Having deployed my website to IIS7.5 I found one strange behaviour: when application pool identity is left to be ApplicationPoolIdentity
by default (as recommended in IIS Application Pool Identities), Ninject
seems to be ignored, as I get the following error, while creating the very first controller:
System.InvalidOperationException: An error occurred when trying to create a controller of type '..MainController'. Make sure that the controller has a parameterless public constructor. ---> System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred.
I tried to grant FullAccess
to IIS AppPool\<MySiteAppPool>
to the folder, containing the site (including all subfolders and files), but this did not change anything.
However, when I set the application pool identity to any domain account (even a simple one, without administrative privilages, as well as without any access to the folder with the site), it works normally.
Ninject is installed according to Setting up an MVC3 application tutorial through the NuGet package.
I am not sure, if it's relevant, the site is supposed to work in a domain intranet with windows authentication.
So, the only problem seems to be with the application pool identity. As far as I am eager to use the recommended way, I'd love to have the ApplicationPoolIdentity
, not a domain account.
What can this be connected with? Is it possible to mix all these together?
Here is an SO thread with a similar issue: ASP.NET MVC 4 + Ninject MVC 3 = No parameterless constructor defined for this object. However no suitable answer there at all either.
As a deleted comment suggested, I tried using NetworkSerive
as the identity. And it worked properly. However, I guess this is not much better, than a non-privileged domain account.
EDIT
Suddenly found another dependency: the application pool identity is used for the windows authentication on sql server, though I expected the client-side user's credentials to be used there.
Based on comments
Agree that a remote sql server can be accessed with the authenticated credentials via impersonation.
However it is still not clear what the problem is with ApplicationPoolIdentity and Ninject.
The article mentiond at the very top of this question made me suppose that this could be caused by the fact, that virtual account has no user profile. This aspect remains unclear to me, as one can still enable IIS to load the user profile with the LoadUserProfile
attribute. I can't get, what is IIS going to load, if there is no profile for the virtual account?
It is said there:
IIS doesn't load the Windows user profile, but certain applications might take advantage of it anyway to store temporary data. SQL Express is an example of an application that does this. However, a user profile has to be created to store temporary data in either the profile directory or in the registry hive. The user profile for the NETWORKSERVICE account was created by the system and was always available. However, with the switch to unique Application Pool identities, no user profile is created by the system. Only the standard Application Pools (DefaultAppPool and Classic .NET AppPool) have user profiles on disk. No user profile is created if the Administrator creates a new Application Pool.
However, if you want, you can configure IIS Application Pools to load the user profile by setting the "LoadUserProfile" attribute to "true".
I found the following thread on serverfault.com:
How can I assign active directory permission to the default app pool identity
There it is also stated that app pool identity is unable to work as a network service, in particular, query the AD.