Important information within IIS is stored in flat files with encrypted sections.  The specific sections encrypted are identity of the application pool along with ACL information.  When you move the configurations to a new server, or when you’ve used a hypervisor to clone a server, keys used to decrypt these values will no longer work.  Or more specifically, they’re not found…I’ll get to that (the fourth solution to this problem explains it all).

The 500 primary error means it is a server error. The .19 secondary error code indicates that “The requested page can not be accessed because the related configuration data is invalid.” IIS, points out that the issue is due to its inability to decrypt an attribute of a configuration file for us. Metabase.xml is the central store where IIS 6.0 stores most of its configuration information.  In IIS 7.0 Microsoft shifted to a new XML based configuration store that is modeled after ASP.NET.  The same model is maintained in IIS 7.5.  IIS no longer centralized into a single file. The hierarchical store starts with the applicationHost.config file and can be distributed among web.config files under your application for a more modular inheritance  exposed through the app.configs (web.config).

In IIS 7 the local accounts and groups that IIS 6.0 used (IUSR_MACHINENAME / IIS_WPG) were also replaced by built-in accounts (IUSR / IIS_IUSRS). The built-in accounts have the same SID across Windows 2008/2008 R2 servers and are not machine specific.  The idea is that, like web applications’ configurations, you should be able to have an IIS configuration that could be machine independent.  Therefore, like web.configs, you should be able to just copy your applicationHost.config from one server to another and IIS will pick up the settings and work.

Problem

This all works perfectly, if you don’t care about the identity your application runs under.  In a distributed environment this isn’t always the case.  If you modify the identity of your application pool servicing your application hosted in IIS, then move the applicationHost.config to a different IIS 7.0 server, or clone it you’re greeted with this error when trying to render a page, web service, or worse a failure of application pools with an error from WAS in your event log looking like this:

Application pool <ApplicationPool> has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

If you try to modify the account, depending on how you installed the application  you may not be able to change the password and “reset” this problem away that’s truly a the mismatch of identity on multiple levels.

This issues results in this error:

There was an error while performing this operation.  Details: Bad Data. (Exception from HRESULT: 0×80090005)

It is rooted in the inability to decrypt the sections of the applicationHost.config that’s encrypted with machine keys.  Any custom username / password tried for the identity of the application pool may result in either of these error conditions.  A work around is to set application pool to one of the built in accounts works or remove the encryption in the configuration file.  Both not that great of solutions if you need some level of identity on a remote system or security by encrypting this sensitive data at rest, as it should be.

The issue is with your machine keys used to decrypt sections of your applicationHost.config.  For example, IIS keeps a local copy of the username and password of a custom identity in the applicationHost.config and and encrypts it.  If you open the file you’ll see this:

<processModel identityType="User" userName="domain\username" password="[enc:IISWASOnlyAesProvider:2Woq1bHFmcDxzSEKLe9q1eZsvlUuBcmb0Luy3DzkZWg=:enc]" />

When the applicationHost.config is used on a server it didn’t originate on,  IIS can no longer decrypt the iisConfiguration and iisWasKey containers in this file since it uses the original machine keys to do they encryption.

Solutions

To get this working you have four options, in order of suggested implementation.  The first requires A working server with a similar configuration, the second requires THE  actual source server, the third is down right insecure, the fourth I would challenge that anyone should use – but works, and is important to understanding the under pinning of what’s going on.

The first three are supported methods by Microsoft documentation, the fourth isn’t – and with all, take proper precautions.

First one (best/easiest)…

Export the IIS config of a working web server and import using the Shared Configuration of IIS 7.

1. Navigate to the root of you server in IIS admin console
2. Double click shared Configuration

3. Click Export Configuration on the left hand pane

4. Select a location
5. Select a Password
6. And Select OK

7. This process creates files to be imported on target machine
8. Move the files to a location on the target server
9. In Shared Configuration manager on the target machine check the Enable Shared Configuration and select Apply

10. Enter the password when prompted
11. Ok to the follow couple of prompts
12. IISReset
13. Navigate to your resource to confirm it renders (no longer an 500.19 error)

14. In Shared Configuration manager on the target machine un-check the Enable Shared Configuration and select Apply
15. Select yes to overwrite

16. Yes when prompted to IISReset
17. Perform IISReset

Second (easy)…

Export keys from source server:

aspnet_regiis -px "iisConfigurationKey" "C:\IISKEY\iisConfigurationKey.xml" -pri
aspnet_regiis -px "iisWasKey" "C:\IISKEY\iisWasKey.xml" -pri

Import on your target/problem server:

aspnet_regiis -pi "iisConfigurationKey" "C:\IISKEY\iisConfigurationKey.xml"
aspnet_regiis -pi "iisWasKey" "C:\IISKEY\iisWasKey.xml"

Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Reflection.ReflectionTypeLoadException: Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information.

