This evening, we kept receiving the Error "Value does not fall within the expected range" when trying to configure a custom identify for an IIS Application Pool. In this case, it was IIS 8 on Server 2012 R2 but we've also seen issues posted for Version 7.

For those who don't want or have time to follow my journey, head on down to the end to "The Answer".

We knew the issue wasn't something we entered: a bad credential rendered an error, and a bad username did the same. So at runtime, everything was great. It was something to do with trying to save the setting.

Event logs, ho!

To figure out how to resolve this, we went into the event viewer. There was nothing in the Application log, so we headed down to Applications and Services Logs => Microsoft => Windows => IIS-Configuration. The logs in here are disabled by default, so they have to be enabled. (To do so, right-click the log, and choose Enable Log.) Once enabled, re-run the attempt to set the identity, and refresh the view (Actions pane or F5), and now we have some more information on the error. In the results were two Errors (event ID 42 and 43). 

ID 42: Failed to initialize the 'IISWASOnlyAesProvider' encryption provider in '\\?\C:\windows\system32\inetsrv\config\applicationHost.config'. Please check your configuration.

ID 43: Failed to encrypt attribute 'Microsoft.ApplicationHost.AesProtectedConfigurationProvider'.

Now we know the issue identified with ID 42 was the cause of the issue identified in 43. The IISWASOnlyAesProvider encryption provider's inability to load was the root cause of the inability to encrypt. Since it mentioned the applicationHost.config file, let's take a look at it.

We tried renaming [Note: Rename, not delete] the config file, and restarting IIS, but that didn't work:

C:\>net stop was /y
The following services are dependent on the Windows Process Activation Service s
Stopping the Windows Process Activation Service service will also stop these ser
   World Wide Web Publishing Service
The World Wide Web Publishing Service service is stopping.
The World Wide Web Publishing Service service was stopped successfully.
The Windows Process Activation Service service is stopping.
The Windows Process Activation Service service was stopped successfully.
C:\>net start w3svc
System error 1068 has occurred.
The dependency service or group failed to start.

The Answer

Luckily, we were able to obtain a clean configuration file. We replace the applicationHost.config file (C:\windows\system32\inetsrv\config\applicationHost.config), and restarted services again:
net stop was /y
net start w3svc

After that, we were able to successfully make the changes.

We have tried to find the offending setting, but so far have not had any luck. Hopefully knowing that you can swap out the applicationHost.config file will help you out.

Lessons Learned
  • Always keep a clean copy of this file on hand
  • Ensure the file is always backed up