LoadUserProfile on AppPool

If you deploy the REST service to communicate with a remote transactional queue on a separate web server (not on the BizTalk server) there’s an extra gotcha. In my case I determined the MSMQ queue to send to via a business rule. That means I had to run my service under a user account that has rights to access the business rule engine on the remote server. Every time I got the general error ‘invalid certificate’. The solution was to go to the application pool under IIS, choose Advanced Settings and then set Load User Profile = True.

If Load User Profile is set to True, the user profile is loaded every time the application pool starts. The biggest side effect of loading the user profile concerns the temp directory. If the user profile is not loaded, the %temp% environment variable points to the windows\temp directory, which everybody can write to. If the user profile is loaded, the %temp% environment variable points to a dedicated directory to which only that user has access. So if your DefaultAppPool runs as “IIS AppPool\DefaultAppPool”, the %temp% variable would point to the C:\Users\DefaultAppPool\AppData\Local\Temp directory, and only DefaultAppPool and Administrators would have write access to it.
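To make the change scriptable and to verify the temp-directory side effect described above, here is an added PowerShell example (not from the original post). It assumes an elevated session with the WebAdministration module available, takes the pool name as a parameter, and reports which identities can write to the shared windows\temp directory versus the pool’s profile temp directory.

```powershell
# Added example: audit/enable Load User Profile on an IIS application pool
# and compare write access on the two possible %temp% locations.
# Assumptions: elevated PowerShell, WebAdministration module (IIS 7.5+),
# pool identity is the virtual account "IIS AppPool\<PoolName>".
param(
    [string]$PoolName = 'DefaultAppPool'   # assumption: pool to audit
)

Import-Module WebAdministration

$poolPath = "IIS:\AppPools\$PoolName"
if (-not (Test-Path $poolPath)) { throw "Application pool '$PoolName' not found" }

# Read the current processModel.loadUserProfile value (False means the
# worker process gets the shared windows\temp as %temp%)
$processModel = Get-ItemProperty $poolPath -Name processModel
$current = [bool]$processModel.loadUserProfile
Write-Host "Load User Profile on '$PoolName' is currently: $current"

if (-not $current) {
    Set-ItemProperty $poolPath -Name processModel.loadUserProfile -Value $true
    Restart-WebAppPool -Name $PoolName   # the profile is loaded when the pool starts
    Write-Host "Enabled Load User Profile and recycled '$PoolName'"
}

# The profile directory C:\Users\<PoolName> only exists once a worker
# process has started with the profile loaded (i.e. after the first request).
$profileTemp = Join-Path $env:SystemDrive "Users\$PoolName\AppData\Local\Temp"
$sharedTemp  = Join-Path $env:SystemRoot 'Temp'

function Show-WriteAccess([string]$Path) {
    if (-not (Test-Path $Path)) { Write-Host "$Path does not exist (yet)"; return }
    Write-Host "Identities with write-capable rights on ${Path}:"
    (Get-Acl $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -match 'Write|Modify|FullControl') } |
        ForEach-Object { Write-Host ("  {0,-40} {1}" -f $_.IdentityReference, $_.FileSystemRights) }
}

Show-WriteAccess $sharedTemp    # typically broad: Users, Everyone, ...
Show-WriteAccess $profileTemp   # expected: the pool identity, SYSTEM, Administrators
```

Run it once before and once after sending a request to the site to see the profile temp directory appear with its restricted ACL.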

In general, enabling Load User Profile can be a good idea if you have a security issue you can’t explain.

As far as I can see there are no performance implications of using this setting.