FIX: ASP.NET does not work with the default ASPNET account on a domain controller

The publication number for this article was CHS315158
Symptoms
After you install Microsoft Visual Studio .NET or the Microsoft .NET Framework on a domain controller or backup domain controller, the browser displays the following error message when you try to run an ASP.NET application:

Server Application Unavailable

The Web application you are attempting to access on this Web server is currently unavailable.

Please hit the ' Refresh ' button in your Web browser to retry your request.
In addition, the following events are logged in the System application event log:

aspnet_wp.exe could not be launched because the username and/or password supplied in the processModel section of the config file are invalid.
aspnet_wp.exe could not be started.
HRESULT for the failure: 80004005
This issue relates to Internet Information Services (IIS) version 5.0 or later.
Reason
By default, to provide a more secure environment, ASP.NET runs its worker process (Aspnet_wp.exe) under a weak account (the local computer account named ASPNET). On a domain controller or backup domain controller, all user accounts are domain accounts, not local computer accounts. Therefore, Aspnet_wp.exe cannot start because it cannot find a local account named "localmachinename\ASPNET". To provide a valid user account on a domain controller, you must specify an explicit account in the <processModel> section of the Machine.config file, or you must use the SYSTEM account.

Note: You also experience this problem if you try to debug (click the Start button) before you browse to the page.
Solution
To resolve this issue, use one of the following methods:
• Create a weak account with the correct permissions, and then configure the <processModel> section of the Machine.config file to use the account.
• In the <processModel> section of the Machine.config file, set the userName attribute to SYSTEM.
• Configure the <processModel> section of the Machine.config file to use the Administrator account.
Note: In ASP.NET 1.1, the ASP.NET worker process identity is IWAM_machinename, so this problem does not exist.

Note: Allowing ASP.NET applications to run as the SYSTEM account or the Administrator account has serious security implications. If you use any of these workarounds, code that runs in the Aspnet_wp.exe process has access to domain controllers and domain settings. Executables that are started from the Aspnet_wp.exe process run in the same context, and they also have access to domain controllers.

Therefore, Microsoft recommends the first workaround. To use the first workaround, follow these steps:
1. Create a user account named ASPUSER on your computer, and then add this account to the Users group.

Note: You can also use the ASPNET account created by the .NET Framework if you change the password for that account. You must know the password for the account because you need to add the password to the <processModel> section later in this procedure.
2. Grant the ASPUSER or ASPNET account the "Log on as a batch job" user right. Make sure that this change appears in the Local Security Policy setting.

Note: To grant this account the "Log on as a batch job" user right, you may have to grant the user right in each of the following security policies (opened from Administrative Tools in Control Panel):

• Domain Controller Security Policy
• Domain Security Policy
• Local Security Policy

Note: You may have to restart the server for these changes to take effect.
3. Ensure that the ASPUSER or ASPNET account has access to all the directories and files that are required to start the Aspnet_wp.exe process and to serve the ASP.NET pages. For additional information about the permissions that must be granted to this account, click the following article number to view the article in the Microsoft Knowledge Base:
317012 (http://support.microsoft.com/kb/317012/) Process and request identity in ASP.NET
4. Open the Machine.config file. The path to the file is: %systemroot%\microsoft.net\framework\v1.0.3705\config.
5. In the <processModel> section of the Machine.config file, change the userName and password attributes to the name and password of the account that you created in the first step. For example:
userName="DomainName\ASPUSER" password="ASPUSERpassword"
6. Save the changes to the Machine.config file.
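
The check below is an added example, not part of the original article or of any Microsoft tool: it audits the identity set in a Machine.config <processModel> element against the three options described above. The special values "machine" and "AutoGenerate" are the defaults shipped in Machine.config; the sample fragments, function names and severity labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed Machine.config fragment for illustration; not copied from a real server.
TEMPLATE = ('<configuration><system.web>'
            '<processModel enable="true" userName="{u}" password="{p}"/>'
            '</system.web></configuration>')

def sample(user, password):
    """Build a constructed Machine.config fragment with the given identity."""
    return TEMPLATE.format(u=user, p=password)

def audit_process_model(xml_text, on_domain_controller=True):
    """Return (severity, message) findings for the <processModel> identity."""
    pm = next(ET.fromstring(xml_text).iter("processModel"), None)
    if pm is None:
        return [("info", "no <processModel> element found")]
    # Assumption: a missing attribute is treated like the shipped default.
    user = pm.get("userName", "machine")          # "machine" = local ASPNET account
    password = pm.get("password", "AutoGenerate")
    account = user.rsplit("\\", 1)[-1].lower()    # drop the DomainName\ prefix
    findings = []
    if account == "machine":
        if on_domain_controller:
            findings.append(("error", "local ASPNET account does not exist on a "
                             "domain controller; aspnet_wp.exe cannot start"))
        return findings
    # Name-based check only: group membership cannot be read from the file.
    if account in ("system", "administrator"):
        findings.append(("high", f"worker process runs as {user}: code in "
                         "aspnet_wp.exe gets access to domain settings"))
    if password != "AutoGenerate":
        findings.append(("medium", "account password is stored in clear text; "
                         "restrict read access to Machine.config"))
    return findings

if __name__ == "__main__":
    for user, pw in [("machine", "AutoGenerate"), ("SYSTEM", "AutoGenerate"),
                     (r"DomainName\Administrator", "example-only"),
                     (r"DomainName\ASPUSER", "ASPUSERpassword")]:
        print(user, audit_process_model(sample(user, pw)))
```

A "medium" finding is expected for the recommended ASPUSER setup, because the password sits in the file as plain text; article 329290 in the references covers encrypting those credentials.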

Status
Microsoft has confirmed that this is a bug in the Microsoft products listed at the beginning of this article. This bug was corrected in ASP.NET (included with the .NET Framework) version 1.1.
References
For additional information about ASP.NET security, click the following article number to view the article in the Microsoft Knowledge Base:
306590 (http://support.microsoft.com/kb/306590/) INFO: ASP.NET Security overview
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
316989 (http://support.microsoft.com/kb/316989/) PRB: "Login Failed" (Logon Failure) error message when creating a trusted data connection from ASP.NET to SQL Server
329290 (http://support.microsoft.com/kb/329290/) How to use the ASP.NET tool to encrypt credentials and session state connection strings
317012 (http://support.microsoft.com/kb/317012/) Process and request identity in ASP.NET

--------------------------------------------------------------------------------

The information in this article applies to:
Microsoft ASP.NET 1.0
Microsoft Internet Information Services 5.0
Microsoft Mobile Internet Toolkit 1.0