SP2016 Application Pool Issue

Recently I came across an application pool that stopped on the first browse of the site. The site threw a 503 error and was not accessible, so I started researching and combing through the logs. For background, this is SharePoint 2016 installed on Windows Server 2016.

My first suspicion was that it had to do with the Security Token Service, but its app pool also stops the moment the web service is browsed, with the same 503 error. So I repaired and re-provisioned the Security Token Service application, with no luck.

So, what causes this issue? Luckily, Event Viewer under System shows a warning and an error from WAS (Windows Process Activation Service):

“Application pool SecurityTokenServiceApplicationPool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.”

Followed by:

“Application pool SecurityTokenServiceApplicationPool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.”

Normally a good fix for this is to re-enter the account and type its password again in the application pool's Advanced Settings in IIS Manager, but this time that did not do the trick.

So, what makes all application pools stop on the first request? Here is the indicative entry from the logs:

“The identity of application pool SecurityTokenServiceApplicationPool is invalid. The username or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request.  If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.”

Ah. In Local Security Policy, under Local Policies > User Rights Assignment, there is a policy named "Log on as a batch job", and the identities of your application pool accounts need to be listed there. Note what the event itself says: after the right has been granted, WAS does not retry the logon until the identity in the IIS configuration store has been changed, so after updating the policy re-enter the identity of each app pool and run IISReset. One caveat: if "Log on as a batch job" is defined by a domain GPO, a local change is overwritten at the next policy refresh, so grant the right in that GPO instead.

This was the Fix!
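As an added example, not code from the original post, here is a PowerShell script that performs the check and fix described above on the SharePoint server: it lists the recent WAS events about pool identities, exports the local user-rights assignment with secedit, compares the holders of SeBatchLogonRight (the right shown in Local Security Policy as "Log on as a batch job") against the identity of every application pool that runs as a specific user, and with -Grant appends the missing accounts, re-enters their credentials in the IIS configuration store and runs iisreset. The scratch folder under $env:TEMP and the parameter names are my assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Audits which IIS application
# pool identities hold "Log on as a batch job" (SeBatchLogonRight) and, with
# -Grant, adds the missing ones, re-enters the pool credentials and restarts IIS.
param(
    [switch]$Grant,
    [string]$Work = (Join-Path $env:TEMP 'batchlogon')   # scratch folder (assumed path)
)
Import-Module WebAdministration
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. What WAS has logged about pool identities recently (the cause behind the 503).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS' } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'identity' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(90, $_.Message.Length)) } } |
    Format-Table -AutoSize

# 2. Export the local user-rights assignment; secedit writes UTF-16 text.
$cfg = Join-Path $Work 'secpol.cfg'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $cfg -Encoding Unicode | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
$holders = @()
if ($rightLine) { $holders = @((($rightLine -split '=', 2)[1]).Trim() -split ',' | ForEach-Object { $_.Trim() }) }

# secedit lists holders as *SID or DOMAIN\name; normalise everything to a SID.
function ConvertTo-Sid([string]$Account) {
    if ($Account.StartsWith('*')) { return $Account.Substring(1) }
    try {
        (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # unresolvable (e.g. deleted or mistyped) account
}
$holderSids = @($holders | ForEach-Object { ConvertTo-Sid $_ } | Where-Object { $_ })

# 3. Compare each pool that runs as a named account against the direct holders.
$missing = @()
foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $pm = $pool.processModel
    if ($pm.identityType -ne 'SpecificUser') { continue }   # built-in identities are not checked here
    $sid = ConvertTo-Sid $pm.userName
    $listed = $sid -and ($holderSids -contains $sid)
    '{0,-40} {1,-28} {2}' -f $pool.name, $pm.userName, $(if ($listed) { 'listed' } else { 'NOT listed directly' })
    if (-not $listed -and $sid) { $missing += $sid }
}
$missing = @($missing | Select-Object -Unique)

if ($Grant -and $missing.Count -gt 0) {
    # 4. Append the missing SIDs to the existing holders and apply with secedit.
    $value = (@($holders) + @($missing | ForEach-Object { "*$_" })) -join ','
    $inf = Join-Path $Work 'grant.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeBatchLogonRight = $value
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db (Join-Path $Work 'grant.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null

    # 5. WAS only retries the logon after the identity is changed in the IIS
    #    configuration store, so re-enter each affected pool's credentials, then reset IIS.
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $pm = $pool.processModel
        if ($pm.identityType -ne 'SpecificUser' -or $missing -notcontains (ConvertTo-Sid $pm.userName)) { continue }
        $cred = Get-Credential -UserName $pm.userName -Message "Password for pool $($pool.name)"
        Set-ItemProperty "IIS:\AppPools\$($pool.name)" -Name processModel -Value @{
            identityType = 'SpecificUser'
            userName     = $cred.UserName
            password     = $cred.GetNetworkCredential().Password
        }
    }
    iisreset
}
```

Run it once without -Grant to see the report, then with -Grant on the pools it flags. The comparison only sees accounts that are listed directly: a right that an account inherits through a group it belongs to is not resolved, so a pool reported as "NOT listed directly" can still be fine if its account is a member of a listed group. If "Log on as a batch job" is set by a domain GPO, the secedit change is overwritten at the next policy refresh and the grant has to be made in that GPO instead.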