I tried to ask this question in VS.NET news groups but folks there refered m
e
to this group. Also this is a RE-Post as I didn't have my question answered
in 3 days.
----------------------------------------------------------------------------
----------------
I am creating a setup application for my ASP.NET web site. I need to make
several directories in that web writable for the account running ASP.NET
application during the installation process - change ACLs on those
directories.
The problem for me is to find out which windows account will be running the
web application I am installing. I need to get this information
programmatically from within the installer.
I would also prefer a method that will work for IIS 5 as well, although
there, I have been told, we could parse machine.config file to extract the
identity information. But if there is some universal WMI call (or some other
technology) that will just give me the identity of an IIS web site or virtua
l
directory that would be great.
If not, please give me some other direction. I really don’t want to give
“Everyone” “Full Control” on those folders.

Thank you.

--
http://www.zbitinc.com

[ Post a follow-up to this message ]

--------------------[vbcol=seagreen] 
refered me[vbcol=seagreen] 
answered[vbcol=seagreen] 
----------------------------------------------------------------------------
----------------[vbcol=seagreen] 
the[vbcol=seagreen] 
the[vbcol=seagreen] 
other[vbcol=seagreen] 
virtual[vbcol=seagreen] 
give[vbcol=seagreen] 

Do you have access to the .NET Framework SDK if so you can use the .Net
WindowsIdentityClass to get the account information...

http://msdn.microsoft.com/library/d...-us/cpref/html/
 frlrfsystemsecurityprincipalwindowsident
ityclasstopic.asp

This should work with both IIS 5 and up ... Let me know if you need any
additional information...

Thanks,
Stefan Schachner
Microsoft Community Tech Lead
This posting is provided �AS IS� with no warranties, and
confers no rights.

[ Post a follow-up to this message ]

Thanks for the reply.
I probably didn't make myself clear.
I would like to know the identity of the ASP.NET user not when running web
application itself already, but before I install it. From within the
installer I have to know which windows user account to give write access to
certain folders within the web that is being installed – please see the
original post. When it's already installed I don't think I can do much there
anymore.
Let me try to explain it in a different way:
1. I am setting up a web application.
2. I am selecting a web or virtual directory to install my app to during
installation.
3. The web application contains the following folders structure:
/html
/html/controls
/html/logs
4. I want to be able to create files inside the /html/logs directory when
the web application runs programmatically
5. To be able to create files in the /html/logs folder a windows user
Account running the web application has to have “write” permission to th
e
/html/logs folder.
6. Because each server is configured differently I can not hardcode any
value (like “ASPNET” or “NETWORK ACCOUNT”) into my setup program. So
 I have
to determine it dynamically when the setup program runs.
7. Hence the question: How to determine the identity of the account running
certain web site or virtual directory?

So, do you have any suggestions?

Thank you.

[ Post a follow-up to this message ]

--------------------[vbcol=seagreen] 
<pj71rDkhEHA.2632@cpmsftngxa10.phx.gbl>[vbcol=seagreen] 
web[vbcol=seagreen] 
to[vbcol=seagreen] 
there[vbcol=seagreen] 
the[vbcol=seagreen] 
So I have[vbcol=seagreen] 
running[vbcol=seagreen] 
For ASP.NET - C#:

Here is a sample that will allow you to get the account information...

// Create a text box called "txtInfo" on an ASP.NET form
// Add "using System.Web.Security;" at the top of the form.
// Add the code below to a new button
// run the form and click the button.
string sInfo = "";
sInfo = "Authentication Information" + "\n";
sInfo += "User:" + "\n";
sInfo += " IdentityIsAuthenticated: " +
User.Identity.IsAuthenticated.ToString() +
"\n";
sInfo += " IdentityName: " + User.Identity.Name + "\n";
sInfo += " IdentityAuthenticationType: " + User.Identity.AuthenticationType
+
"\n";
sInfo += " IsInAdminRole: " + User.IsInRole("Administrators").ToString() +
"\n";
sInfo += "Current User:" + "\n";
sInfo += " WindowsIdentity: " +
System.Security.Principal.WindowsIdentity.GetCurrent().Name + "\n";
sInfo += " AuthenticationType: " +
System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType +
"\n";
txtInfo.Text = sInfo;

IHTH,

Stefan Schachner
Microsoft Community Tech Lead
This posting is provided �AS IS� with no warranties, and
confers no rights.

[ Post a follow-up to this message ]

Dear Stefan,

The information you provide is certainly valuable, but it does NOT answer my
question.
You are answering the questions "How can I find out the identity of a user
running my current ASP.NET application from WITHIN the ASP.NET application
itself?"
This is NOT my question.
My question is "How can I programmatically retrieve identity of an
application pool running an ASP.NET application from EXTERNAL application -
namely an installer app?"

This is very different question and I think is much harder too.

Once again, I am running a separate program (for the sake of simplicity lets
say an exe windows application) and from that EXTERNAL program I need to
somehow find out certain configuration parameters of IIS. The parameter that
I want to find out is the windows user account running one of the webs on th
e
IIS.
I hope that makes it clear. Just in case, I am including 2 of my original
posts in here, which I am asking you to read again please as they do describ
e
the situation in all the details.

