Re: Security issues with Win2003 and ASPNet app

From: RichardF (noone_at_nowhere.com)
Date: 04/28/05

  • Next message: Joe Kaplan \(MVP - ADSI\): "Re: Security issues with Win2003 and ASPNet app" 
    Date: Thu, 28 Apr 2005 15:04:22 -0500

    The event log says that the identity of my app pool is invalid.

    I created a domain account on the domain server.

    On the SQL Server I gave that account the appropriate permissions.

    On the IIS Server I set the identity of the app pool to use that
    account.

    What did I do wrong this time!!!

    RichardF

    (P.S. Thanks for the help so far - I am learning more that I thought I
    wanted to!)

    On Thu, 28 Apr 2005 12:23:14 -0700, Dominick Baier [DevelopMentor]
    <dbaier@pleasepleasenospamdevelop.com> wrote:

    >Hello RichardF,
    >
    >check the event log! that's most of the time a password typo.
    >
    >but the system log will give you more info.
    >
    >otherwise change the default apppool back to network service - and try adding
    >a new migrating gradually your web apps to this new pool.
    >
    >HTH
    >
    >---------------------------------------
    >Dominick Baier - DevelopMentor
    >http://www.leastprivilege.com
    >
    >> Actually it appears I now get Service Unavailable whenever I try to
    >> access IIS on that machine, even the default root website.
    >>
    >> On Thu, 28 Apr 2005 14:10:53 -0500, RichardF <noone@nowhere.com>
    >> wrote:
    >>
    >>> After installing my web service and web site, they had already been
    >>> added to a default App Pool.
    >>>
    >>> I right clicked the app pool, went to the identity tab and changed it
    >>> to use the domain user account I have created.
    >>>
    >>> Then I added that domain user account to the IIS_WPG group.
    >>>
    >>> When I try to access the web site/service from IE on another machine
    >>> I see my initial logon page but after entering a username/password IE
    >>> displays a Service Unavailable message.
    >>>
    >>> Before I made the changes above, I would get an error indicating that
    >>> SQL had denied me access.
    >>>
    >>> Did I miss something?
    >>>
    >>> RichardF
    >>>
    >>> On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier [DevelopMentor]
    >>> <dbaier@pleasepleasenospamdevelop.com> wrote:
    >>>
    >>>> Hello RichardF,
    >>>>
    >>>> you can configure the identity of your web service using the
    >>>> Application Pool feature of IIS6.
    >>>>
    >>>> Add a new AppPool - give it an identity (local or domain) - and add
    >>>> the web service application to the AppPool (WebApp properties)
    >>>>
    >>>> Add the account to IIS_WPG and give it access to
    >>>> \windows\microsoft.net\framework\v\temporary asp.net files\ and
    >>>> \windows\temp
    >>>>
    >>>> HTH
    >>>>
    >>>> ---------------------------------------
    >>>> Dominick Baier - DevelopMentor
    >>>> http://www.leastprivilege.com
    >>>>> I have an ASP.NET Web Service and Web Site. It accesses a SQL
    >>>>> database for its data and retrieves images from another server.
    >>>>>
    >>>>> There are 4 servers all running Win 2003 as follows...
    >>>>>
    >>>>> 1 - Domain Controller
    >>>>> 2 - SQL Server
    >>>>> 3 - IIS Server (runs Web Service and Web Site)
    >>>>> 4 - File Server (stores all the image files)
    >>>>> I am having lots of issues with permissions because my Web Service
    >>>>> is
    >>>>> running as a user under a LOCAL group IIS_WPG on the IIS Server and
    >>>>> I
    >>>>> don't know how to give it the necessary permissions to access the
    >>>>> SQL
    >>>>> Server and the Images on different machines.
    >>>>> I think what I need to do is create a Domain Account, give it the
    >>>>> appropriate permissions and then somehow get my Web Service to run
    >>>>> using that user account. I did try this using 'impersonate' but
    >>>>> then it appeared i didn't have permission to tun ASP.NET stuff!
    >>>>>
    >>>>> Can anyone give me tips on how to accomplish this, or point me to a
    >>>>> resource that explains how I can accomplish this.
    >>>>>
    >>>>> Thanks for any help
    >>>>>
    >>>>> RichardF
    >>>>>
    >
    >

  • Next message: Joe Kaplan \(MVP - ADSI\): "Re: Security issues with Win2003 and ASPNet app"

    Relevant Pages

    • Re: Error joining domain
      ... related errors in the event log. ... I took the server out of the domain. ... I deleted the account from AD. ... This is a direct link to the Microsoft Public ...
      (microsoft.public.win2000.dns)
    • Re: Computers falling off network
      ... I'd be interested to know if anything shows in the event log on ... either the workstation or server when this happens. ... Server CD support tools folder). ... That causes other issues like computer account ...
      (microsoft.public.win2000.general)
    • Re: Errors publishing to Project Server 2003
      ... Server 2003 and has the services running under the 'Local Service' ... needs to be assigned a 'Log On As' with an account that ... > The last error listed is from the security event log and occurs at the same ... > Component: PjViewMgr ...
      (microsoft.public.project.pro_and_server)
    • Re: I_User account is denied access
      ... get the error message in the system event log: The server ... account, even the accounts we have to run a COM+ ... >> that is hosting multiple websites and associated IP ...
      (microsoft.public.inetserver.iis.security)
    • Re: incoming e-mail and app pool identity
      ... I checked on the account that the timer service is run as, ... with the same account as the Central Admin app pool. ... application pool and under which the Windows SharePoint Services Timer ... The following provides the information about the role of the server farm ...
      (microsoft.public.sharepoint.portalserver)