IIS error 503 Application pool identity is invalid

Problem

After setting a custom identity for an IIS application pool, the browser shows error 503 Service Unavailable, and the System section of the Event Log on the server contains the following warnings and errors:

Event ID 5021:

The identity of application pool x is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

Event ID 5057:

Application pool x has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

Event ID 5059:

Application pool x has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.

Solution

  • Make sure the custom identity is a member of the IIS_IUSRS local security group.

To add a specific user (custom account) to the IIS_IUSRS group:

  1. Click Start, Administrative Tools, Computer Management.
  2. In the left pane, expand Local Users and Groups.
  3. Select Groups, then double-click IIS_IUSRS.
  4. Add the custom user that you specified earlier for the process model identity.
  5. Stop and restart the Windows Process Activation Service either from Services Snap-in or using command prompt as follows:
    1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    2. Type net stop was /y and press ENTER.
    3. Type net start was and press ENTER.
    4. Type net start w3svc and press ENTER.
  • Make sure the custom identity has the ‘Log on as a batch job’ and ‘Log on as a service’ user rights on the server. These rights can be found in Local Security Policy > Security Settings > User Rights Assignment.
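
The same checks scripted in PowerShell, as an added example that is not part of the original post: it verifies group membership and the two user rights, restarts WAS, and then looks for the three event IDs again. The account name and pool name are placeholders, and the rights check only looks at the account itself and IIS_IUSRS (well-known SID S-1-5-32-568), not at other groups the account may belong to.

```powershell
#Requires -RunAsAdministrator
# Added example. $Account and $Pool are hypothetical placeholders; replace them.
$Account = 'CONTOSO\svc-apppool'
$Pool    = 'MyAppPool'

# Resolve the account to a SID; this fails early if the name is wrong.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# 1. Group membership: add the identity to IIS_IUSRS only if it is missing.
$members = Get-LocalGroupMember -Group 'IIS_IUSRS' -ErrorAction Stop
if ($members.SID.Value -notcontains $sid) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $Account
    "Added $Account to IIS_IUSRS"
}

# 2. User rights: export the local policy and look for the account SID,
#    or the IIS_IUSRS SID, on each of the two rights.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$holders = @("*$sid", '*S-1-5-32-568')
foreach ($right in 'SeBatchLogonRight', 'SeServiceLogonRight') {
    $line    = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
    $entries = if ($line) { ($line.Line -split '=', 2)[1].Split(',').Trim() } else { @() }
    $granted = [bool]($entries | Where-Object { $holders -contains $_ })
    '{0,-20} granted: {1}' -f $right, $granted
}
Remove-Item $cfg

# 3. Restart WAS so it retries the logon (same commands as the manual steps).
$since = Get-Date
net stop was /y
net start was
net start w3svc

# 4. Start the pool if WAS left it stopped, then list any new occurrences
#    of events 5021, 5057 and 5059 in the System log.
Import-Module WebAdministration
if ((Get-WebAppPoolState -Name $Pool).Value -ne 'Started') {
    Start-WebAppPool -Name $Pool
}
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5021, 5057, 5059; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List
```

No output from the last command means none of the three events has been logged since the restart; send one request to the site and run it again, because the pool is only disabled when it receives its first request.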

If these errors appeared after you changed the password for the custom identity:

  • Switch the app pool identity to NetworkService.
  • Switch it back to X using the new password.

Good Luck!