Thank you very much.

POST#1:
I am creating a setup application for my ASP.NET web site. I need to make
several directories in that web writable for the account running ASP.NET
application during the installation process - change ACLs on those
directories.
The problem for me is to find out which windows account will be running the
web application I am installing. I need to get this information
programmatically from within the installer.
I would also prefer a method that will work for IIS 5 as well, although
there, I have been told, we could parse machine.config file to extract the
identity information. But if there is some universal WMI call (or some other
technology) that will just give me the identity of an IIS web site or virtua
l
directory that would be great.
If not, please give me some other direction. I really don’t want to give
“Everyone” “Full Control” on those folders.

Thank you.


POST#2:
I probably didn't make myself clear.
I would like to know the identity of the ASP.NET user not when running web
application itself already, but before I install it. From within the
installer I have to know which windows user account to give write access to
certain folders within the web that is being installed – please see the
original post. When it's already installed I don't think I can do much there
anymore.
Let me try to explain it in a different way:
1. I am setting up a web application.
2. I am selecting a web or virtual directory to install my app to during
installation.
3. The web application contains the following folders structure:
/html
/html/controls
/html/logs
4. I want to be able to create files inside the /html/logs directory when
the web application runs programmatically
5. To be able to create files in the /html/logs folder a windows user
Account running the web application has to have “write” permission to th
e
/html/logs folder.
6. Because each server is configured differently I can not hardcode any
value (like “ASPNET” or “NETWORK ACCOUNT”) into my setup program. So
 I have
to determine it dynamically when the setup program runs.
7. Hence the question: How to determine the identity of the account running
certain web site or virtual directory?

So, do you have any suggestions?

""Stefan Schachner[MSFT]"" wrote:

>
> -------------------- 
> <pj71rDkhEHA.2632@cpmsftngxa10.phx.gbl> 
> web 
> to 
> there 
> the 
> So I have 
> running 
> For ASP.NET - C#:
>
> Here is a sample that will allow you to get the account information...
>
> // Create a text box called "txtInfo" on an ASP.NET form
> // Add "using System.Web.Security;" at the top of the form.
> // Add the code below to a new button
> // run the form and click the button.
> string sInfo = "";
> sInfo = "Authentication Information" + "\n";
> sInfo += "User:" + "\n";
> sInfo += " IdentityIsAuthenticated: " +
> User.Identity.IsAuthenticated.ToString() +
> "\n";
> sInfo += " IdentityName: " + User.Identity.Name + "\n";
> sInfo += " IdentityAuthenticationType: " + User.Identity.AuthenticationTyp
e
> +
> "\n";
> sInfo += " IsInAdminRole: " + User.IsInRole("Administrators").ToString() +
> "\n";
> sInfo += "Current User:" + "\n";
> sInfo += " WindowsIdentity: " +
> System.Security.Principal.WindowsIdentity.GetCurrent().Name + "\n";
> sInfo += " AuthenticationType: " +
> System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType 
+
> "\n";
> txtInfo.Text = sInfo;
>
> IHTH,
>
> Stefan Schachner
> Microsoft Community Tech Lead
> This posting is provided “AS IS” with no warranties, and
> confers no rights.
>
>

[ Post a follow-up to this message ]

--------------------[vbcol=seagreen] 
<pj71rDkhEHA.2632@cpmsftngxa10.phx.gbl>
<337918F3-415D-43B8-90EB-662C66892CAC@microsoft.com>
<#oOrQvkhEHA.3936@cpmsftngxa10.phx.gbl>[vbcol=seagreen] 
my[vbcol=seagreen] 
user[vbcol=seagreen] 
application[vbcol=seagreen] 
-[vbcol=seagreen] 
lets[vbcol=seagreen] 
that[vbcol=seagreen] 
the[vbcol=seagreen] 
describe[vbcol=seagreen] 
the[vbcol=seagreen] 
the[vbcol=seagreen] 
other[vbcol=seagreen] 
virtual[vbcol=seagreen] 
give[vbcol=seagreen] 
web[vbcol=seagreen] 
to[vbcol=seagreen] 
there[vbcol=seagreen] 
the[vbcol=seagreen] 
So I have[vbcol=seagreen] 
running[vbcol=seagreen] 
running[vbcol=seagreen] 
access[vbcol=seagreen] 
please see the[vbcol=seagreen] 
much[vbcol=seagreen] 
during[vbcol=seagreen] 
when[vbcol=seagreen] 
permission to[vbcol=seagreen] 
any[vbcol=seagreen] 
into my setup program.[vbcol=seagreen] 
User.Identity.AuthenticationType[vbcol=seagreen] 
User.IsInRole("Administrators").ToString() +[vbcol=seagreen] 
System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType +[vbcol=seagreen] 

Ahhh.. Ok . I am going to need to look into that... Right off hand I can't
think of a way, but I will definatley look into it and see what  I can come
up with...


