IIS 7.5 Load User Profile Not Creating User Profile

Question

I have a few identically-configured Windows 2008 web servers running IIS 7.5, one of which isn't behaving as expected with regard to the "Load User Profile". I'm getting a yellow screen of death that says "The profile for the user is a temporary profile." (See more info on error below).

On most of my web servers, the fix is to switch "Load User Profile" from False to True for the application pool under "Advanced Settings". However, on one box, this isn't working. All web servers have application pools set to run as an identity internal to our network e.g. "MyCompany.local\TheAppPoolUser". This user does NOT have login privileges. And on all web servers except the one that's broken, there is a directory at C:\Users\TheAppPoolUser. No such directory exists on the broken server. I've tried recycling the app pool, but still no directory.

When does Windows/IIS decide to create the directory? Is it possible to force the creation? Is it possible to manually create it? I don't know how/when the directory was created on the other machines.

Here are the details on the yellow screen of death error:

The profile for the user is a temporary profile.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Security.Cryptography.CryptographicException: The profile for the user is a temporary profile.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[CryptographicException: The profile for the user is a temporary profile. ]
RabbitMQ.Client.EndpointResolverExtensions.SelectOne(IEndpointResolver resolver, Func`2 selector) +294
RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName) +178

Answer 1

Short story - you can't do anything simple with the issue. You can only try to work it around.

Longer story - temporary profiles are sometimes created randomly, for various not-that-easily-clear reasons. There are multiple references to this, e.g.

http://paulstovell.com/blog/x509certificate2

However it can also happen just sometimes, randomly. Maybe there was a problem with the registry that prevented a profile directory being created. Maybe someone got a little overzealous with group policy. I've had all kinds of bug reports about this. One option is to try stopping any services that run under that account (including application pools) and then logging in interactively to the computer as the user to force a profile to be created. Then log out, and restart the services.

Unfortunately, parts of the crypto subsystem require the user profile to be created and this restriction comes from the old DPAPI the .NET crypto subsystem refers to.

My personal struggle has been described in my blog entry

http://www.wiktorzychla.com/2016/08/signedxmlchecksignature-and-dreadful.html

and it's about the same exact exception as yours but most probably in slightly different scenario (for me it was the way XML signatures are validated by the crypto subsystem).

Anyway, there are two possible workarounds:

• you can login to that particular box in an interactive mode as the app pool identity - which forces the OS to create the profile. If the issue is not resolved, you can try to delete the profile (although the problem is the profile can be in a limbo state where it cannot be created when you try to log as that user but also it is not visible on the list of profiles on that machine so you can't delete it)

• you can workaround the APIs that are causing the issue - this was possible in my case but will not work for you, as the source of your problem is the RabbitMQ client library you can't easily fix on your own, probably