| Author |
Commerce Server 2007 installation - app pool settings
|
|
| CodeDigger 2006-08-29, 2:52 pm |
| I have completed the Post intallation tasks] for Commerce Server 2007 to a tee (except I installed the Biztalk adapters before not after the post installation tasks).
I have the CatalogWebSvcAppPool which runs under the CatalogWebSvc identity.
CatalogWebServiceAppPool .\CatalogWebSvc
MarketingWebSvcAppPool .\MarketingWebSvc
OrdersWebSvcAppPool . \OrdersWebSvc
ProfilesWebSvcAppPool .\ProfilesWebSvc
When I go to I get http://localhost/CatalogWebService/...WebService.asmx
I get Access is denied.
Which is understandable as I am logged in as myself, not CatalogWebSvc. However when I set the identity of the CatalogWebServiceAppPool to [myself] then all is fine.
Questions is - why should the application pools be configured this way - for production? How should it be for developers?
Also what is the impact of making this change? | |
| Sudha Raghavan [MSFT] 2006-08-30, 7:24 pm |
| Have you given CatalogWebSvc identity access to the correct DBs, Azman
files etc as specified in the installation guide?
Thanks
Sudha
--------------------
From: CodeDigger <CodeDigger.2dbtkb@mail.webservertalk.com>
Subject: Commerce Server 2007 installation - app pool settings
Date: Tue, 29 Aug 2006 14:52:23 -0500
Message-ID: <CodeDigger.2dbtkb@mail.webservertalk.com>
Organization: Web Servers forum
User-Agent: www.webservertalk.com news gateway
X-Newsreader: www.webservertalk.com news gateway
X-Originating-IP: 70.26.112.25
Newsgroups: microsoft.public.commerceserver.general
NNTP-Posting-Host: starfire.mcse.ms 66.98.192.98
Lines: 1
Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl!leafnode.mcs
e.ms!news
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.commerceserver.general:18277
X-Tomcat-NG: microsoft.public.commerceserver.general
I have completed the Post intallation tasks] for Commerce Server 2007
to a tee (except I installed the Biztalk adapters before not after the
post installation tasks).
I have the CatalogWebSvcAppPool which runs under the CatalogWebSvc
identity.
CatalogWebServiceAppPool .\CatalogWebSvc
MarketingWebSvcAppPool .\MarketingWebSvc
OrdersWebSvcAppPool . \OrdersWebSvc
ProfilesWebSvcAppPool .\ProfilesWebSvc
When I go to I get
http://localhost/CatalogWebService/...WebService.asmx
I get Access is denied.
Which is understandable as I am logged in as myself, not CatalogWebSvc.
However when I set the identity of the CatalogWebServiceAppPool to
[myself] then all is fine.
Questions is - why should the application pools be configured this way
- for production? How should it be for developers?
Also what is the impact of making this change?
--
CodeDigger
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message1630341.html
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2005 Microsoft Corporation. All rights
reserved.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
Have a Commerce Server “How To” question? Help is a click away at our
Chats, Newsgroups and Web logs
Chats (2nd Wednesday of the month from 11 to Noon):
http://www.msdn.microsoft.com/chats/
Public newsgroups:
http://www.microsoft.com/technet/co...r/commerce.mspx
Web logs and community:
http://www.microsoft.com/commercese...ty/default.mspx
Other resources:
http://www.microsoft.com/technet/pr...02/default.mspx
| |
| CodeDigger 2006-08-31, 5:43 pm |
| [QUOTE]Originally posted by Sudha Raghavan [MSFT]
[B]Have you given CatalogWebSvc identity access to the correct DBs, Azman
files etc as specified in the installation guide?
Thanks
Sudha
--------------------
YES, like I said - I followed the installation instructions to a tee.
Which brings to mind the question - why assign the web services to run under different accounts - wont that deny the logged on (interactive) user if he isnt that user (CatalogWebSvc). Also the Business User Applications are suppsed to use all the web services, so how can the logged on user possibly get access to them? I dont understand this permission model. | |
| Søren Spelling Lund 2006-08-31, 7:36 pm |
| CodeDigger wrote:
>
> I have completed the Post intallation tasks] for Commerce Server 2007
> to a tee (except I installed the Biztalk adapters before not after the
> post installation tasks).
>
>
> I have the CatalogWebSvcAppPool which runs under the CatalogWebSvc
> identity.
>
>
> CatalogWebServiceAppPool .\CatalogWebSvc
> MarketingWebSvcAppPool .\MarketingWebSvc
> OrdersWebSvcAppPool . \OrdersWebSvc
> ProfilesWebSvcAppPool .\ProfilesWebSvc
>
>
>
> When I go to I get
> http://localhost/CatalogWebService/...WebService.asmx
>
> I get Access is denied.
>
> Which is understandable as I am logged in as myself, not
> CatalogWebSvc. However when I set the identity of the
> CatalogWebServiceAppPool to [myself] then all is fine.
>
> Questions is - why should the application pools be configured this way
> - for production? How should it be for developers?
>
> Also what is the impact of making this change?
Did you add the apppool users to the IIS_WPG group on the machine? Any
errors in the Event log?
