
xWebAppPool failures when changing identity and credential

Open DaveFranks opened this issue 8 years ago • 3 comments

Scenario: Staged sites and pools were created on an IIS web farm with a test domain account and needed to change them to the production account. This is on Windows 2012 R2, using xWebAdministration -ModuleVersion 1.11.0.0.

Changing credentials on a 6 node farm containing 7 app pools failed and locked out the production ID it was trying to set. This was done simultaneously across the farm when update DSC was executed. The error message returned to the console from all nodes was:

PowerShell DSC resource MSFT_xWebAppPool failed to execute Set-TargetResource functionality with error message: The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop:
The service cannot accept control messages at this time. (Exception from HRESULT: 0x80070425)
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : xxxxxxxxxx

This error locked the account and disabled the pool, likely through rapidfailprotection. Event logs on the server show incorrect username/password combination, although querying the app pools with appcmd later does show the correct account and password was applied to the IIS configuration.

Since the underlying helper function "Invoke-AppCmd" is being used, I can only assume that it was the cause of the issue?

DaveFranks, Sep 12 '16 19:09

We have the same issue across our environments. It is seemingly random when the issue occurs, but it appears to focus on the same websites\application pools when it does. The quick solution (for us) has been to delete the site and application pools and let DSC recreate them. The irony of all that is that DSC seems to be creating the issue we are using DSC to correct. Alternately, we have plugged in the correct password and the issue goes away for a while (days to weeks). The biggest concern for this issue is it means I cannot run consistency in production with this behavior. If there are troubleshooting steps someone has that could help, that would be awesome. I have looked at the Invoke-AppCmd function, and it seems very basic, but maybe it should be updated to use WMI. I suppose the next time this is an issue I can pull what IIS has for the password before I fix the issue.

jwainwright, Nov 14 '16 14:11
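A diagnostic sketch for the symptoms reported in the two comments above (pool disabled, "incorrect username/password" in the event log while the IIS configuration shows the expected account). This is an added example, not part of the thread and not code from the xWebAdministration project. It assumes the WebAdministration module is present, failed-logon auditing (Security event 4625) is enabled on the node, and the one-hour look-back window covers the failed DSC run.

```powershell
# Added example: run elevated on one IIS node after a failed DSC consistency run.
# Assumption: $LookBack covers the time of the run; adjust as needed.
Import-Module WebAdministration

$LookBack = (Get-Date).AddHours(-1)

# Collect failed-logon events (4625) from the local Security log and
# reduce each one to the DOMAIN\user that failed to authenticate.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $LookBack }
$failedByAccount = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data   = ([xml]$_.ToXml()).Event.EventData.Data
        $user   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        $domain = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        "$domain\$user"
    } |
    Group-Object -NoElement

# For every app pool, show what IIS actually has configured next to the
# number of failed logons recorded for that identity on this node.
# Note: the match assumes processModel.userName is stored as DOMAIN\user;
# a UPN-style name (user@domain) will show 0 and needs a manual check.
Get-ChildItem IIS:\AppPools | ForEach-Object {
    $pm   = $_.processModel
    $hits = $failedByAccount | Where-Object Name -eq $pm.userName

    [pscustomobject]@{
        AppPool      = $_.Name
        State        = $_.State
        IdentityType = $pm.identityType
        UserName     = $pm.userName
        FailedLogons = if ($hits) { $hits.Count } else { 0 }
    }
} | Format-Table -AutoSize
```

A stopped pool whose configured account also shows failed logons in the window points at the credential being used before or while it was being changed. Running this on each farm node before re-enabling pools shows how many nodes contributed to the lockout.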

I am having the same issue. We have brand new servers and I created a basic app pool and receive the below errors. The application pool is created but it's disabled, and the DSC job fails. I'm only trying to set the application pool to NetworkService.

I'm using v1.19.0.0 on Windows Server 2012 R2.

PowerShell DSC resource MSFT_xWebAppPool  failed to execute Set-TargetResource functionality with error message: The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop:
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

Below is what I have for the command.

        xWebAppPool AppPool {
            Name                           = 'APP'
            Ensure                         = 'Present'
            State                          = 'Started'
            autoStart                      = $true
            enable32BitAppOnWin64          = $false
            enableConfigurationOverride    = $true
            managedPipelineMode            = 'Integrated'
            managedRuntimeLoader           = 'webengine4.dll'
            managedRuntimeVersion          = 'v4.0'
            passAnonymousToken             = $true
            startMode                      = 'OnDemand'
            queueLength                    = 9000 # Dev Requirement
            cpuAction                      = 'NoAction'
            cpuLimit                       = 0
            cpuResetInterval               = (New-TimeSpan -Minutes 5).ToString()
            cpuSmpAffinitized              = $false
            cpuSmpProcessorAffinityMask    = 4294967295
            cpuSmpProcessorAffinityMask2   = 4294967295
            identityType                   = 'NetworkService'
            idleTimeout                    = (New-TimeSpan -Minutes 20).ToString()
            idleTimeoutAction              = 'Terminate'
            loadUserProfile                = $false
            logEventOnProcessModel         = 'IdleTimeout'
            logonType                      = 'LogonBatch'
            manualGroupMembership          = $false
            maxProcesses                   = 1
            pingingEnabled                 = $true
            pingInterval                   = (New-TimeSpan -Seconds 30).ToString()
            pingResponseTime               = (New-TimeSpan -Seconds 90).ToString()
            setProfileEnvironment          = $false
            shutdownTimeLimit              = (New-TimeSpan -Seconds 90).ToString()
            startupTimeLimit               = (New-TimeSpan -Seconds 90).ToString()
            orphanActionExe                = ''
            orphanActionParams             = ''
            orphanWorkerProcess            = $false
            loadBalancerCapabilities       = 'HttpLevel'
            rapidFailProtection            = $true
            rapidFailProtectionInterval    = (New-TimeSpan -Minutes 5).ToString()
            rapidFailProtectionMaxCrashes  = 5
            autoShutdownExe                = ''
            autoShutdownParams             = ''
            disallowOverlappingRotation    = $false
            disallowRotationOnConfigChange = $false
            logEventOnRecycle              = 'Time,Requests,Schedule,Memory,IsapiUnhealthy,OnDemand,ConfigChange,PrivateMemory'
            restartMemoryLimit             = 20971520
            restartPrivateMemoryLimit      = 8388608
            restartRequestsLimit           = 2000000
            restartTimeLimit               = (New-TimeSpan -Minutes 1740).ToString()
            restartSchedule                = @()
        }

zacharyshupp, Mar 20 '18 23:03

I suggest that an integration test is created with the provided configuration above to try to reproduce this behavior. Also, I suggest the appveyor.yml is changed to run integration tests on both Windows Server 2012 R2 and Windows Server 2016, at least as long as AppVeyor provides these images.

image:
- Visual Studio 2015
- Visual Studio 2017

johlju, Apr 26 '18 11:04