An application pool is running under an incorrect identity

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2010-04-01

The Microsoft Exchange Best Practices Analyzer parses the roles that are running on an Exchange Server 2007-based computer together with the Internet Information Services (IIS) application pools that are used on the server.

The Best Practices Analyzer uses the results of the examination to determine whether the application pools under which each Exchange-related Web application runs are configured to run under the local System account.

If an application pool is not configured to run under the local System account, the Best Practices Analyzer generates the following error message:

Application pool '<ApplicationPoolName>' on server '<ServerName>' is configured to run under the wrong identity. '<ApplicationPoolName>' should run under the 'Local System' identity.

IIS uses application pools to separate Web applications and Web sites. Each application pool is served by a worker process or by a set of worker processes. Each worker process operates as a separate instance. The worker process for one application pool is separate from worker processes for other application pools. Therefore, separating Web applications and Web sites into different application pools helps increase reliability and security.

Exchange 2007 requires the following application pools to run under the local System account:

  • MSExchangeAutodiscoverAppPool

  • MSExchangeOWAAppPool

  • MSExchangeServicesAppPool

  • MSExchangeSyncAppPool

  • MSExchangeUMAppPool

This is to make sure that each Web application runs under an account that has the appropriate rights to access the server. To address this issue, configure the Exchange-related application pools to run under the local System account.

To modify an application pool in Windows Server 2008

  1. Start the Internet Information Services (IIS) Manager MMC snap-in.

  2. Expand the computer, and then click Application Pools.

  3. In the Application Pools pane, examine the entries in the Identity column to determine which identity each application pool uses.

  4. Click an application pool, such as MSExchangeOWAAppPool, and then click Advanced Settings in the details pane.

  5. In the Process Model section, click Identity, and then click the ellipsis button (…).

  6. In the Application Pool Identity dialog box, click Built-in account, click LocalSystem in the Built-in account list, and then click OK.

    Note

    Make sure that you do not click LocalService by mistake in the Built-in account list.

  7. Follow steps 4 through 6 for any other Exchange-related application pools that you want to modify.

  8. Click OK, and then reset IIS. To do this, run the iisreset /noforce command from a command prompt.
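The same check and change can be scripted on Windows Server 2008 (IIS 7) with appcmd.exe. The following PowerShell script is an added example, not part of the original topic or of the Best Practices Analyzer. It assumes IIS 7 with appcmd.exe in its default location and an elevated prompt, and the -Fix switch is a name introduced for this example: without it, the script only reports.

```powershell
# Added example: audit (and optionally correct) the identity of the Exchange 2007
# application pools on IIS 7 by using appcmd.exe. Run from an elevated prompt.
param([switch]$Fix)   # switch introduced for this example; omit it to report only

$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
if (-not (Test-Path $appcmd)) { throw "appcmd.exe not found at $appcmd (IIS 7 required)." }

# Pool names exactly as listed in this topic.
$pools = 'MSExchangeAutodiscoverAppPool', 'MSExchangeOWAAppPool',
         'MSExchangeServicesAppPool', 'MSExchangeSyncAppPool', 'MSExchangeUMAppPool'

$changed = $false
foreach ($pool in $pools) {
    # appcmd prints nothing when the pool does not exist, for example when the
    # server role that owns it is not installed on this computer.
    $identity = & $appcmd list apppool $pool /text:processModel.identityType
    if (-not $identity) {
        Write-Output "$pool : not present, skipped"
        continue
    }
    $identity = "$identity".Trim()
    if ($identity -eq 'LocalSystem') {
        Write-Output "$pool : OK (LocalSystem)"
        continue
    }
    Write-Warning "$pool runs as $identity, expected LocalSystem"
    if ($Fix) {
        & $appcmd set apppool $pool /processModel.identityType:LocalSystem | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "appcmd failed to update $pool" }
        $changed = $true
    }
}

# Same restart as step 8 of the procedure, run only if a pool was changed.
if ($changed) { iisreset /noforce }
```

Run the script once without -Fix to see which pools the Best Practices Analyzer would flag, and then again with -Fix to apply the change.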

To modify an application pool in Windows Server 2003

  1. Start the Internet Information Services (IIS) Manager MMC snap-in.

  2. Expand the computer, and then click Application Pools.

  3. Right-click an application pool, such as MSExchangeOWAAppPool, and then click Properties.

  4. Click the Identity tab, and then click Predefined.

  5. In the Predefined list, click Local System, and then click OK.

  6. In the confirmation message that appears, click Yes to confirm that you want to run the application pool as the local System account.

  7. Follow steps 3 through 6 for any other Exchange-related application pools that you want to modify.

  8. Reset IIS. To do this, run the iisreset /noforce command from a command prompt.