--
| |
| CodeDigger 2006-08-31, 7:36 pm |
| YES, like I said - I followed the installation instructions to a tee.
Which brings to mind the question - why assign the web services to run under
different accounts - wont that deny the logged on (interactive) user if he
isnt that user (CatalogWebSvc). Also the Business User Applications are supp
sed to use all the web services, so how can the logged on user possibly get
access to them? I dont understand this permission model.
"Sudha Raghavan [MSFT]" wrote:
> Have you given CatalogWebSvc identity access to the correct DBs, Azman
> files etc as specified in the installation guide?
>
> Thanks
> Sudha
> --------------------
| |
| CodeDigger 2006-08-31, 7:36 pm |
| YES, like I said - I followed the installation instructions to a tee.
No errors in the Event log.
Which brings to mind the question - why assign the web services to run under
different accounts - wont that deny the logged on (interactive) user if he
isnt that user (CatalogWebSvc). Also the Business User Applications are supp
sed to use all the web services, so how can the logged on user possibly get
access to them? I dont understand this permission model.
"Søren Spelling Lund" wrote:
> Did you add the apppool users to the IIS_WPG group on the machine? Any
> errors in the Event log?
| |
| Søren Spelling Lund 2006-09-01, 1:28 pm |
| CodeDigger wrote:
> YES, like I said - I followed the installation instructions to a tee.
>
> No errors in the Event log.
>
> Which brings to mind the question - why assign the web services to
> run under different accounts - wont that deny the logged on
> (interactive) user if he isnt that user (CatalogWebSvc). Also the
> Business User Applications are supp sed to use all the web services,
> so how can the logged on user possibly get access to them? I dont
> understand this permission model.
It won't because the webservices aren't running with impersonation
enabled which means that the service authenticates itself to the
backend as the user specified in the AppPool Identity.
--
| |
| CodeDigger 2006-09-01, 7:40 pm |
|
"Sren Spelling Lund" wrote:
> It won't because the webservices aren't running with impersonation
> enabled which means that the service authenticates itself to the
> backend as the user specified in the AppPool Identity.
So is this a production permission model setup? What should we do as
Developers when we need to run the Business user applications which require
all the web services to be accessible to the logged-on (current) user?
| |
| Sudha Raghavan [MSFT] 2006-09-01, 7:40 pm |
| If you get an access denied when accessing the catalog web service, you are
getting it from IIS.
Have you enabled "Integrated Windows Authentication" for the Catalog Web
Service? Is the logged in user trying to access the web service a valid
domain user?
Thanks
Sudha
--------------------
Thread-Topic: Commerce Server 2007 installation - app pool settings
thread-index: AcbNT8sGIkwJiiMVQjWikaFFeUsZkw==
X-WBNR-Posting-Host: 70.26.112.25
From: =?Utf-8?B?Q29kZURpZ2dlcg==?= <CodeDigger@discussions.microsoft.com>
References: <CodeDigger.2dbtkb@mail.webservertalk.com>
<XlXaD0HzGHA.400@TK2MSFTNGXA01.phx.gbl>
Subject: RE: Commerce Server 2007 installation - app pool settings
Date: Thu, 31 Aug 2006 15:50:01 -0700
Lines: 17
Message-ID: <C8D94F8E-6B7D-4DE6-9198-ECD3E73D7183@microsoft.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
Newsgroups: microsoft.public.commerceserver.general
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.commerceserver.general:18297
NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
X-Tomcat-NG: microsoft.public.commerceserver.general
YES, like I said - I followed the installation instructions to a tee.
Which brings to mind the question - why assign the web services to run under
different accounts - wont that deny the logged on (interactive) user if he
isnt that user (CatalogWebSvc). Also the Business User Applications are supp
sed to use all the web services, so how can the logged on user possibly get
access to them? I dont understand this permission model.
"Sudha Raghavan [MSFT]" wrote:
> Have you given CatalogWebSvc identity access to the correct DBs, Azman
> files etc as specified in the installation guide?
>
> Thanks
> Sudha
> --------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2005 Microsoft Corporation. All rights
reserved.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
Have a Commerce Server “How To” question? Help is a click away at our
Chats, Newsgroups and Web logs
Chats (2nd Wednesday of the month from 11 to Noon):
http://www.msdn.microsoft.com/chats/
Public newsgroups:
http://www.microsoft.com/technet/co...r/commerce.mspx
Web logs and community:
http://www.microsoft.com/commercese...ty/default.mspx
Other resources:
http://www.microsoft.com/technet/pr...02/default.mspx
| |
| CodeDigger 2006-09-01, 7:40 pm |
| Yes Integrated Security was always turned on. And yes the logged in user is a
System Administrator - a valid user on the domain/workgroup
| |
| Søren Spelling Lund 2006-09-04, 1:23 pm |
| CodeDigger wrote:
>
>
> "Sren Spelling Lund" wrote:
>
>
> So is this a production permission model setup? What should we do as
> Developers when we need to run the Business user applications which
> require all the web services to be accessible to the logged-on
> (current) user?
You just add the developers to the relevant groups on Authorization
Manager (AzMan). I run each of my developers as admin in the Business
Tools as they need full access to do modifications.
--
|
|
|
|