Thanks,
Stefan Schachner
Microsoft Community Tech Lead
This posting is provided �AS IS� with no warranties, and
confers no rights.

[ Post a follow-up to this message ]

[ Post a follow-up to this message ]

Dear Stefan,

Now we are getting much closer!
Finally I was able to make myself clear.
I do need more details however.
When you say "3.	If IIS6 use WMI or ADSI to read metabase and find the
AppPool that is configured to run the web application, then query for the
Identity that is configured on that AppPool"
that is EXACTLY the essence of my question. That is HOW exactly do I do it?

Any small sample would do. The documentation for WMI and ADSI is so sparse
that it’s very hard (if at all possible) to make out how to get this
information from IIS. Please show me the details.

Yes, we can rely on the assumption that an Administrative account will be
running setup of a web. Also, if you don't want to post this info publicly
you can send me a direct email, although I would think that Anybody who
creates web setups would come across this same problem and this information
would be extremely valuable to them.

Thank you.


""Stefan Schachner[MSFT]"" wrote:

> 
> my 
> user 
> application 
> - 
> lets 
> that 
> the 
> describe 
> the 
> the 
> other 
> virtual 
> give 
> web 
> to 
> there 
> the 
> So I have 
> running 
> running 
> access 
> please see the 
> much 
> during 
> when 
> permission to 
> any 
> into my setup program. 
> User.Identity.AuthenticationType 
> User.IsInRole("Administrators").ToString() + 
> System.Security.Principal.WindowsIdentity.GetCurrent().AuthenticationType 
+ 
> After looking over this issue,  there is a way ... But the account is goin
g
> to need an admin and I am not sure you want that type of information out o
n
> the wire...
>
> So If you can guarantee that the logged on user will have local admin
> permissions and scripting is enabled (some server hardening guides
> recommend disabling scripting) you will be able to:
>
> 1.	Detect IIS version (it's in the registry)
> 2.	If IIS5.x, use FileSystemObjects or WMI to read machine.config and get
> account name
> 3.	If IIS6 use WMI or ADSI to read metabase and find the AppPool that is
> configured to run the web application, then query for the Identity that is
> configured on that AppPool
>
> The user installing the app will determine the user context the "detection
> code" runs in, but a local admin will be required to read the metabase.
>
> Does this make sense?
>
>
> Thanks,
> Stefan Schachner
> Microsoft Community Tech Lead
> This posting is provided “AS IS” with no warranties, and
> confers no rights.
>
>

[ Post a follow-up to this message ]

--------------------[vbcol=seagreen] 
it?[vbcol=seagreen] 
sparse[vbcol=seagreen] 
publicly[vbcol=seagreen] 
information[vbcol=seagreen] 
Ok ... Let me see if I can write something ..

This site also has a number scripts that you can use to access the IIS 6
metabase ...
http://www.iisfaq.com/Default.aspx?tabid=2538

Thanks,
Stefan Schachner
Microsoft Community Tech Lead
This posting is provided �AS IS� with no warranties, and
confers no rights.

[ Post a follow-up to this message ]

--------------------[vbcol=seagreen]
> 
the[vbcol=seagreen] 
be[vbcol=seagreen] 
This a very simple script to retrieve the configured identity of any
specified app pool. It only takes two args � the first is the target server
name, the second is the name of the app pool you are querying. This only
works on IIS6 (no IIS WMI provider on 4 or 5)



 '***************************************
*****************************

'*

'*  This is a sample script only - Not intended for production use

'*

 '***************************************
*****************************



set WshArgs = WScript.Arguments



if WshArgs.Length = 2 then



dim machineName, poolName

machineName = WshArgs(0)

poolName = WshArgs(1)



set providerObj = GetObject("winmgmts://" & machineName &
"/root/MicrosoftIISv2")

set PoolObj = providerObj.get("IIsApplicationPoolSetting='W3SVC/AppPools/"
& poolName & "'")

set PoolMan = providerObj.get("IIsApplicationPool='W3SVC/AppPools/" &
poolName & "'")



if (PoolObj.AppPoolIdentityType = 0) then

WScript.Echo poolName & " is currently configured to run as Local System"

end if



if (PoolObj.AppPoolIdentityType = 1) Then

WScript.Echo poolName & " is currently configured to run as Local Service"

end if



if (PoolObj.AppPoolIdentityType = 2) Then

WScript.Echo poolName & " is currently configured to run as Network
Service"

end if



if (PoolObj.AppPoolIdentityType = 3) Then

WScript.Echo poolName & " is currently configured to run as " &
PoolObj.WAMUserName

end if



else

WScript.Echo "Usage:"

WScript.Echo WScript.ScriptName &" <computer name> <app pool name>"

WScript.Echo "Example:"

WScript.Echo WScript.ScriptName &" MyMachine DefaultAppPool"

end if



IHTH,

Stefan Schachner
Microsoft Community Tech Lead
This posting is provided �AS IS� with no warranties, and
confers no rights.

[ Post a follow-up to this message ]