What Exactly Happens When I Set LoadUserProfile of IIS Pool

What exactly happens when I set LoadUserProfile of IIS pool?

I mean, if it's a "good" thing then why is it not "on" by default, and why is it there at all?

IIS 6 never loaded user profiles. I would assume this is off by default to keep the behavior consistent, and an administrator has to opt-in to it.

I tried to enable LoadUserProfile for the application pool and it works now.

This is most likely because the Windows Cryptographic Service Provider was trying to store or load a key for your certificate in the user store, and since a profile was not available, a cryptographic context was not available. Note that the Load User Profile setting only applies to user accounts. Service Accounts like NETWORK SERVICE and ApplicationPoolIdentity have special handling.

What exactly happens when I set LoadUserProfile in IIS pool

Well, the user profile is loaded. This includes their cryptographic store, environment variables such as %TEMP%, and others.

What it eventually boils down to is LoadUserProfile is called by IIS when the AppPool starts.

What negative consequences can it have?

It may break backwards compatibility with an app that ran on IIS 6, which didn't load the user profile. The environment variables are loaded. For example, when Load User Profile is true, the %TEMP% environment variable is C:\Users\AccountName\AppData\Local\Temp. When false, it's C:\WINDOWS\Temp.

Can I disable loaduserprofile in IIS Express?

Visual Studio runs under your default account, which has permission to access all the things. An IIS application or site runs under the application pool identity, which uses IIS users like IUSR or IIS_IUSRS that do not have access to all the things. That's why you get the access denied error message. If you want to change the application pool identity, you could select your appropriate application pool and set it using the advanced settings. Local System and Network Service have enough access as application pool identity.


If you want to set load user profile to false, then you could modify the applicationHost.config file directly to add/manage application pools. To enable loading the user profile, modify the line related to your application pool and add the line below to it within the XML elements:

<processModel loadUserProfile="true" />

You could refer below link for more detail:

What exactly happens when I set LoadUserProfile of IIS pool?

loadUserProfile and IIS7 - understanding temporary directory failures

Access denied when reading system event log entries on ASP.NET web application hosted on IIS 8

Security exceptions in ASP.NET and Load User Profile option in IIS 7.5
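The Advanced Settings switch and the applicationHost.config line above are the two ways the thread gives for changing the setting. The following PowerShell script is an added example, not code from the original thread or from Microsoft: it reports each application pool's identity and loadUserProfile value, derives where %TEMP% will point for that pool's worker process using the rule stated earlier in the thread (the account's AppData\Local\Temp when the profile is loaded, C:\Windows\Temp when it is not), checks whether a profile folder already exists under C:\Users, and offers a helper to turn the profile on for one pool. It assumes IIS 7 or later with the WebAdministration module, an elevated session, and that profile folders live under the system drive's Users directory; the function names and the "service account (special handling)" label are the example's own.

```powershell
# Added example (not from the original thread): audit the loadUserProfile setting
# of every IIS application pool and optionally enable it for one pool.
# Assumes IIS 7+ with the WebAdministration module, run from an elevated session.
Import-Module WebAdministration

function Get-AppPoolProfileReport {
    foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
        $pm = $pool.processModel
        # Account the worker process runs as. For ApplicationPoolIdentity the
        # account name is the pool name, as the quoted documentation states.
        $account = switch ($pm.identityType) {
            'ApplicationPoolIdentity' { $pool.Name }
            'SpecificUser'            { ($pm.userName -split '\\')[-1] }
            default                   { $pm.identityType }   # NetworkService, LocalService, LocalSystem
        }
        $loads = [bool]$pm.loadUserProfile
        $isUserAccount = $pm.identityType -in 'ApplicationPoolIdentity', 'SpecificUser'
        # Where %TEMP% resolves for the worker process, per the thread's description.
        $expectedTemp = if (-not $isUserAccount) {
            'service account (special handling)'
        } elseif ($loads) {
            "$env:SystemDrive\Users\$account\AppData\Local\Temp"
        } else {
            "$env:windir\Temp"
        }
        [pscustomobject]@{
            Pool            = $pool.Name
            IdentityType    = $pm.identityType
            Account         = $account
            LoadUserProfile = $loads
            # Assumption: profile folder is <SystemDrive>\Users\<account>; a domain
            # user's folder may carry a suffix, so treat this as a hint only.
            ProfileFolder   = Test-Path "$env:SystemDrive\Users\$account"
            ExpectedTemp    = $expectedTemp
        }
    }
}

function Enable-AppPoolUserProfile {
    param([Parameter(Mandatory)][string]$PoolName)
    # Same effect as ticking "Load User Profile" in Advanced Settings, or running:
    #   appcmd set apppool /apppool.name:"<PoolName>" /processModel.loadUserProfile:true
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.loadUserProfile -Value $true
    # The profile is loaded when the worker process starts, so recycle the pool.
    Restart-WebAppPool -Name $PoolName
}

Get-AppPoolProfileReport | Format-Table -AutoSize
# Enable-AppPoolUserProfile -PoolName 'DefaultAppPool'
```

Run the report first: a pool whose ExpectedTemp is C:\Windows\Temp while the application writes temporary files or loads a certificate into the user key store is the situation the answers above describe, and the profile folder column tells you whether the profile has ever actually been created for that account.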

One more example where the "Load User Profile" setting could help you is the usage of temporary files. Sometimes this usage is indirect. SQL Express, for example, can do this in some situations.

So my advice: switch off "Load User Profile" and examine %TEMP%. Then try to give the domain account used for the application pool full access (or change access) to the directory from %TEMP%. Probably that fixes your problem.

One more piece of advice is to use Process Monitor (see http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) to locate which parts of the user profile are used (or receive an "access denied" error) at the moment when you receive the "System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission'" exception.

Why a new windows user profile is created when I create an Application Pool in IIS

This behaviour is because of the new security model starting with IIS 7.

Application Pool Identities started with IIS 7

Application Pool Identities allow you to run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool.

- Application Pool Identities (2009)

The main reason is security, each application pool is isolated from each other.

LoadUserProfile=true Creates the User Profile Folder

From experimenting on my machine I believe this setting is responsible for the folders being created.

Having LoadUserProfile set to true means that IIS will load the user profile for the application pool identity. This happens when the application is actually spun up; you can test this by creating a new app pool: if the setting is false, no new folders should be created under C:\Users when you hit the web site for the first time.

- IIS Documentation

According to the documentation LoadUserProfile should be false by default, although I have noticed that on Win 7 machines it might be set to true instead. You can change this default via the IIS GUI.


What permissions/policies are needed to support loadUserProfile=true for new application pools?

The SQM file listed in the event log warning was created by a Windows or Visual Studio update. When the user profile service or application pool runs and tries to create a new profile, it tries to copy the file to the profile. The SQM file requires administrator permissions to copy. The user profile service or application pool does not have sufficient permissions to copy the file, an error is generated, and the user profile is not created. Without a user profile, the application pool cannot run because it doesn't have an isolated secure place to store data.

Remove or delete the SQM file from the source directory, and the user profile will be created successfully when the app pool is initialized. You can also change the permissions on the SQM file, but I'm not sure what the appropriate permissions should be. The user profile service runs as "LocalSystem Account". See its documentation for permission info. It's unclear to me whether the application pool identity itself is being used to perform the copy operation, or the local system account.

If you remove the file from the source directory, you could also manually copy the file where it was trying to go as well.

After a very brief search about what SQM is, it seems like it is traditionally used as "service quality management". Usually it would contain information to send back to the program authors with metrics, logs, or somesuch. I don't know if this is the case with this file or not. So it doesn't seem like it's important to include it in the new profile.

I can't take 100% credit for this answer, as I was tipped off by a comment attached to an answer on some other question. I can't find the link to it in the 50 browser tabs open for troubleshooting this. That guy deserves a thank you, because I believe this is a much better solution than compromising the security of a server by pooling all the resources together like in IIS 6.

P.S. As noted in your comment, a bug report has been filed.

Can we add WEBSITE_LOAD_USER_PROFILE=1 to web.config

No, you can't.

Even if you use IIS 7, your option is to set the Load User Profile option to True in the IIS application pool configuration; you cannot set it in the web.config file. If you use other cloud services, I think there should also be a setting like WEBSITE_LOAD_USER_PROFILE in Azure.

For more details, you could refer to the links below.

  1. X509Certificate Constructor Exception

  2. What exactly happens when I set LoadUserProfile of IIS pool

  3. Can I set application pool in webconfig


