Hi,
We recently went through a project where we upgraded the platform of our ASP.NET v2 applications from Windows 2003 IIS 6 to Windows 2008 R2 IIS 7.5 to take advantage of ADFS client authentication. As part of the upgrade we decided to use the new Windows 2008 R2 Managed Service Accounts (MSA) as they seemed to provide account management advantages. Each of the 20+ applications is configured with a unique application pool, and each application pool has been assigned a unique MSA as its identity. The ASPState database and the associated backend SQL 2000 database have been assigned rights to the appropriate Managed Service Account. Identity impersonation is set to false.
In general operation this has been working fine in Dev, Test and Production. However, we hit a recent issue where the application pools failed to authenticate to the SQL database, causing an outage. Unfortunately this immediately followed some scheduled patching maintenance, so this threw me off the trail a little as to the cause. I have now identified that the issue is down to the automatic changing of the MSA password. I have taken the issue offline and can recreate it on demand by issuing a PowerShell `Reset-ADServiceAccountPassword -Identity msaUniqueID`. Shortly after this has been run I see ASP.NET 2.0.50727.0 1309 warnings with "Exception message: Failed to login to session state SQL server for user 'Domain\msaUniqueID '." At this point the application fails, and the only way to get it working again is to stop and then start the application pool. The application then works fine until the MSA password is changed again, manually or automatically after 30 days.
I can't find anything that suggests that we should not operate the application in this configuration, or any obvious fix to the issue. Before we move to not using MSAs, is there anything that can be done to resolve this?
Many thanks
Tony
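The failure mode described in the post (an application pool whose MSA password rotated after the worker process started, surfacing as ASP.NET 1309 warnings) can be detected and remediated from the IIS host. The following PowerShell is an added example, not code from the original post: it lists application pools whose MSA password is newer than the pool's running worker process, optionally correlates that with recent 1309 "Failed to login to session state SQL server" events, and recycles only the affected pools. It assumes the ActiveDirectory and WebAdministration modules are present, that pool identities are of the form DOMAIN\name$, and that the script runs with rights to read the MSA objects and recycle pools; the `-Recycle` switch and the function names are my own.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory and
# IIS WebAdministration modules on the IIS host; run with rights to read MSAs
# and recycle application pools.
Import-Module ActiveDirectory
Import-Module WebAdministration

function Get-StalePasswordPools {
    # Returns app pools whose MSA PasswordLastSet is later than the worker
    # process start time, i.e. pools still running on a superseded password.
    $results = @()
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $pm = $pool.processModel
        if ($pm.identityType -ne 'SpecificUser' -or -not $pm.userName) { continue }

        # Identity is DOMAIN\name$ for an MSA; strip domain and trailing $.
        $sam = ($pm.userName -split '\\')[-1].TrimEnd('$')
        $msa = Get-ADServiceAccount -Filter "Name -eq '$sam'" `
                   -Properties PasswordLastSet -ErrorAction SilentlyContinue
        if (-not $msa) { continue }   # not an MSA, skip

        # Start time of the pool's w3wp.exe, if one is running.
        $wp = Get-ChildItem "IIS:\AppPools\$($pool.Name)\WorkerProcesses" `
                  -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $wp) { continue }   # idle pool; it will pick up the new password on start
        $proc = Get-Process -Id $wp.processId -ErrorAction SilentlyContinue
        if (-not $proc) { continue }

        if ($msa.PasswordLastSet -gt $proc.StartTime) {
            $results += [pscustomobject]@{
                Pool            = $pool.Name
                Identity        = $pm.userName
                PasswordLastSet = $msa.PasswordLastSet
                WorkerStarted   = $proc.StartTime
            }
        }
    }
    return $results
}

function Get-SessionStateLoginFailures {
    # ASP.NET 1309 warnings from the last $Minutes minutes whose message carries
    # the session-state login failure quoted in the post.
    param([int]$Minutes = 30)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'ASP.NET 2.0.50727.0'
        Id           = 1309
        StartTime    = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Failed to login to session state SQL server for user' }
}

function Invoke-MsaPoolCheck {
    # Report pools running on a superseded MSA password; recycle them if -Recycle.
    param([switch]$Recycle)
    $stale    = Get-StalePasswordPools
    $failures = Get-SessionStateLoginFailures

    if ($failures) {
        Write-Warning ("{0} ASP.NET 1309 session-state login failure(s) in the last 30 minutes" -f @($failures).Count)
    }
    foreach ($entry in $stale) {
        Write-Output ("Pool '{0}' ({1}) started {2}, MSA password changed {3}" -f `
            $entry.Pool, $entry.Identity, $entry.WorkerStarted, $entry.PasswordLastSet)
        if ($Recycle) {
            # Restart-WebAppPool stops and starts the pool, which is the manual
            # remediation the post describes.
            Restart-WebAppPool -Name $entry.Pool
            Write-Output ("Recycled pool '{0}'" -f $entry.Pool)
        }
    }
    if (-not $stale) { Write-Output 'No application pools are running on a superseded MSA password.' }
}

# Report only:
Invoke-MsaPoolCheck
# Report and recycle affected pools (for example from a scheduled task after
# the MSA rotation interval):
# Invoke-MsaPoolCheck -Recycle
```

Run without `-Recycle` first to confirm the pools it selects are the ones whose identity was rotated; once that matches the 1309 warnings in the Application log, the `-Recycle` form can be scheduled so that a password rotation no longer turns into a user-visible outage.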