manually set up an SPN for
Kerberos to work for Integrated Windows authentication. Also, only one SPN
(of the domain account) can be set for the HTTP service on the server.
Otherwise, you will need to use NTLM.
871179 You receive an "HTTP Error 401.1 - Unauthorized: Access is denied
due to invalid credentials" error message when you try to access a Web site
that is part of an IIS 6.0 application pool
http://support.microsoft.com/default.aspx?scid=kb;EN-US;871179
I hope the above information helps. Please update here if you have any
further questions.
Have a nice week.
Sincerely,
WenJun Zhang
Microsoft Online Community Support
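
Added example, not part of the original post: the SPN point in the reply above implies that an HTTP SPN should sit on the application pool's domain account and nowhere else. This Python sketch assumes its input is text in the layout printed by `setspn -L` (the sample text and all account names are constructed) and reports HTTP SPNs held by more than one account, plus accounts other than the pool identity that hold one.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by `setspn -L <account>`, joined for
# three hypothetical accounts (real output indents with a tab; strip() copes).
SAMPLE = """\
Registered ServicePrincipalNames for CN=svc-apppool,OU=Service,DC=example,DC=com:
    HTTP/www.example.com
    HTTP/www
Registered ServicePrincipalNames for CN=WEB01,OU=Servers,DC=example,DC=com:
    HOST/WEB01
    HOST/web01.example.com
    http/WWW.example.com
Registered ServicePrincipalNames for CN=svc-old,OU=Service,DC=example,DC=com:
    HTTP/intranet.example.com
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

def parse_setspn(text):
    """Return {account DN: [SPN, ...]} from concatenated `setspn -L` output."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            accounts[current] = []
        elif line.strip() and current is not None:
            accounts[current].append(line.strip())
    return accounts

def duplicate_http_spns(accounts):
    """Map each HTTP SPN (lower-cased; SPNs are case-insensitive) to its holders if >1."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            if spn.lower().startswith("http/"):
                owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

def unexpected_holders(accounts, pool_identity_dn):
    """Accounts other than the pool identity that hold any HTTP SPN."""
    return sorted(dn for dn, spns in accounts.items()
                  if dn != pool_identity_dn
                  and any(s.lower().startswith("http/") for s in spns))

if __name__ == "__main__":
    print(duplicate_http_spns(parse_setspn(SAMPLE)))
```

A non-empty result from either function points at an SPN registration to clean up before expecting Kerberos to work for the site.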