I faced the following issue.
I run the following code
var binaryData = File.ReadAllBytes(pathToPfxFile);
var cert = new X509Certificate2(binaryData,
I mean if it's a "good" thing then why it is not "on" by default and why is it there after all?
IIS 6 never loaded user profiles. I would assume this is off by default to keep the behavior consistent, and an administrator has to opt-in to it.
I tried to enable LoadUserProfile for the application pool and it works now.
This is most likely because the Windows Cryptographic Service Provider was trying to store or load a key for your certificate in the user store, and since a profile was not available, a cryptographic context was not available. Note that the Load User Profile
setting only applies to user accounts. Service Accounts like NETWORK SERVICE and ApplicationPoolIdentity have special handling.
What exactly happens when I set LoadUserProfile in IIS pool
Well, the user profile is loaded. This includes their cryptographic store, environment variables such as %TEMP%, and other ones.
What it eventually boils down to is LoadUserProfile is called by IIS when the AppPool starts.
what negative consequences can it have?
It may break backwards compatibility with an app that ran on IIS 6, which didn't load the user profile. The environment variables are loaded. For example, when Load User Profile is true, the %TEMP% environment variable is C:\Users\AccountName\AppData\Local\Temp
(for example). When false, it's C:\WINDOWS\Temp
.