In the application pool within IIS, I have changed the identity (in advanced settings) of the application pool which is hosting web services to "NetworkService". I expected my web service to now run with identity "nt authority\network service" but instead it runs with identity Domain\computername$.
I would highly appreciate help on any system or IIS configuration parameters that I might have overlooked or missed.
IIS 7.5
Windows 7 Professional Service Pack 1
Related
I built a WCF Data Service hosted in an ASP NET App that runs with IIS 7.
I'm able to access this service from other computers across the network just fine.
The thing is that I have DefaultAppPool set to NetworkService; if I set it to ApplicationPoolIdentity, then the connection between the WPF applications and the Data Service breaks.
Why? In SQL Server Express 2012 I'm using "NT AUTHORITY\Servicio de red" ("Servicio de red" is "Network Service" in Spanish) mapped to my database.
I understand that NetworkService is present in IIS7 for compatibility with previous versions, and IIS7 introduced ApplicationPoolIdentity to increase security since many applications use NetworkService.
That's why I'd like to be able to use this ApplicationPoolIdentity, but I don't know what setting is necessary for it to work.
My authentication setting is:
Rafael
Did you add IIS APPPOOL\DefaultAppPool to the users in SQL Server? (I assume your SQL Server is on the same machine as the IIS server? If not, then you have to add your computer name from the domain)
I have a web application (developed in ASP.NET 4.0) hosted in IIS 6.0 on a Windows Server 2003 R2 machine. Integrated Windows Authentication is turned on for this web application.
I have hosted a web service (developed using WCF) in IIS 7.5 on a Windows Server 2008 R2 machine. Windows Authentication is enabled for this web application too.
I log on to my local machine using my Windows domain account. When I browse the web application, it asks me for my domain username and password. In the web app, I get my identity correctly.
From my machine (using some other Winform app), if I call the same web application (of a web service), service code executes under my windows identity.
So Integrated Windows Authentication works fine independently for both the web apps hosted in separate IIS on different machines.
The problem comes when the web application is browsed from my local machine and the web page calls the service internally. In this case, the service does not run under my Windows identity as expected. It runs under the identity of the application pool of either the ASP.NET web app or the web service's web app.
I don't want my web service to take responsibility for authenticating the user. It would use simple basicHttpBinding. It will just read the name of the user using CurrentPrincipal or HttpContext etc. Validating the user's identity should be done by IIS only.
Can someone help me to pass on my Windows identity from one IIS to another?
You need to set up Kerberos delegation, as the identity won't be passed to another machine by default.
https://web.archive.org/web/20190419225807/https://blogs.technet.microsoft.com/askds/2008/11/25/fun-with-the-kerberos-delegation-web-site/
I'm a bit confused about ASP.NET: what user does it run under? On IIS 7.5 and on 6.0.
A few of the user accounts that I'm not clear on are
Network Service
IUSR
AppPool
Any clarification on the different users would be appreciated and security considerations/etc.
In summary:
IIS 5.1 (Windows XP) - it's a local ASPNET account
IIS 6 - by default, application pools run under the Network Service account which is a member of IIS_WPG group
IIS 7.0 - still Network Service
IIS 7 SP2 / 7.5 - runs under an ephemeral thing called ApplicationPoolIdentity which maps to an account IIS APPPOOL\ApplicationPool (e.g. IIS APPPOOL\DefaultAppPool). This account is a member of IIS_IUSRS user group
ASP.NET Web Development Server (Cassini) - it's obviously your own account
And it's a good practice to create a custom low-privileged account to run your application especially on PROD environment or when you need to access the network from the application.
ASP.NET by default runs underneath the IIS_IUSRS user group. So if you need to grant permission to allow your application to run, use that group.
My web application is a product which has to deploy to a variety of web servers. Is there a way to determine the account name that the .Net worker process account is using at runtime?
Using .Net 3.5, C#
Thanks in advance
-Pete
Have you tried System.Environment.UserName ?
Edit:
You're right, the environment username doesn't seem to work. Here's something else you could try, which I've tested on IIS 7 / Windows Vista:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
Returns "NT AUTHORITY\NETWORK SERVICE" for me since my default app pool runs as network service.
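As an added example (not code from any of the answers above), a small diagnostic handler that reports the thread token, the authenticated request user and Thread.CurrentPrincipal side by side, so the process identity (app pool account) and an impersonated caller can be told apart on IIS 6 or later. The handler name WhoAmI and the file name WhoAmI.ashx are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Added diagnostic handler (hypothetical name). Save as WhoAmI.ashx in the
// site root and browse to it; it answers in plain text.
public class WhoAmI : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // Token the current thread executes under. Without impersonation this
        // is the application pool account (e.g. NT AUTHORITY\NETWORK SERVICE or
        // IIS APPPOOL\DefaultAppPool); with <identity impersonate="true"/> and
        // Windows Authentication it becomes the caller's account instead.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        bool impersonating = thread.ImpersonationLevel != TokenImpersonationLevel.None;
        context.Response.Write("Thread identity:  " + thread.Name + "\r\n");
        context.Response.Write("Impersonating:    " + impersonating + "\r\n");

        // The authenticated caller as IIS/ASP.NET sees it. Empty when anonymous
        // access is allowed and the client did not authenticate.
        IPrincipal user = context.User;
        string caller = (user != null && user.Identity.IsAuthenticated)
            ? user.Identity.Name
            : "(anonymous)";
        context.Response.Write("HttpContext.User: " + caller + "\r\n");

        // Inside ASP.NET this normally mirrors HttpContext.User; a mismatch
        // means something in the pipeline replaced the principal.
        IPrincipal principal = Thread.CurrentPrincipal;
        context.Response.Write("CurrentPrincipal: "
            + (principal != null ? principal.Identity.Name : "(null)") + "\r\n");

        // Included for comparison with the answer above, which found this
        // value unhelpful for identifying the worker process account.
        context.Response.Write("Environment.UserName: " + Environment.UserName + "\r\n");
    }
}
```

Compare the "Thread identity" line against the "HttpContext.User" line: when they differ, the request is authenticated but the code is still running as the pool account, which is the situation the double-hop question above describes.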
I've a small ASP.NET application which writes logs on the file system in a directory 'Logs'.
I've given the modify permission to the ASP.NET machine account for this folder, which works fine. However, when I tried to deploy it to another server it doesn't work. I have to give the same modify permission to the Network Service account also. Why?
Because that's the account that's used to run the application pools under. So on IIS6 and 7 this will be the case. On workstations with IIS5, you won't have application pools, and so the ASP.NET worker process runs under the local ASPNET account.
Also, it's better to grant the permissions on the IIS_WPG local group, of which the Network Service is a member.
Because on your local machine the IIS worker process runs under the ASP.NET machine account, but on a Windows server the IIS worker process runs under the Network Service account.