After upgrade all sites on shared IIS application pool stopped working: During a logon attempt, the user's security context accumulated too many security IDs

Created:

2016-11-16 13:14:08 UTC

Modified:

2017-08-08 13:22:56 UTC

1

Was this article helpful?


Have more questions?

Submit a request

After upgrade all sites on shared IIS application pool stopped working: During a logon attempt, the user's security context accumulated too many security IDs

Applicable to:

  • Plesk 12.0 for Windows
  • Plesk 12.5 for Windows

Symptoms

After Plesk upgrade to Plesk 12 or 12.5 all sites on shared application pool stopped working with error:

503 Service Unavailable or HTTP 400 - Bad Request (Request header too long)

In Event Viewer the following message can be observed:

During a logon attempt, the user's security context accumulated too many security IDs. This is a very unusual situation. Remove the user from some global or local groups to reduce the number of security IDs to incorporate into the security context.

Cause

Starting from Plesk 12 security settings are updated for all subscriptions:

  • Security rules for IUSR_ user will be converted to rules for IWPG_ group.

  • Security rules for IWPD_ or IWAM_plesk (default) users will be converted to rules for IWPG_ group.

  • After upgrade old IUSR_ accounts are not removed from the system, although they are no longer used.

If shared application pool is used, application pool user can be included in huge amount of groups (depending on number of subscriptions assigned to application pool). Such user might not be able to authenticate because the token that is generated during authentication attempts has a fixed maximum size.

Resolution

Switch some or all websites to Dedicated IIS application pool.

For all subscriptions on one particular service plan:

  1. Open Plesk > Service Plans <service_plan_name> > Performance

  2. Check box Dedicated IIS application pool & click Update & Sync button.

For all subscriptions:

From command line run:

"%plesk_bin\\server_pref.exe" --set-iis-app-pool-settings -iis-app-pool-mode dedicated
Have more questions? Submit a request
Please sign in to leave a comment.