There is something preventing me from binding a local/non-domain windows user account to the identity of an IIS app-pool.
There is a website in IIS called "Test" that hosts a single test.html page. I have associated an application pool called "Test" to this website with the default "ApplicationPoolIdentity" as the app-pool identity. When I browse to the site, I get the hello web page.
Next
- Create a local Windows user account name WebUser and paste the password to notepad.
- Go to IIS and set the "Test" app-pool identity to the user created in step 1 and paste the password. Here I get and invalid password error, whether I paste the password or type it in.
- Create a PowerShell script that binds the user to the app-pool - this works, even though the UI fails. (I visual validate that the "WebUser" is now the identity)
- Open the website and get 503 and black square on app-pool.
- Add user as a member of IISU_IUSR group.
- Add user to "Login as Service" security policy.
- Add user to "Login as Batch" security policy.
- iisreset /restart
- Browse "Test" website 503 and black square on app-pool.
- Restart app pool 11.Browse "Test" website 503 and black square on app-pool.
On a laptop at my home, I can create a local account and bind it as app-pool identity with no other changes and the website runs without let or hindrance.
Laptop at home is Windows 10 Pro Laptop at work is Windows 11 Enterprise
Could this be a policy pushed out by corp blocking? Why can I bind a user using PowerShell or appcmd.exe but not the IIS UI?