
Having problems adding a certificate to your domain or application pool identity account?

One of the things we run into when migrating an application pool from LocalSystem to an Active Directory service account is that the application can no longer read the private key of its certificate.
In the sample below I had a working environment that ran fine while the application pool identity was set to LocalSystem.
When I changed the application pool identity to an Active Directory service account I got the exception below.

Description: The process was terminated due to an unhandled exception.

Exception Info: System.Security.Cryptography.CryptographicException

at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32)

at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(System.String, IntPtr, UInt32, Boolean, System.Security.Cryptography.X509Certificates.SafeCertContextHandle ByRef)

at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(System.String, System.Object, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)

at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(System.String, System.String)

at PortalApp.Program.Main(System.String[])



The exception is to the point: the process is unable to load the certificate from the certificate store.
At first I was sure that I had forgotten to allow the user to read the private key in the certificate store.
But the actual problem was that the application pool option Load User Profile is set to false by default, and when an application pool identity does not load the user profile, that user cannot load certificates. This is true for both ApplicationPoolIdentity and Active Directory users.

To change the option, you can run the following statements from a PowerShell command line (replace MyApplicationPool with the name of your application pool).


Import-Module WebAdministration
$pool = Get-Item IIS:\AppPools\MyApplicationPool
$pool.processModel.loadUserProfile = $true
$pool | Set-Item


%windir%\System32\inetsrv\appcmd.exe set apppool "MyApplicationPool" /processModel.loadUserProfile:"true"


You will need to change MyApplicationPool to the name of the application pool you want to change.
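Before touching individual pools it helps to see which ones are exposed to this problem at all. The script below is an added example, not code from the original post: it audits every application pool on the server with the WebAdministration module, flags pools that run as a specific (domain) account or as ApplicationPoolIdentity without Load User Profile, and provides a helper that applies the same fix shown above to one pool by name. A second helper checks the other cause the post mentions, the ACL on the certificate's private key, for a given thumbprint; it assumes a CSP (RSA) key in the machine store, and reports when the key is a CNG key it cannot inspect this way. The thumbprint value is a placeholder you must replace.

```powershell
# Added example, not part of the original post. Requires the WebAdministration
# module (IIS) and an elevated PowerShell session.
Import-Module WebAdministration

function Get-AppPoolProfileAudit {
    # One object per application pool: identity type, effective account, and
    # whether the combination is the one that breaks certificate loading.
    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $pm = $pool.processModel
        $identityType = [string]$pm.identityType
        $account = if ($identityType -eq 'SpecificUser') { $pm.userName } else { $identityType }
        [pscustomobject]@{
            Pool            = $pool.Name
            IdentityType    = $identityType
            Account         = $account
            LoadUserProfile = [bool]$pm.loadUserProfile
            # At risk: profile not loaded and identity is a custom or app-pool account
            AtRisk          = (-not [bool]$pm.loadUserProfile) -and
                              ($identityType -in @('SpecificUser', 'ApplicationPoolIdentity'))
        }
    }
}

function Enable-AppPoolUserProfile {
    # Same change as the manual steps above, for a single pool by name.
    param([Parameter(Mandatory)][string]$Name)
    $pool = Get-Item "IIS:\AppPools\$Name"
    $pool.processModel.loadUserProfile = $true
    $pool | Set-Item
}

function Get-CertPrivateKeyAcl {
    # Shows who may read the private key file of a machine-store certificate.
    # Assumes a CSP (RSA) key; CNG keys expose no CspKeyContainerInfo here.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    if ($null -eq $cert.PrivateKey) {
        Write-Warning "Key is not a CSP key (likely CNG); inspect it with certutil -v -store My instead"
        return
    }
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
    (Get-Acl $keyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage: list the pools that need attention, fix one, then confirm the key ACL.
Get-AppPoolProfileAudit | Where-Object AtRisk | Format-Table -AutoSize
# Enable-AppPoolUserProfile -Name 'MyApplicationPool'
# Get-CertPrivateKeyAcl -Thumbprint '<THUMBPRINT-PLACEHOLDER>'
```

Run the audit first and keep its output; after enabling Load User Profile on a pool, a recycle of that pool is needed before the worker process picks up the new setting, and the ACL listing tells you whether the service account actually has Read on the key file or whether that permission still has to be granted through the certificate's Manage Private Keys dialog.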