Solving IIS 7 Error 503 Service Unavailable
When trying to install a web site on my test machine (IIS Server) I got Error 503 Service Unavailable. After a long discussion with my seniors and searching on the Internet, I found the solution to this problem. In my case, it was related to incorrect application pool identity settings; sometimes it also happens because the Start Automatically property is false.
Before discussing the solution to this problem, let me tell you what is Application
Application Pool Identities:
IIS introduces a new security feature in Service Pack 2 (SP2) of Windows Server 2008 and Windows Vista. It's called Application Pool Identities. Application Pool Identities allow you to run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool. The w3wp.exe process (visible on the Processes tab in Task Manager) shows an IIS worker process running as the DefaultAppPool identity.
Application Pool Identity Accounts:
Worker processes in IIS 6.0, and in IIS 7 and above, run as NETWORKSERVICE by default. NETWORKSERVICE is a built-in Windows identity. It doesn't require a password and has only user privileges; that is, it is relatively low-privileged. Running as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.
However, a problem arose over time as more and more Windows system services started to run as NETWORKSERVICE. This is because services running as NETWORKSERVICE can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities. The Windows operating system provides a feature called "Virtual Accounts" that allows IIS to create unique identities for each of its Application Pools.
Now let’s return to resolving the Error 503 Service Unavailable problem. To resolve it, you have to make some changes in the IIS configuration; these changes are described under the heading below.
Configuring IIS Application Pool Identities:
If you are running IIS 7.5 on Windows Server 2008 R2, you don't have to do anything to use the new identity. For every Application Pool you create, the IIS Admin Process (WAS) will create a virtual account with the name of the new Application Pool and run the Application Pool's worker processes under this account.
If you are running Windows Server 2008, you have to change the IdentityType property of the Application Pools you create to ‘AppPoolIdentity’. Here is how:
Step 1: Open IIS Manager (short command: inetmgr) with
Open the Application Pools node underneath the machine node. Select the Application Pool you want to change to run under an automatically generated Application Pool Identity. Here I’m selecting ‘PHPWebCalendar’
Now right-click the selected Application Pool and click the ‘Advanced Settings’ option.
Now here you have to set the Start Automatically property to ‘true’ and set Identity property is
Now click the ‘OK’ button; your configuration settings will be saved.
Note: To do the same step by using the command line, you can call the appcmd command-line tool the following way:
set AppPool <your AppPool>
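The same two settings (Start Automatically and the identity type) can also be checked and set from PowerShell. This is an added example, not the original author's command: it assumes an elevated session with the WebAdministration module available, and the function name Repair-AppPoolFor503 is hypothetical.

```powershell
# Added example (not from the original article). Assumes an elevated session
# and the WebAdministration module; Repair-AppPoolFor503 is a hypothetical name.
Import-Module WebAdministration

function Repair-AppPoolFor503 {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,  # e.g. 'PHPWebCalendar'
        [switch] $Fix                                 # without -Fix: report only
    )
    $path = "IIS:\AppPools\$Name"
    if (-not (Test-Path $path)) { throw "Application pool '$Name' not found." }
    $pool = Get-Item $path

    if (-not $Fix) {
        # Report the settings that matter for the 503 described in the article.
        return New-Object PSObject -Property @{
            Name         = $Name
            State        = (Get-WebAppPoolState -Name $Name).Value
            AutoStart    = $pool.autoStart
            IdentityType = $pool.processModel.identityType
            # Virtual account to use in ACLs once the pool runs as
            # ApplicationPoolIdentity.
            AclPrincipal = "IIS AppPool\$Name"
        }
    }

    # Start Automatically = true
    if (-not $pool.autoStart) {
        Set-ItemProperty $path -Name autoStart -Value $true
    }
    # Identity = ApplicationPoolIdentity (per-pool virtual account)
    if ($pool.processModel.identityType -ne 'ApplicationPoolIdentity') {
        Set-ItemProperty $path -Name processModel.identityType `
                         -Value 'ApplicationPoolIdentity'
    }
    # A stopped pool is what the client sees as 503; start it after the change.
    if ((Get-WebAppPoolState -Name $Name).Value -ne 'Started') {
        Start-WebAppPool -Name $Name
    }
    return Repair-AppPoolFor503 -Name $Name   # re-read and report the new state
}

# Report every pool first, then fix only the one you intend to change:
# Get-ChildItem IIS:\AppPools | ForEach-Object { Repair-AppPoolFor503 -Name $_.Name }
# Repair-AppPoolFor503 -Name 'PHPWebCalendar' -Fix
```

Run the report before using -Fix: a pool that currently runs as a specific user may rely on file or database permissions granted to that account, and those must be re-granted to the pool's virtual account after the switch.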
Whenever a new Application Pool is created, the IIS management process creates a security identifier (SID) that represents the name of the Application Pool itself. For example, if you create an Application Pool with the name ‘MyAppPool’, a security identifier with the name ‘MyAppPool’ is created in the Windows Security system. From this point on, resources can be secured by using this identity. However, the identity is not a real user account; it will not show up as a user in the Windows User Management Console.
You can try this by selecting a file in Windows Explorer and adding the ‘DefaultAppPool’ identity to the file's Access Control List (ACL).
Open Windows Explorer
Select a file or directory.
Right click the file and select "Properties"
Select the "Security" tab
Click the "Edit" and then "Add" button
Click the "Locations" button and make sure you select your machine.
Enter ‘IIS AppPool\DefaultAppPool’ in the ‘enter the object names to select:’ text box.
Click the ‘Check Names’ button and
Application Pool Identities are a powerful new isolation feature introduced for Windows Server 2008, Windows Vista, Windows 7 and Windows Server 2008 R2. It will make running IIS applications even more secure