Enable IIS option "loadUserProfile:true" for dedicated application pools
In Windows Server IIS, it is recommended to set loadUserProfile:true for dedicated application pools. Doing so guarantees better application isolation and security for web applications created with ASP.NET, .NET Core or PHP.
You can find some basic information about this setting in this Stack Overflow answer: https://stackoverflow.com/a/17149834/1297898.
Official Microsoft documentation: https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities, https://docs.microsoft.com/en-us/iis/manage/configuring-security/ensure-security-isolation-for-web-sites
I will be pleased to provide any additional information you may require.
Thank you for your input. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
Duarte N commented
It was finally implemented:
June Justice commented
Paul Brown's comment pretty much says it all. This is a vital setting for generating tokens.
Paul Brown commented
If using MS Identity to create a new (web) user security token while using the anonymous user profile in a Web App, IIS has no knowledge of the new web user's profile, which is necessary, to create tokens for updating email and passwords. The following IIS error occurs without "Load User Profile" set to true:
"The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating."
The Plex UI should offer a way to update the IIS "Load User Profile" setting to true. This is a common problem when writing web apps using Microsoft Identity. When using UserManager.GenerateEmailConfirmationTokenAsync(user.Id) to create an email confirmation token to verify a newly created web user's email address, the anonymous user's profile is still loaded and prevents the new security token from being created. A quick search will show how common this problem is when using a hosting company not aware of the necessity to allow the "Load User Profile" setting to be set to true for the domain. This setting is only valid for the instantiated web service for the requesting web app and has no affect on other websites hosted by the server. The setting is set to false by default for backward compatibility on apps written for earlier versions of IIS and have no security implications to IIS or other web sites hosted on IIS.
EVERYBODY SHOULD UPVOTE THIS!!!
Here are two links to view the problem: https://stackoverflow.com/questions/23773651/the-data-protection-operation-was-unsuccessful-on-azure-using-owin-katana
Jan Reilink commented
In my opinion you shouldn't consider a functionality because it's popular, but because it's a de-facto (or industry) standard and often required. But that's a whole different discussion.