Last week I found myself debugging an issue with Apple Push Notifications service (APNs) on one of our development servers, and learning a bit about APNs certificates and Windows Server 2008 R2 with IIS 7.5 in the process.
My first task was to try to isolate why the push notifications weren't received by our iOS devices, so I started on my local development machine. I installed the certificates into my personal certificate store, stepped through the notification code, and sure enough I heard my iPad chirping, telling me the notifications were being received. It turned out that the certificates were also missing from the server machine, so it seemed like a simple enough fix.
On the server, I followed the exact same steps to install the certificates, but something still wasn't right. If you find yourself in this same situation, here's a quick list of things to check.
1. Make sure the certificate is installed - there are different certs for development and production, so you may need both of them. You can use the mmc tool (instructions here) to do this step.

2. Check the certificates to see that you do indeed have a private key. If you don't, you'll need to refer to the Apple docs to generate your private key.

3. For my development machine, this is all it took. But for our Windows Server 2008 R2, there was a little more digging involved. Now check the application pool identity of the service that will be sending the notifications. I expected this to be 'Network Service', but it was something new: 'ApplicationPoolIdentity'. Apparently this is new in IIS 7.5: the default pool identity is an account called ApplicationPoolIdentity.

4. Make sure the account from Step 3 has access to the private keys. This is the piece that had me stumped, because I kept getting 'no user name found' for ApplicationPoolIdentity. That's because it is 'hidden', but you can add the group it belongs to instead. To do this, choose All Tasks -> Manage Private Keys, and add the group IIS_IUSRS to the private key, and make sure it has full control.


There! Now the service should be authenticated correctly with the private key and you can send Apple Push Notifications that actually work! To read more about the Apple Push Notifications process itself, you can look here for more info.
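
The checks from steps 1, 2 and 4 can also be scripted. The following is an added example, not part of the original post: it assumes the certificate sits in the `LocalMachine\My` store and uses a CSP-based key, and the subject filter `*Push Services*` and the function name `Get-PrivateKeyAccess` are made up for illustration.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Assumptions: the certificate is in LocalMachine\My, uses a CSP-based key,
# and its subject matches $SubjectFilter (constructed default; adjust it).
param(
    [string]$SubjectFilter = '*Push Services*',
    [string]$Group = 'IIS_IUSRS'
)

function Get-PrivateKeyAccess {
    param($Cert, [string]$Group)

    $r = New-Object PSObject -Property @{
        Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint
        NotAfter = $Cert.NotAfter; HasPrivateKey = $Cert.HasPrivateKey
        KeyFile = $null; GroupRights = $null; Finding = $null
    }
    if (-not $Cert.HasPrivateKey) {          # step 2 of the checklist
        $r.Finding = 'Certificate has no private key'
        return $r
    }
    try {
        # Container name doubles as the key's file name on disk.
        $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    } catch {
        $r.Finding = "Cannot open private key: $($_.Exception.Message)"
        return $r
    }
    if (-not $name) {
        $r.Finding = 'Not a CSP key; inspect it with Manage Private Keys'
        return $r
    }
    $r.KeyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
    # Explicit ACEs for the group only; access through other identities is not evaluated.
    $aces = @((Get-Acl $r.KeyFile).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Group" })
    if ($aces.Count -eq 0) {                 # step 4 of the checklist
        $r.Finding = "$Group has no entry on the private key"
    } else {
        $r.GroupRights = ($aces | ForEach-Object {
            "$($_.AccessControlType): $($_.FileSystemRights)" }) -join '; '
        $r.Finding = 'OK'
    }
    return $r
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $SubjectFilter } |
    ForEach-Object { Get-PrivateKeyAccess $_ $Group } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey, KeyFile, GroupRights, Finding
```

The `GroupRights` column shows exactly which rights the group holds on the key file, so the result of the Manage Private Keys dialog can be reviewed after the fact; every application pool on the machine is a member of IIS_IUSRS, so that entry applies to all of them.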