Working with IntelliTrace Standalone Collector and Application Pools Under Active Directory Accounts

Imagine a situation where you often configure an ASP.NET web site to run as an Active Directory (AD) user to enable the site to access that user’s network resources. This can be file sharing or any other activity.

You can easily accomplish the above mentioned task by changing the identity of the relevant web site IIS Application Pool.

The following error message will be displayed if you try to use the IntelliTrace Standalone Collector with such an application pool while you are logged in with a local user account

User <domain\username> does not have permissions to read collection plan file “C:\Windows\Temp\DefaultAppPool_collection_plan.ASP.NET.default.xml”

The core problem is that you generally make use of a PowerShell prompt to launch the collector and that PowerShell prompt is running under a non-AD account. If you are a non AD account holder then you cannot query the AD. Hence, the permissions check will fail resulting in the above displayed error message.

Active Directory

In this scenario, you have two options at your disposal

  • Add the AD user account used by the application pool to the machine’s local admin group, log in with that user and then run the collector.
  • Add a different Active Directory user to the local admin group on the machine and run the PowerShell prompt as that user.

Microsoft is considering to enable permissions check optional in future. Hence, if the collector is unable to verify permissions of an Active Directory account, you will view a warning message which prompts you whether to continue or not.

You can provide feedback related to the above mentioned issue on the MSDN Diagnostics forums.

Leave a Comment