Shared configuration and password expiration.
Most of you have probably heard of shared configuration. It is a simple and convenient way to centralize IIS configuration among multiple IIS instances. (More info on shared configuration can be found here.)
A step in setting up shared configuration is to provide a user credential that can be used to access the shared configuration. Now, what happens when the password changes for that user? Naturally, the IIS instances that are using the shared configuration will no longer be able to access it on the file share and, therefore, they won't work properly. To fix this, you may be thinking that all you need to do is open IIS Manager and update the password. You may be right, except that you have a chicken-and-egg problem.
Although IIS Manager launches successfully, when you try to connect to the server, you will see the following error:
You guessed it. IIS Manager is unable to read the configuration because it no longer has access to the file share where the configuration file is located, hence the chicken-and-egg problem.
Before we discuss how you can work around this problem, we first need to understand how shared configuration works. Before the IIS config system loads applicationHost.config, it reads redirection.config to see whether shared configuration is enabled. Below is an example of redirection.config (which is located at %windir%\system32\inetsrv\config\):
<configuration>
  <configSections>
    <section name="configurationRedirection" />
  </configSections>
  <configProtectedData>
    <providers>
      <add name="IISRsaProvider" type="" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" keyContainerName="iisConfigurationKey" cspProviderName="" useMachineContainer="true" useOAEP="false" />
    </providers>
  </configProtectedData>
  <configurationRedirection enabled="true" path="\\server\folder" userName="removed" password="[removed]" />
</configuration>
The IIS config system looks at the redirection.config file first.
If configurationRedirection is enabled, then it will try to read the applicationHost.config file from the path using the userName and password.
If configurationRedirection is disabled, it will try to read applicationHost.config from the local file system. So, to temporarily get around the chicken-and-egg problem, open redirection.config in Notepad and set enabled="false". Doing so effectively takes this IIS instance out of shared configuration. More importantly, it now allows you to launch IIS Manager and connect to the server successfully.
After launching IIS Manager, navigate to the Shared Configuration page and enable shared configuration. Once enabled, update the password fields with the new password and click Apply:
Now repeat the same steps on the remaining IIS instances that are using the shared configuration.
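The redirection.config edit from the workaround above can also be scripted, which helps when several IIS instances need the same change. The PowerShell below is an added example, not part of the original post; it assumes the file layout shown earlier and an elevated 64-bit session, and it saves a backup before changing enabled to false.

```powershell
# Added example (not from the original post): take this IIS instance out of
# shared configuration by setting enabled="false" in redirection.config.
# Run elevated, in 64-bit PowerShell so system32 is not redirected to SysWOW64.
param(
    # Location given in the article; pass a copy's path to rehearse the change.
    [string]$Path = (Join-Path $env:windir 'system32\inetsrv\config\redirection.config')
)

$ErrorActionPreference = 'Stop'
# .NET resolves relative paths against the process directory, so make it absolute.
$Path = (Resolve-Path -LiteralPath $Path).Path

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true                  # keep the file's layout intact
$xml.Load($Path)

$node = $xml.SelectSingleNode('/configuration/configurationRedirection')
if ($null -eq $node) {
    throw "No <configurationRedirection> element found in $Path"
}

if ($node.GetAttribute('enabled') -ne 'true') {
    Write-Output 'Shared configuration is already disabled; nothing changed.'
    return
}

# Back up first: the file holds the share path, user name and encrypted password.
$backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $Path, (Get-Date)
Copy-Item -LiteralPath $Path -Destination $backup

# Only the enabled flag changes; path, userName and password stay as they were.
$node.SetAttribute('enabled', 'false')
$xml.Save($Path)

Write-Output "Disabled redirection to $($node.GetAttribute('path')); backup saved as $backup"
```

Once shared configuration has been re-enabled with the new password in IIS Manager, the backup still contains the old encrypted credential and can be deleted.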