When configuring IIS 7 on Windows Server 2008 SP2 with custom application pool identities, many developers encounter HTTP 500 errors specifically when serving static content. The error manifests with these characteristics:
ModuleName: IIS Web Core
Notification: 2
HttpStatus: 500
HttpReason: Internal Server Error
HttpSubStatus: 0
ErrorCode: 2147943746
Notification: AUTHENTICATE_REQUEST
ErrorCode: 0x80070542 (Impersonation level error)
The core issue stems from impersonation settings when using custom accounts. Unlike built-in identities (like ApplicationPoolIdentity), custom accounts require explicit impersonation configuration. The error 0x80070542 specifically indicates insufficient impersonation rights.
Here's how to properly configure your environment:
1. Grant Necessary Permissions
While you've already granted file permissions, we need to set impersonation rights:
# PowerShell: grant the custom account "Impersonate a client after authentication".
# SeImpersonatePrivilege is a local user right on the web server, not an AD attribute,
# so it is written into the local security policy with secedit rather than Set-ADUser.
Import-Module ActiveDirectory
$user = "YOURDOMAIN\customaccount"
Add-ADGroupMember -Identity "Service Accounts" -Members $user
$inf = Join-Path $env:TEMP "rights.inf"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
(Get-Content $inf) -replace '^(SeImpersonatePrivilege\s*=.*)$', "`$1,$user" |
    Set-Content $inf -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP "rights.sdb") /cfg $inf /areas USER_RIGHTS | Out-Null
2. Configure IIS Authentication
In IIS Manager:
- Open Authentication settings for your site
- Disable Anonymous Authentication
- Enable Windows Authentication
- Click "Advanced Settings" and set Extended Protection to "Off"
- Set Kernel-mode authentication to "Disabled"
3. Modify Application Pool Settings
Edit your application pool's Advanced Settings:
- Managed Pipeline Mode: Integrated
For static files, add this to your web.config:
After implementing these changes:
- Reset IIS (iisreset /noforce)
- Check Event Viewer for security-related events
- Test with both static (.html) and dynamic (.aspx) files
If issues persist:
- Verify SPN settings for domain accounts (setspn -L domain\user)
- Check for conflicting GPOs affecting service accounts
- Test with Process Monitor to identify exact access denials
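The IIS Manager and application pool steps in this answer, scripted with appcmd.exe so they can be applied the same way on every server. This is an added example, not part of the answer: the site name, pool name and account are placeholder assumptions, and the extendedProtection element only exists on IIS 7.0 once KB973917 is installed.

```powershell
# Added example: scripted equivalent of steps 2 and 3 above using appcmd.exe, which
# ships with IIS 7. Site, pool and account names are placeholders (assumptions).
$appcmd   = Join-Path $env:windir "System32\inetsrv\appcmd.exe"
$site     = "Default Web Site"          # assumed site name
$pool     = "CustomIdentityPool"        # assumed application pool name
$account  = "YOURDOMAIN\customaccount"  # assumed custom identity
$secure   = Read-Host "Password for $account" -AsSecureString
$password = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Step 2: site-level authentication, committed to applicationHost.config (/commit:apphost)
# because the authentication sections are locked against web.config by default.
& $appcmd set config $site "/section:system.webServer/security/authentication/anonymousAuthentication" /enabled:false /commit:apphost
& $appcmd set config $site "/section:system.webServer/security/authentication/windowsAuthentication" /enabled:true /useKernelMode:false /commit:apphost
# Extended Protection "Off" is tokenChecking=None. On IIS 7.0 this element exists only
# after KB973917; without that update appcmd reports an error for this one command.
& $appcmd set config $site "/section:system.webServer/security/authentication/windowsAuthentication" /extendedProtection.tokenChecking:None /commit:apphost

# Step 3: pipeline mode and custom identity. appcmd stores the password encrypted in
# applicationHost.config, but it is visible on this command line while the process runs.
& $appcmd set apppool /apppool.name:$pool /managedPipelineMode:Integrated
& $appcmd set apppool /apppool.name:$pool /processModel.identityType:SpecificUser "/processModel.userName:$account" "/processModel.password:$password"

# Read back what was written, then recycle so the new identity is used.
& $appcmd list config $site "/section:system.webServer/security/authentication/windowsAuthentication"
& $appcmd list apppool $pool /text:*
& $appcmd recycle apppool /apppool.name:$pool
```

Run it from an elevated PowerShell prompt on the web server; the list commands at the end show the effective attributes before the recycle, which is where a typo in the section path or an unlocked-section problem becomes visible.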
When configuring IIS 7 on Windows Server 2008 SP2 to use custom identities for application pools, you might encounter HTTP 500 errors specifically for static content (HTML, CSS, JS) while dynamic content (like ASPX) works normally. The error manifests with these key details:
ModuleName: IIS Web Core
Notification: 2
HttpStatus: 500
ErrorCode: 0x80070542 (Impersonation level invalid)
Static content handling in IIS requires proper impersonation rights. Unlike dynamic handlers, which run under the worker process identity, static files rely on impersonation through IUSR by default. Custom accounts need explicit impersonation privileges:
// Required privileges in Local Security Policy
SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege
First, verify the account has proper NTFS permissions (which you've already done). Then implement these technical fixes:
1. Grant impersonation rights via Group Policy: gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → "Impersonate a client after authentication"
2. Configure IIS authentication:
<system.webServer>
  <security>
    <authentication>
      <anonymousAuthentication enabled="true" userName="IUSR" /> <!-- Keep default for static content -->
    </authentication>
  </security>
</system.webServer>
For scenarios requiring strict custom identity usage, modify the applicationHost.config:
<location path="Default Web Site">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" userName="YourCustomAccount" password="[Encrypted]" />
      </authentication>
    </security>
  </system.webServer>
</location>
After making changes, verify with these PowerShell commands:
# Check effective permissions
Get-Acl "C:\inetpub\wwwroot" | Format-List
# Verify privilege assignment
whoami /priv | findstr /i "Impersonate"
# Test HTTP.sys configuration
netsh http show urlacl
For legacy systems where policy changes aren't possible, consider these workarounds:
- Use IIS 7.5+ which handles static content differently
- Create a handler mapping for static files to force managed pipeline processing
- Implement URL rewriting to route static requests through ASP.NET
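Both answers above end with verification steps (Event Viewer, `whoami /priv`, `Get-Acl`). `whoami /priv` reports the privileges of the interactive user running the shell, not of the application pool account, so the added script below (not from either answer) works out from applicationHost.config which account actually reads a site's static files, then checks SeImpersonatePrivilege and the NTFS ACL for that account. The site name is an assumed default, the script assumes the IIS 7.0 default of NetworkService when a pool has no processModel element, and it must run elevated because secedit needs to export the local policy.

```powershell
# Added diagnostic (not from either answer): which account reads this site's static files,
# does the worker process identity hold SeImpersonatePrivilege, and does the reading
# account have a direct Allow-read ACE on the site root? Site name is an assumption.
param([string]$SiteName = "Default Web Site")

$cfgPath = Join-Path $env:windir "System32\inetsrv\config\applicationHost.config"
$cfg = New-Object xml
$cfg.Load($cfgPath)
$appHost = $cfg.configuration.'system.applicationHost'

function Resolve-Account([string]$Name) {
    # Canonical DOMAIN\name form via SID round-trip (e.g. "IUSR" -> "NT AUTHORITY\IUSR").
    try {
        (New-Object Security.Principal.NTAccount $Name).Translate([Security.Principal.SecurityIdentifier]).
            Translate([Security.Principal.NTAccount]).Value
    } catch { $Name }
}

# 1. Site -> root application -> application pool -> worker process identity.
$site = $appHost.sites.site | Where-Object { $_.name -eq $SiteName }
if (-not $site) { throw "Site '$SiteName' not found in $cfgPath" }
$rootApp  = $site.application | Where-Object { $_.path -eq "/" }
$rootVdir = $rootApp.virtualDirectory | Where-Object { $_.path -eq "/" }
$physicalPath = [Environment]::ExpandEnvironmentVariables($rootVdir.physicalPath)
$poolName = $rootApp.applicationPool
if (-not $poolName) { $poolName = $site.applicationDefaults.applicationPool }
if (-not $poolName) { $poolName = $appHost.sites.applicationDefaults.applicationPool }
$pool   = $appHost.applicationPools.add | Where-Object { $_.name -eq $poolName }
$idType = $pool.processModel.identityType
if (-not $idType) { $idType = "NetworkService" }   # assumed IIS 7.0 default when unset
switch ($idType) {
    "SpecificUser"   { $poolIdentity = $pool.processModel.userName }
    "NetworkService" { $poolIdentity = "NT AUTHORITY\NETWORK SERVICE" }
    "LocalService"   { $poolIdentity = "NT AUTHORITY\LOCAL SERVICE" }
    "LocalSystem"    { $poolIdentity = "NT AUTHORITY\SYSTEM" }
    default          { $poolIdentity = "IIS APPPOOL\$poolName" }
}

# 2. Anonymous authentication for the site: a <location path="site"> override wins over the
#    server-wide element. An empty userName means "use the application pool identity".
$anon = $cfg.configuration.location |
    Where-Object { $_.path -eq $SiteName } |
    ForEach-Object { $_.'system.webServer'.security.authentication.anonymousAuthentication } |
    Where-Object { $_ } | Select-Object -First 1
if (-not $anon) { $anon = $cfg.configuration.'system.webServer'.security.authentication.anonymousAuthentication }
$anonEnabled = ($anon.enabled -ne "false")   # attribute absent means enabled
if (-not $anonEnabled)  { $fileReader = "<authenticated client>" }
elseif ($anon.userName) { $fileReader = Resolve-Account $anon.userName }
else                    { $fileReader = Resolve-Account $poolIdentity }

# 3. Who holds SeImpersonatePrivilege on this machine (local policy exported by secedit).
$inf = Join-Path $env:TEMP "rights.inf"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue
if (-not $rightLine) { throw "secedit export failed; run this script elevated" }
$holders = @()
foreach ($entry in (($rightLine -split '=', 2)[1] -split ',')) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {   # secedit writes well-known holders as *SID
        try { $entry = (New-Object Security.Principal.SecurityIdentifier $entry.Substring(1)).Translate([Security.Principal.NTAccount]).Value } catch {}
    }
    $holders += $entry
}
# IIS 7 adds the worker process identity to IIS_IUSRS when the worker process starts, so a
# grant to BUILTIN\IIS_IUSRS covers the pool identity. Other nested group grants are not expanded.
$poolCanImpersonate = ($holders -contains (Resolve-Account $poolIdentity)) -or ($holders -contains "BUILTIN\IIS_IUSRS")

# 4. Direct Allow ACEs carrying ReadData on the site root for the reading account and the
#    broad groups; domain group membership is not expanded, so an empty result is a prompt
#    to check group-based grants, not proof of a missing permission.
function Get-ReadAces([string]$Path, [string[]]$Principals) {
    $readData = [int][Security.AccessControl.FileSystemRights]::ReadData
    (Get-Acl $Path).Access | Where-Object {
        ($Principals -contains $_.IdentityReference.Value) -and
        ($_.AccessControlType -eq 'Allow') -and
        ((([int]$_.FileSystemRights) -band $readData) -ne 0)
    }
}
$principals = @("BUILTIN\Users", "NT AUTHORITY\Authenticated Users", "Everyone", "BUILTIN\IIS_IUSRS")
if ($fileReader -ne "<authenticated client>") { $principals += $fileReader }
$readAces = @(Get-ReadAces $physicalPath $principals)

New-Object PSObject -Property @{
    Site                 = $SiteName
    PhysicalPath         = $physicalPath
    ApplicationPool      = $poolName
    PoolIdentity         = $poolIdentity
    AnonymousEnabled     = $anonEnabled
    StaticFileReader     = $fileReader
    ImpersonateHolders   = ($holders -join ', ')
    PoolCanImpersonate   = $poolCanImpersonate
    ReadAcesOnSiteRoot   = (($readAces | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; ')
} | Format-List
```

Two outcomes are worth acting on: `PoolCanImpersonate` false means the custom account is neither listed in the policy nor covered by IIS_IUSRS, which is the case the Group Policy step in this answer fixes; `StaticFileReader` equal to the pool identity with no read ACE for it (or for IIS_IUSRS) on the site root means the anonymousAuthentication userName is blank and the NTFS grant was made to the wrong principal.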