Skip to content

I suggest you...

← Feature Suggestions

Enable IIS option "loadUserProfile:true" for dedicated application pools

In Windows Server IIS, it is recommended to set loadUserProfile:true for dedicated application pools. Doing so guarantees better application isolation and security for web applications created with ASP.NET, .NET Core or PHP.

You can find some basic information about this setting in this Stack Overflow answer: https://stackoverflow.com/a/17149834/1297898.
Official Microsoft documentation: https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities, https://docs.microsoft.com/en-us/iis/manage/configuring-security/ensure-security-isolation-for-web-sites

I will be pleased to provide any additional information you may require.

29 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Jan Reilink shared this idea  ·   ·  Report…  ·  Admin →
How important is this to you?

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
open discussion  ·  IgorG responded  · 

Thank you for your input. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.

IG

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • June Justice commented  ·   ·  Report

    Paul Brown's comment pretty much says it all. This is a vital setting for generating tokens.

  • Paul Brown commented  ·   ·  Report

    If using MS Identity to create a new (web) user security token while using the anonymous user profile in a Web App, IIS has no knowledge of the new web user's profile, which is necessary, to create tokens for updating email and passwords. The following IIS error occurs without "Load User Profile" set to true:

    "The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating."

    The Plex UI should offer a way to update the IIS "Load User Profile" setting to true. This is a common problem when writing web apps using Microsoft Identity. When using UserManager.GenerateEmailConfirmationTokenAsync(user.Id) to create an email confirmation token to verify a newly created web user's email address, the anonymous user's profile is still loaded and prevents the new security token from being created. A quick search will show how common this problem is when using a hosting company not aware of the necessity to allow the "Load User Profile" setting to be set to true for the domain. This setting is only valid for the instantiated web service for the requesting web app and has no affect on other websites hosted by the server. The setting is set to false by default for backward compatibility on apps written for earlier versions of IIS and have no security implications to IIS or other web sites hosted on IIS.

    EVERYBODY SHOULD UPVOTE THIS!!!

    Here are two links to view the problem: https://stackoverflow.com/questions/23773651/the-data-protection-operation-was-unsuccessful-on-azure-using-owin-katana

    https://stackoverflow.com/questions/17149132/what-exactly-happens-when-i-set-loaduserprofile-of-iis-pool

  • Jan Reilink commented  ·   ·  Report

    Thanks IgorG.

    In my opinion you shouldn't consider a functionality because it's popular, but because it's a de-facto (or industry) standard and often required. But that's a whole different discussion.

Feature Suggestions: Security

Categories

Feedback and Knowledge Base

(thinking…)