Pre-upgrade checks show an error saying "AppPool user Identity does not have access to the private key certificate. Users with access are NT AUTHORITY\SYSTEM, BUILTIN\Administrators, BUILTIN\IIS_IUSRS, S-1-5-5-0-4142690107. … "AppPool user Identity does not have access to the private key certificate."
Issue Description:
Pre-upgrade checks display the error "AppPool user Identity does not have access to the private key certificate."
Users with access are NT AUTHORITY\SYSTEM, BUILTIN\Administrators, BUILTIN\IIS_IUSRS, S-1-5-5-0-4142690107.
Root Cause: The account that runs the AppPool does not have sufficient permissions to access the certificate's private key.
Resolution:
If this issue persists even after access has been granted to IIS_IUSRS, open IIS and check which account the AppPools are running as. If a pool runs as a service account, add that service account by following the steps below. If it runs as the AppPool identity, add the account "IIS AppPool\identity" under Manage Private Keys.
If the private key has not been added to the certificate, add it manually by following the steps below:
- To locate the private key, start Internet Information Services (IIS) Manager and select Application Pools. Find the private key for each service under the Identity column.
- Go to Manage Computer Certificates under Control Panel
- Go to Personal/Certificates
- Right-click the new certificate, then go to All Tasks > Manage Private Keys to add the private key.
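
The same check and grant can be scripted. The following PowerShell is an added example, not part of the original article or the vendor's tooling. It assumes an elevated Windows PowerShell session, an RSA certificate in the Local Computer Personal store, and placeholder values for the thumbprint and pool name. It grants Read only, which is all the worker process needs to use the key.

```powershell
# Added example. <CERT_THUMBPRINT> and <APP_POOL_NAME> are placeholders (assumptions).
param(
    [string]$Thumbprint  = '<CERT_THUMBPRINT>',
    [string]$AppPoolName = '<APP_POOL_NAME>',
    [switch]$Grant   # without -Grant the script only reports
)
Import-Module WebAdministration

# 1. Resolve the account the pool runs as (the Identity column in IIS Manager).
$pm = (Get-Item "IIS:\AppPools\$AppPoolName").processModel
$account = switch ($pm.identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$AppPoolName" }
    'SpecificUser'            { $pm.userName }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    default                   { throw "Unexpected identity type: $($pm.identityType)" }
}

# 2. Find the key file behind the certificate (CNG or legacy CSP storage).
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
           else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$dirs = "$env:ProgramData\Microsoft\Crypto\Keys",
        "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
$keyFile = Get-ChildItem -Path $dirs -Filter $keyName -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found in machine key stores." }

# 3. Report the current ACL and look for a direct Allow/Read entry for the account.
#    Access inherited through group membership (e.g. IIS_IUSRS) is not evaluated here.
$acl  = Get-Acl -Path $keyFile.FullName
$read = [System.Security.AccessControl.FileSystemRights]::Read
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}

# 4. Grant Read only (not Full control) when asked and when it is missing.
if ($hasRead) { "OK: $account already has Read on the private key." }
elseif ($Grant) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    "Granted Read on the private key to $account."
}
else { "MISSING: $account has no direct Read entry; re-run with -Grant to add it." }
```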