IIS 8.5 Event Code 4009 Viewstate Failed using Application Pool Identity

Question

We are trying to implement good IIS 8.5 practice on for web sites by using a unique app pool for each site, and to run those app pools under the Application Pool Identity. We have been running our app pools under a Domain account. We have been able to make the switch to using an Application Pool Identity successfully with a webservice. But with a website, which uses Windows authentication, using an Application Pool Identity for the App Pool, the site errors out. In the Windows Application Event Log, the associated error is "Event Code 4009 - the viewstate verification failed: : the viewstate failed integrity check." The website itself gives a user not authorized message. It is using the WindowsPrincipal.IsInRole method to determine if the user is in an AD group. I know the windows user is being transmitted because it shows on the asp page.

Some posts on this problem mention updating key in machine.config. This is a stand-alone server. As soon as I switch the same app pool for the site back to using a domain account, presto, it works.

Windows Server 2012, .NET framework 4.0, u

Answer 1

The basic problem was in using the WindowsPrincipal.IsInRole method and a System.Environment variable.,

WindowsPrincipal currentPrince = new WindowsPrincipal((WindowsIdentity)identity;
string domainName = System.Environment.Us variableerDomainName;

if currentPrince.IsInRole(domainName + "\\" + groupNane))System
   { 
        bool isAuthenticated = true; '
   }

When running under a domain account, the System.Environment variable contained the same domain as the identity.

When running under the AppPoolIdentity pseudo account, the System.Environment variable contained "IIS_AppPool".

So naturally no group membership could be found under that domain name.