IIS Server Security - Application Pool and Identity (Crisis)

Paul Bergson

2005-08-12, 5:58 pm

I'm slowly going crazy trying to get a 2003 web site with a specific
application pool to use a different identity.

I have done the following:
Created a local user named web16\AppPoolSvc
Made AppPoolSvc a member of the group IIS_WPG
Provided NT file permissions

Restarted IISAdmin service to restart all my web services. Ran SysInternal
File monitor and it showed that the database file was denied access to "NT
Authority\Network Service" when I attempted to access the db. So it appears
that the Application Pool is still using the old service account. (?)

So I used some info from a post in here and added the following if they
weren't already applied.

- Ensure that the username/password are supplied correctly in the Web App
Pool properties dialogue
- Ensure that the user account in question has the following NT rights on
the IIS box:

- Replace a Process Level Token (SeAssignPrimaryTokenPrivilege)
- Adjust Memory Quotas for a process (SeIncreaseQuotaPrivilege)
- Generate Security Audits (SeAuditPrivilege)
- Bypass Traverse Checking (SeChangeNotifyPrivilege)
- Access this computer from a network (SeNetworkLogonRight)
- Logon as a Batch Job (SeBatchLogonRight)
- Logon as a Service (SeInteractiveLogonRight)
- Allow Logon Locally (SeInteractiveLogonRight)

(those are the rights that Network Service has by default, so that should be
enough for a custom account)


This didn't work. What the heck am I missing?????????????


The Event Viewer is showing all ok with no errors.


I'm going crazy on this!


--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.



Paul Bergson

2005-08-12, 5:58 pm

I got the stupid thing to work. A virtual directory had the default app
pool instead of the newly defined pool.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"Paul Bergson" <pbergson@allete_nospam.com> wrote in message
news:OXg3lb0nFHA.1204@TK2MSFTNGP12.phx.gbl...
> I'm slowly going crazy trying to get a 2003 web site with a specific
> application pool to use a different identity.
>
> I have done the following:
> Created a local user named web16\AppPoolSvc
> Made AppPoolSvc a member of the group IIS_WPG
> Provided NT file permissions
>
> Restarted IISAdmin service to restart all my web services. Ran
> SysInternal File monitor and it showed that the database file was denied
> access to "NT Authority\Network Service" when I attempted to access the
> db. So it appears that the Application Pool is still using the old
> service account. (?)
>
> So I used some info from a post in here and added the following if they
> weren't already applied.
>
> - Ensure that the username/password are supplied correctly in the Web App
> Pool properties dialogue
> - Ensure that the user account in question has the following NT rights on
> the IIS box:
>
> - Replace a Process Level Token (SeAssignPrimaryTokenPrivilege)
> - Adjust Memory Quotas for a process (SeIncreaseQuotaPrivilege)
> - Generate Security Audits (SeAuditPrivilege)
> - Bypass Traverse Checking (SeChangeNotifyPrivilege)
> - Access this computer from a network (SeNetworkLogonRight)
> - Logon as a Batch Job (SeBatchLogonRight)
> - Logon as a Service (SeInteractiveLogonRight)
> - Allow Logon Locally (SeInteractiveLogonRight)
>
> (those are the rights that Network Service has by default, so that should
> be enough for a custom account)
>
>
> This didn't work. What the heck am I missing?????????????
>
>
> The Event Viewer is showing all ok with no errors.
>
>
> I'm going crazy on this!
>
>
> --
>
>
> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>



Ran Davidovitz

2005-08-16, 2:49 am

When you are working with IIS6 app pools you must make sure that you know
which app pool you work with.
I would also recommend that you add to the MSI you have the script that will
register the application with a new app pool.


"Paul Bergson" <pbergson@allete_nospam.com> wrote in message
news:ugySRB1nFHA.3300@TK2MSFTNGP15.phx.gbl...
>I got the stupid thing to work. A virtual directory had the default app
>pool instead of the newly defined pool.
>
> --
>
>
> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Paul Bergson" <pbergson@allete_nospam.com> wrote in message
> news:OXg3lb0nFHA.1204@TK2MSFTNGP12.phx.gbl...
>
>
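
Added example, not part of the thread and not any poster's code: the cause found above (one virtual directory still assigned to the default pool while the site used the new one) can be checked by resolving the effective `AppPoolId` of every application root in an IIS 6 `MetaBase.xml`, including values inherited from parent keys, and listing the applications that run outside the intended pool together with the account that pool uses. The pool name `SecurePool`, the sample metabase paths and the fallback to identity type 2 when none is set are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed MetaBase.xml fragment (not from the thread). The site root uses the
# custom pool, /reports inherits it, /data is still pinned to DefaultAppPool.
SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0"><MBProperty>
<IIsWebService Location="/LM/W3SVC" AppPoolId="DefaultAppPool"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" AppPoolIdentityType="2"/>
<IIsApplicationPool Location="/LM/W3SVC/AppPools/SecurePool" AppPoolIdentityType="3" WamUserName="web16\\AppPoolSvc"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AppRoot="/LM/W3SVC/1/ROOT" AppPoolId="SecurePool"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/reports" AppRoot="/LM/W3SVC/1/ROOT/reports"/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/data" AppRoot="/LM/W3SVC/1/ROOT/data"
  AppPoolId="DefaultAppPool"/>
</MBProperty></configuration>"""

BUILTIN = {"0": "NT Authority\\Local System", "1": "NT Authority\\Local Service",
           "2": "NT Authority\\Network Service"}

def load(xml_text):
    """Map every metabase key (upper-cased Location) to its attributes."""
    return {el.get("Location").upper(): dict(el.attrib)
            for el in ET.fromstring(xml_text).iter() if el.get("Location")}

def inherited(keys, location, prop):
    """Metabase properties inherit: walk up the path to the nearest key setting prop."""
    path = location.upper()
    while path:
        if prop in keys.get(path, {}):
            return keys[path][prop]
        path = path.rpartition("/")[0]
    return None

def pool_identity(keys, pool):
    """Account the pool's worker process runs as (type 3 = configured WamUserName)."""
    key = "/LM/W3SVC/AppPools/" + pool
    kind = inherited(keys, key, "AppPoolIdentityType") or "2"  # assumed default
    return inherited(keys, key, "WamUserName") if kind == "3" else BUILTIN.get(kind)

def audit(xml_text, expected_pool):
    """Return (app root, effective pool, identity) for apps outside expected_pool."""
    keys, findings = load(xml_text), []
    for loc, attrs in sorted(keys.items()):
        if attrs.get("AppRoot", "").upper() != loc:  # keep application roots only
            continue
        pool = inherited(keys, loc, "AppPoolId")
        if pool and pool.lower() != expected_pool.lower():
            findings.append((attrs["Location"], pool, pool_identity(keys, pool)))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "SecurePool"))
```

On a real IIS 6 server the input would be the contents of `%windir%\system32\inetsrv\MetaBase.xml`; keys without their own `AppRoot` are treated as plain directories inside the parent application.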




Copyright 2003 - 2008 webservertalk.com