In order to keep application secrets out of source code I want to use Integrated Security to connect my ASP.NET MVC application to SQL Server. However, IIS Express uses my development machine's account as the Identity for Integrated Security, which has different permissions from the AppPoolIdentity on production. I want to connect to SQL server using the same permissions in development as in production, which seems like something that should be easy to do, but I have had no luck.
Apparently it is impossible to set the Identity used by IIS Express except using "runas" which I could not get to work: how to run iisexpress app pool under a different identity
Things I've tried:
IIS Express
Create a User in "Edit local users and groups" and add it to "IIS_IUSRS" group.
Create AppPool in IIS Express manager (Jexus manager)
Setting AppPool > ProcessModel > Identity to newly created User, which fails.
(However setting AppPool Identity works in IIS Manager (not express))
Create site and configure path and ApplicationPool
Application successfully launches through Jexus manager, however still using my Windows account like it does launching from Visual Studio
IIS
Create app pool and log in as newly created user (succeeds unlike Jexus manager)
Create and configure site to use https and IIS Express development cert
Get 500 error when trying to launch the same way as with Jexus manager
I would rather launch the app from Visual Studio anyway
Impersonation
Requires credentials in web.config defeating the purpose of Integrated Security
It's important we manage secrets internally so Azure Key vault or other similar 3rd-party solutions are off the table.
It's beginning to seem impossible to configure IIS Express AppPools to use an Identity other than the currently logged in user: Link1 and Link2. The second link describes a method using "runas" from cmd as Admin but using System.Security.Principal.WindowsIdentity.GetCurrent().Name to check the ApplicationPool identity still shows my logged in Identity, not the one I used in the "runas" command.
What are my options? I would like to use Integrated Security for both dev and prod, with the same permissions on each. Is this possible? Is there an equivalent workaround?
I am not able to change Application Pool Identity. I am using IIS 7.5 on Windows 7, 32-bit. I want to create username jdl\UEServices. Here is my attachment:
You cannot create accounts in IIS. In IIS you configure the process to run under an existing account.
Therefore, the account must be created in Active Directory or in the control panel under accounts.
I'm trying to deploy my ASP.NET website locally to IIS 7.5 on Windows 7, and I keep receiving the same error. I've never deployed to IIS before.
Error:
Authorization: Cannot verify acces to path (c:\inetpub\wwwroot\website)
Message:
The server is configured to use pass-through authentication with a
built-in account to access the specified physical path. However, IIS
Manager cannot verify whether the built-in account has access. Make
sure that the application pool identity has Read access to the
physical path. If this server is joined to a domain, and the
application pool identity is NetworkService or LocalSystem, verify
that \$ has Read access to the physical path.
Then test these settings again.
I'm using the .NET Framework 4.0.30319
It was to do with the permissions set in the Application Pool; they must be correct in order for the application to run locally on IIS.
Application Pools
-> Right click Pool
-> Advanced Settings
-> Process Model
-> Identity
And my identity was set to the email used for the particular application
I am asking about the account of the user which runs the ASP.NET/IIS (or Cassini or IIS Express) application. I am asking about the defaults. There is very much confusion out there. Googling shows me a lot of types of users, for example,
my-computer-name\myname user,
IIS APPPOOL\ASP.NET v4 user,
IIS_WPG,
IIS_IUSRS user,
Network service user,
AspNet user,
IUSR_MachineName user,
IIS_IUSRS user,
IUSR user,
IIS_WPG user,
IWAM_computername user,
IIS APPPOOL\DefaultAppPool user.
These are quite confusing.
Cassini runs under the account that started VS. So the default would be the currently logged-in Windows user; runas will run it under a specific user account.
Application on IIS runs using an application pool. Here is a snippet from the default site:
Every Application pool can be configured using Advanced settings:
I should also point out possible impersonation, where the context runs under an impersonated user. This user can be provided by IIS or using code. Here is a sample of how to configure IIS impersonation (Authentication tab for the specific app):
Hope this helps!
Well, for one this is different based on the version of Windows that you are running. And second, you are asking about 3 different servers. So that is probably what is making it confusing.
Development servers
First, the easiest one: Cassini. This server runs under the same account and with the same privileges as the Visual Studio instance that it's started from. Usually, this is just your own Windows account.
IIS Express uses the exact same code-base as IIS, but it will run under your own Windows account as well, the same account that started Visual Studio (or Web Matrix for that matter).
IIS 6.0
Now for IIS proper. Here you may find many accounts. First of all, the 'old' IIS 6.0 that you will still find on Windows Server 2003 machines would use the following accounts:
Network Service (default and recommended worker processes identity for application pools in IIS 6.0 and above)
Local Service (pretty limited access)
Local System (used for the worker process when running in 'IIS 5.0 isolation mode', member of Administrators and has full access)
IIS_WPG (short for Worker Process Group, not an account, but a group, worker process identities should be member of this group, to get minimal required permissions)
IUSR_ComputerName (not used for a worker process, but rather to map anonymous visitors to a Windows account)
IWAM_{ComputerName} (for IIS 5.0 isolation mode, you'd typically use application pools for isolation nowadays)
ASPNET (also for IIS 5.0 isolation mode, it looks like the ASP.NET account, but in most cases it isn't)
(This list is based on the TechNet article IIS and Built-in Accounts (IIS 6.0).)
IIS 7 and above
For IIS 7, some of those listed above are no longer relevant, and some are replaced. Since these accounts are built in to Windows, they have the same SID everywhere, which may come in handy now and then.
If you upgraded a server from Windows 2003 to Windows 2008, or if you install IIS 6.0 compatibility features or older IIS components, you may have the old and the new accounts on one machine.
IUSR (*replaces IUSR_{ComputerName}, so used to map anonymous users by default*)
IIS_IUSRS (*replaces the IIS_WPG group, and so is not an account but rather a group*)
(This is based on the article Understanding Built-In User and Group Accounts in IIS 7.)
AppPool identities (since IIS 7.0)
This list is now almost complete, but we still need to understand a special type of account: the 'dynamic' AppPool identities. These are not actual accounts on the machine like the others, e.g. you can't find them listed as users in Windows. But they are virtual accounts created on the fly for the application pools, if you choose the ApplicationPoolIdentity option.
If you need to give such an account access privileges to a file or folder, you can still search for the account by typing: IIS AppPool\{DefaultAppPool} (replace {DefaultAppPool} with the name of the application pool that you created).
(You can read more about this in Application Pool Identities on iis.net.)
When you install .NET 4.0, then IIS adds a new application pool to be able to run new .NET 4.0 web applications alongside the existing .NET 2.0 web applications. The installer gives this application pool the name ASP.NET v4.0, and uses the option ApplicationPoolIdentity. Hence a dynamic account is created for this new application pool, whether you use it or not.
I've a small ASP.NET application which writes logs on the file system in a directory 'Logs'.
I've given the Modify permission to the ASP.NET machine account for this folder, which works fine. However, when I tried to deploy it to another server it doesn't work. I have to give the same Modify permission to the Network Service account also. Why?
Because that's the account that's used to run the application pools under. So on IIS6 and 7 this will be the case. On workstations with IIS5, you won't have application pools, and so the ASP.NET worker process runs under the local ASPNET account.
Also, it's better to grant the permissions on the IIS_WPG local group, of which the Network Service is a member.
Because on your local machine the IIS worker process runs under the ASP.NET machine account, but on a Windows server the IIS worker process runs under the Network Service account.
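The three threads above all come down to one operation: find out which Windows account the application pool actually runs as, then grant that account (and only that account) the NTFS right the application needs, Read on the site's physical path for the "cannot verify access to path" error, Modify on the Logs folder for the last question. The following PowerShell is an added example, not code from any of the posts or from Microsoft; it assumes the WebAdministration module that ships with IIS 7.x and later, an elevated session, and placeholder pool name and paths (DefaultAppPool, C:\inetpub\wwwroot\website). It maps each identityType to the account name NTFS understands, including the virtual IIS AppPool\<pool name> account that never shows up in the local Users list, then re-reads the ACL to confirm the entry was written.

```powershell
# Added example (not from the posts above). Assumes the WebAdministration module
# (IIS 7.x+) and an elevated PowerShell session; pool name and paths are placeholders.
Import-Module WebAdministration

# Map an application pool's configured identityType to the account name that
# NTFS ACLs resolve. For ApplicationPoolIdentity this is the virtual account
# "IIS AppPool\<pool name>", which does not exist as a local user.
function Get-AppPoolAccountName {
    param([Parameter(Mandatory)][string]$PoolName)

    $pool = Get-Item "IIS:\AppPools\$PoolName"
    switch ($pool.processModel.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$PoolName" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $pool.processModel.userName }
        default { throw "Unknown identityType '$($pool.processModel.identityType)' on pool '$PoolName'" }
    }
}

# Grant one right (ReadAndExecute for the site folder, Modify for a log folder)
# to the pool's account, inherited by files and subfolders, then return the
# ACL entries that now name that account so the caller can verify the result.
function Grant-AppPoolAccess {
    param(
        [Parameter(Mandatory)][string]$PoolName,
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('ReadAndExecute', 'Modify')][string]$Rights = 'ReadAndExecute'
    )

    $account   = Get-AppPoolAccountName -PoolName $PoolName
    $rights    = [System.Security.AccessControl.FileSystemRights]$Rights
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    # Resolving $account to a SID fails here if the pool (and thus its virtual
    # account) does not exist yet, which is the error you want in that case.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $rights, $inherit, $propagate, $allow)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Verify by re-reading the ACL. The virtual account is displayed as
    # "IIS APPPOOL\<name>"; -eq is case-insensitive in PowerShell, so it matches.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $account } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
}

# Usage with placeholder values: Read on the physical path, Modify only on Logs.
Grant-AppPoolAccess -PoolName 'DefaultAppPool' -Path 'C:\inetpub\wwwroot\website'
Grant-AppPoolAccess -PoolName 'DefaultAppPool' -Path 'C:\inetpub\wwwroot\website\Logs' -Rights Modify
```

Granting Modify only on the Logs subfolder rather than on the whole site keeps the worker process from being able to rewrite its own content; granting to the pool's account rather than to your own user is what makes the permissions identical between machines, which is what the first question is after. Under IIS Express or Cassini none of this applies, since, as the long answer explains, the process simply runs as the logged-in user who started Visual Studio.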