IIS 6.0 starts using IWAM account even when configured to use another

I’ve been seeing a lot of this bug on Win XP and 2003 (IIS 5.1 and 6.0).

Basically, the problem is that IIS is configured to serve anonymous requests using a special user account I’ve created for the purpose (let’s call this domain\myaccount), which works fine for a while. After some number of minutes, or hours, it suddenly starts serving those requests using the IWAM_Machinename account instead.

Repro steps:

  • I’ve got a basic IIS/ASP/VBScript application
  • The VBScript uses a COM control loaded with Server.CreateObject
  • The bug is reproducible on Win XP (IIS 5.1) or 2003 (IIS 6.0), but not 2000.
  • The IIS site does not have integrated Windows authentication. It serves all anonymous requests using a user account I’ve created on the domain for the purpose, domain\myaccount.
  • In the COM control I implemented a little function GetUserName which calls the GetUserName windows API to, uh, check the user name.
  • Application is configured as High (Isolated)
  • For a matter of minutes or hours the application faithfully runs using the account it’s supposed to use: domain\myaccount
  • Then suddenly: some requests run under domain\myaccount, while other requests are running as IWAM_Machinename. It looks like one of the IIS worker threads has lost interest in impersonating the account it’s supposed to impersonate.
  • On my XP desktop, the problem usually appears after 10 – 40 minutes. I can’t figure out how to repro it reliably.
  • The only way to get IIS serving anonymous requests using the correct account again is to restart it (or unload the application in question).

Some possible leads people emailed:

  • Some people have suggested running IIS in “5.0 isolation mode.” However the problem happens on XP as well, which uses IIS 5.1. This page on Microsoft’s web site says “IIS 6.0 runs in one of two distinct modes of operation, which are called application isolation modes: worker process isolation mode, and IIS 5.0 isolation mode which is almost identical to the process model of IIS 5.1 and earlier.” That makes me believe that IIS 5.1 is running in the same kind of isolation mode as 5.0. In the debugger I always see my app running under DLLHOST, and XP doesn’t let you configure application pools in the IIS manager.
  • Some people pointed out that if anything happened that caused the thread in question to call the Windows API function RevertToSelf I would see this behavior. That is correct, but I’m sure I’m not calling RevertToSelf, and I don’t think anything I’m doing is calling it indirectly.

Tim Chaffee finally sent in the suggestion that so far seems to have been the right answer:

“I would look at the MTS/COM+ package that IIS creates when you choose HIGH isolation. What user is that configured to use? It may be IWAM, and you may need to switch it to the user you need.”

That seems to be it. If you look in the Component Services control panel, it is indeed the case that the COM+ application that IIS created has its identity set to the IWAM_Machinename account. So actually the bug here is that IIS was running my app as domain\myaccount in the first place… it probably should have been running it as IWAM_Machinename.

I’ve been experimenting with this for a few hours and so far, changing the COM+ application identity in the Component Services control panel has fixed the problem. I’m still not 100% sure why this is the case or whether it’s a real fix. If anyone can provide a better explanation for what’s going on here I’ll be indebted to them.
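One way to check the COM+ identity without clicking through Component Services, as an added example that is not part of the original post: it reads the COM+ catalog through the COMAdmin.COMAdminCatalog automation object and flags any IIS-created out-of-process application whose identity is not the account the anonymous requests are supposed to run under. The `IIS-*` name filter (the naming IIS uses for High (Isolated) applications) and the expected account name are assumptions.

```powershell
# Added example: report COM+ (MTS) application identities and flag the ones
# that do not match the account IIS anonymous requests are configured to use.
# Assumption: expected account is domain\myaccount (the name used in the post).
# Assumption: applications IIS creates for High (Isolated) sites are named "IIS-...".
param(
    [string]$ExpectedIdentity = 'domain\myaccount'
)

# COMAdmin.COMAdminCatalog is the COM+ administration object; the "Applications"
# collection holds one catalog object per COM+/MTS application.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()   # load the catalog entries into the collection

$report = foreach ($app in $apps) {
    $name     = $app.Value('Name')
    $identity = $app.Value('Identity')     # account the dllhost process runs as
    $local    = ($app.Value('Activation') -eq 1)   # 1 = server (out-of-process), 0 = library

    # Only the applications IIS created are of interest here (assumed name prefix).
    if ($name -notlike 'IIS-*') { continue }

    [pscustomobject]@{
        Application = $name
        Identity    = $identity
        OutOfProc   = $local
        RunsAsIWAM  = ($identity -like '*IWAM_*')
        Mismatch    = ($identity -ne $ExpectedIdentity)
    }
}

$report | Format-Table -AutoSize

# Non-zero exit when any IIS application still runs as IWAM_ or another
# unexpected identity, so the script can run as a periodic check.
if ($report | Where-Object { $_.Mismatch }) { exit 1 } else { exit 0 }
```

Run it elevated on the web server; a row with `RunsAsIWAM` true while the site is configured to serve anonymous requests as a different account is the configuration described in this post.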

In the meantime, thanks to Sean Timm, Yakov Shafranovich, Simon Fell, Mike Surel, Sasha Do, Mike Openshaw, Marcus Tucker, Max Skibinsky, Scott Durow, John Christensen, Tim Chaffee, Steven Afdahl, Nick Parker, John Waterson, Beau Hartshorne, Olivier Dagenais, Gil Bahat, Robert MacLean, Nicole Calinoiu, Scott Wisniewski, Matthew Randle, Lars Bergstrom, Sikko2Go, Glenn Deschen, Brendan Tompkins, Bill Loytty, Sean Wheeler, and Justin Bowler for their helpful and intelligent suggestions.