While browsing your IIS hosted website (or any of the application, virtual directory) you run into the standard Http 500 error message. When you look into the IIS logs for respective site, you find an entry similar to this
2012-08-08 10:10:10 xx.xx.xx.xxxx GET /test.htm - 80 - yy.yy.yy.yyyy Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C; +.NET4.0E;+.NET+CLR+3.5.30729; +.NET+CLR+3.0.30729) 500 0 1346 15
Here the highlighted ones are various status codes
sc-status –> 500
sc-substatus –> 0
sc-win32-status –> 1346
We know that http 5xx error codes are Server Errors and 500.0 means ‘Module or ISAPI error occurred’ [ref: KB]
But this is not much of an help.
Now looking into sc-win32-status 1346, (open cmd –> “net helpmsg 1346” )
It says: “Either a required impersonation level was not provided, or the provided impersonation level is invalid.”
Now this could mean a lot of things and it is possible that something went wrong while you application is trying to internally perform impersonation. But, before you start deep debugging your application, One thing which you must do is -
Check if the Application Pool Identity for the respective application is a part of ‘Impersonate a client after authentication’ policy. It is a requirement that the application pool identity must be a part of this policy, directly or by inherited membership.
To check this policy – go to start –> run –> secpol.msc –> Local Policies –> User Rights Assignment
This is applicable to IIS 6.0 and IIS 7.0/7.5 (and should be other IIS version too) and for all resource types.
PS: Check this KB for default permission for IIS 6.0. This is more or less valid for IIS 7x as well.