Recently, a customer facing issues with application pools was unable to set a custom IIS App Pool identity; the operation failed with the message “There was an error while performing this operation and value does not fall within the expected range”. We reviewed the event logs, identified the cause, and resolved the issue with the troubleshooting steps below.
Unable to set a custom IIS App Pool identity; the error below was observed.
Review the event logs - Services Logs => Microsoft => Windows => IIS-Configuration.
ID 42: Failed to initialize the 'IISWASOnlyAesProvider' encryption provider in '\\?\C:\windows\system32\inetsrv\config\applicationHost.config'. Please check your configuration.
ID 43: Failed to encrypt attribute 'Microsoft.ApplicationHost.AesProtectedConfigurationProvider'.
This issue happens when the IIS-specific machine keys are corrupt or missing.
Machine keys can become corrupt after an improper shutdown of the machine, after a system crash, or when the machine was cloned from an existing image.
1) Rename the files below, or move them to a different location, from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
2) Back up applicationhost.config, then delete the contents within the <configProtectedData> or <providers> tags in applicationhost.config.
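Before renaming key files or editing the configuration, it helps to confirm the symptom and capture the current state. The script below is an added example, not part of the original post: it only reads the logs, inventories the key folder, and writes one backup copy of the configuration file. It assumes an elevated PowerShell session and the default IIS paths; the backup file name is a hypothetical choice.

```powershell
# Added example: read-only checks plus one config backup, run elevated on the IIS server.
$ErrorActionPreference = 'Stop'

$keyDir = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
$config = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Confirm the symptom: event IDs 42 and 43 in the IIS-Configuration logs.
#    Channel names are discovered rather than hard-coded; empty channels are skipped.
$logs = Get-WinEvent -ListLog 'Microsoft-IIS-Configuration/*' -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 }
foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Id = 42, 43 } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LogName, Message |
        Format-List
}

# 2. Inventory the machine key folder without touching it.
#    -Force includes hidden and system files. A zero-length file cannot hold a
#    usable key, so it is flagged for review (a heuristic, not a verdict).
Get-ChildItem -Path $keyDir -File -Force |
    Sort-Object LastWriteTime |
    Select-Object Name, Length, LastWriteTime,
        @{ Name = 'Owner';     Expression = { (Get-Acl -Path $_.FullName).Owner } },
        @{ Name = 'ZeroBytes'; Expression = { $_.Length -eq 0 } } |
    Format-Table -AutoSize

# 3. Back up applicationHost.config next to the original, so the copy inherits
#    the restrictive ACL of the inetsrv\config folder. The file holds encrypted
#    credentials and should not land in a world-readable location.
$backup = "$config.bak-$stamp"   # hypothetical backup name
Copy-Item -Path $config -Destination $backup
Write-Host "Backup written to $backup"

# 4. Show which protected-configuration providers the file currently declares.
#    Only name, type and key container are printed; key material is not.
[xml]$xml = Get-Content -Path $config -Raw
$providers = $xml.configuration.configProtectedData.providers.add
if ($providers) {
    $providers | Select-Object name, type, keyContainerName | Format-Table -AutoSize
} else {
    Write-Warning 'No providers found under <configProtectedData> in applicationHost.config.'
}
```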