skeletank

Reputation: 2888

IIS ApplicationPoolIdentity and access to certificate revocation server

I have the error "The X.509 certificate ... chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline."

I get this error when I run my WCF service in IIS with an app pool under the "ApplicationPoolIdentity". I have given the "ApplicationPoolIdentity" accounts (IIS AppPool\*) private key access permissions to the certificates in the store. It works fine under "Network Service". The certificate is internally issued from one of our domain controllers. I thought that Microsoft wants websites to be run under "ApplicationPoolIdentity" now. Is there a way to give the correct permissions to the "ApplicationPoolIdentity" in order to avoid this error, or should I just use "Network Service" instead?

Upvotes: 1

Views: 4817

Answers (1)

kroonwijk

Reputation: 8410

What you will probably notice when you put a network sniffer like Wireshark on the line is that the identity that your application pool is running under is not allowed to go to the location given as the URL in the revocation parameter of your certificate chain. That problem does not occur when the application pool is running under the NETWORK SERVICE account, as you describe.

As stated by the error logged to you, you can also change to revocationMode="NoCheck" to disable WCF checking for revoked certificates. Read http://msdn.microsoft.com/en-us/library/aa347699.aspx for details. But you should only do that either in a safe, closed environment or for development purposes.

Upvotes: 3
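For reference, an added example (not part of the question or the answer above) showing where the setting the answer refers to lives in a WCF service's web.config; the behavior name CertAuthBehavior is assumed, and the element is shown with the default Online revocation check beside the NoCheck variant the answer describes:

```xml
<!-- Added example, not from the question or answer: WCF service-side
     client-certificate authentication element. The behavior name is assumed. -->
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="CertAuthBehavior">
        <serviceCredentials>
          <clientCertificate>
            <!-- Default and recommended: validate the chain and check revocation
                 online. The real fix for the error in the question is to let the
                 app pool identity reach the CRL distribution point URL named in the
                 certificate (e.g. proxy/firewall rules for that identity).
                 revocationMode="Offline" is the third value the attribute accepts;
                 it relies on a locally cached CRL instead of fetching one. -->
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online" />
            <!-- Weak alternative from the answer: skips revocation checking entirely.
                 Only for an isolated network or development, never production.
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="NoCheck" />
            -->
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```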