It occurs when an assembly type was not able to load properly during the start-up of your application hosted in IIS.  Specifically, when a dependency is missing.  Depending on when the error occurs in the compile of your solution, you may not get a good error in IIS failed request trace, IIS logs proper (a simple 500 result is logged), or any extended logging assemblies you have included in your solution since the error very well could occur before those logging logic libraries have included/loaded.

To correct it you need to find the missing dependency.  To find that missing dependency you can stage an add of all binaries using PowerShell.  Specifically, all by a Get-ChildItem, that you can properly filter by name as needed, one by one in a “foreach” loop using the Add-Type cmdlet to stage the same .NET load performed at start-up   You can closely inspect the details of the exception raised during the load of each to find any missing dependencies.  Specifically, inspect the LoaderExceptions property that holds the I/O details holding the “file not found” error [like the error message in IIS suggests].

Here’s a quick script snippet.  Modify the file location of your binary folder and/or your gci filter as needed:

$BinPath = "D:\Webroot\wwwroot\bin"
  try
  {
    $Error.Clear()
    Push-Location $BinPath
    Get-ChildItem "*.dll" | Foreach {
	Write-Host $_.Name;
        $assembly = Add-Type -Path $_.FullName;    
    }
  }
  catch 
  {
    Write-Host -foreground yellow "LoadException";
    $Error | format-list -force
    Write-Host -foreground red $Error[0].Exception.LoaderExceptions;
  }

Write-Host "Complete."
Pop-Location

This is for that age old “Content Advisor” requirement in IE feature for me.  It is a feature of some browsers, primarily Internet Explorer, that enable end users to safeguard children from places on the net with a parental password.  There are ratings that can be embedded within, so read the standards if you’re wanting something specific for your site.  Keep in mind that this is header usage is  deprecated.  If you’re interested in the new method, you can check POWDER out here.

Here’s a script answer using the WebAdministration PowerShell module and its cmdlets that takes your URL as a parameter:

Usage: .\Set-PICSLabel.ps1 -URL http://jeffmurr.com

param (
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string] $URL
)
Import-Module WebAdministration
$PICSLabel = Get-WebConfiguration system.webServer/httpProtocol/customHeaders/* 'IIS:\sites\Default Web Site' | where {$_.name -eq "pics-label"}
if($PICSLabel) {write-host "PICS-Label already exists. No updates made."}
else {
write-host "PICS-Label does not exists. Adding PICS-Label..."
Add-WebConfiguration -Filter /system.webServer/httpProtocol/customHeaders -PSPath "IIS:\sites\Default Web Site" -Value @{name='PICS-Label';value="(pics-1.1 `"http://www.icra.org/pics/vocabularyv03/`" l gen true for `"$URL `" r (c 0 l 0 n 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 s 0 v 0))"}
write-host "PICS-Label created."
}

The script above imports the WebAdministration module and uses that module’s Get-WebConfiguration cmdlet to create and array object of all of the customer headers where the name is “pics-label” called $PICSLabel.  This is only a test to see if its already exists and is recursed through all child objects under the default site object.  If the object is not NULL it returns “true” for the if statement and the Add-WebConfiguration cmdlet is used to add the correct values to the default web.config at the site’s root.

A formatted header looks like this:

(pics-1.1 "http://www.icra.org/pics/vocabularyv03/" l gen true for "http://jeffmurr.com " r (c 0 l 0 n 0 oa 0 ob 0 oc 0 od 0 oe 0 of 0 og 0 oh 0 s 0 v 0))

Note:  Spacing and format are critical or end user errors will result.

It is not required that the definition of the pics-label header be at the site level; however, not doing so can be confusing of the URL content of the header to the parsing engine and browser.  For that reason, its just simpler and easier to always define the header at the site’s root unless specific child applications have different ratings than that of the site.

The response header name “pics-label” is what is parsed for content ratings.  PICS stands for “Platform for Internet Content Selection”.  Its use in standards are defined by World Wide Web Consortium (W3) here.  In short, it is a voluntarily rating system that is used to protect children from inappropriate content on the web.  Parents can configure it to allow sites based on the voluntary ratings made by the site’s owner or block based on those ratings.  Most use it to require a password to visit regardless of the voluntary ratings provided in the header.

Internet explorer uses this in the its Content Advisor feature.  It is enabled and configured when accessed under the internet options section of IE under the content tab.

For Internet Explorer’s Content Advisor feature, parents can set up ratings that they want to allow and trust site administrators to be honest about the material on their site.  More often than not, the password option is used for the URL content to all/not allow a site.  The password can be required on each visit or the parent can “white list” a site after providing the password using the URL content of the pics-label header.

Even though the ICRA has discontinued its ratings dictionary, many users still use it as an easy parenting tool to protect children from wandering into unknown areas of the net.  There are other rating dictionaries other than the ICRA, but it still seems to be the most widely used and why it was my choice in the script.