Recently, one of the customer who was facing issues with application pools and unable to set custom IIS App Pool Identity with message “There was an error while performing this operation and value does not fall within the expected range”. We reviewed the event logs and identified and resolved the issue with below troubleshooting steps.
Symptoms
=========
Unable to set custom IIS App Pool Identity and observed below error.
Troubleshooting Steps:
===============
Review the event logs - Services Logs => Microsoft => Windows => IIS-Configuration.
ID 42: Failed to initialize the 'IISWASOnlyAesProvider' encryption provider in '\\?\C:\windows\system32\inetsrv\config\applicationHost.config'. Please check your configuration.
ID 43: Failed to encrypt attribute 'Microsoft.ApplicationHost.AesProtectedConfigurationProvider'.
This issue happens when IIS specific machine keys are corrupt or missing.
Machine keys might go corrupt if there was an improper shutdown of the machine or the machine was cloned from an existing image or if there was a system crash.
Solution:
=======
1) Rename the below files or move it to a different location from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
6de9cb26d2b98c01ec4e9e8b34824aa2_GUID iisConfigurationKey
d6d986f09a1ee04e24c949879fdb506c_GUID NetFrameworkConfigurationKey
76944fb33636aeddb9590521c2e8815a_GUID iisWasKey
2) Backup applicationhost.config, then delete everything inside the tags below in applicationhost.config. Delete the contents within <configProtectedData> or <providers>.
<configProtectedData>
<providers>