Re: Security issues with Win2003 and ASPNet app

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 04/29/05 

Date: Thu, 28 Apr 2005 23:00:43 -0700

Hello Joe,

and have you cleared "has to change password on first login" ??

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Did you try logging in to the server with that domain account to be
> sure that you have the credentials right and it can log on locally?
>
> Joe K.
>
> "RichardF" <noone@nowhere.com> wrote in message
> news:73g271h1f1l3or2cvpofouc8odl04joh11@4ax.com...
>
>> The event log says that the identity of my app pool is invalid.
>>
>> I created a domain account on the domain server.
>>
>> On the SQL Server I gave that account the appropriate permissions.
>>
>> On the IIS Server I set the identity of the app pool to use that
>> account.
>>
>> What did I do wrong this time!!!
>>
>> RichardF
>>
>> (P.S. Thanks for the help so far - I am learning more that I thought
>> I wanted to!)
>>
>> On Thu, 28 Apr 2005 12:23:14 -0700, Dominick Baier [DevelopMentor]
>> <dbaier@pleasepleasenospamdevelop.com> wrote:
>>
>>> Hello RichardF,
>>>
>>> check the event log! that's most of the time a password typo.
>>>
>>> but the system log will give you more info.
>>>
>>> otherwise change the default apppool back to network service - and
>>> try
>>> adding
>>> a new migrating gradually your web apps to this new pool.
>>> HTH
>>>
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
>>>> Actually it appears I now get Service Unavailable whenever I try to
>>>> access IIS on that machine, even the default root website.
>>>>
>>>> On Thu, 28 Apr 2005 14:10:53 -0500, RichardF <noone@nowhere.com>
>>>> wrote:
>>>>
>>>>> After installing my web service and web site, they had already
>>>>> been added to a default App Pool.
>>>>>
>>>>> I right clicked the app pool, went to the identity tab and changed
>>>>> it to use the domain user account I have created.
>>>>>
>>>>> Then I added that domain user account to the IIS_WPG group.
>>>>>
>>>>> When I try to access the web site/service from IE on another
>>>>> machine I see my initial logon page but after entering a
>>>>> username/password IE displays a Service Unavailable message.
>>>>>
>>>>> Before I made the changes above, I would get an error indicating
>>>>> that SQL had denied me access.
>>>>>
>>>>> Did I miss something?
>>>>>
>>>>> RichardF
>>>>>
>>>>> On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier [DevelopMentor]
>>>>> <dbaier@pleasepleasenospamdevelop.com> wrote:
>>>>>
>>>>>> Hello RichardF,
>>>>>>
>>>>>> you can configure the identity of your web service using the
>>>>>> Application Pool feature of IIS6.
>>>>>>
>>>>>> Add a new AppPool - give it an identity (local or domain) - and
>>>>>> add the web service application to the AppPool (WebApp
>>>>>> properties)
>>>>>>
>>>>>> Add the account to IIS_WPG and give it access to
>>>>>> \windows\microsoft.net\framework\v\temporary asp.net files\ and
>>>>>> \windows\temp
>>>>>>
>>>>>> HTH
>>>>>>
>>>>>> ---------------------------------------
>>>>>> Dominick Baier - DevelopMentor
>>>>>> http://www.leastprivilege.com
>>>>>>> I have an ASP.NET Web Service and Web Site. It accesses a SQL
>>>>>>> database for its data and retrieves images from another server.
>>>>>>>
>>>>>>> There are 4 servers all running Win 2003 as follows...
>>>>>>>
>>>>>>> 1 - Domain Controller
>>>>>>> 2 - SQL Server
>>>>>>> 3 - IIS Server (runs Web Service and Web Site)
>>>>>>> 4 - File Server (stores all the image files)
>>>>>>> I am having lots of issues with permissions because my Web
>>>>>>> Service
>>>>>>> is
>>>>>>> running as a user under a LOCAL group IIS_WPG on the IIS Server
>>>>>>> and
>>>>>>> I
>>>>>>> don't know how to give it the necessary permissions to access
>>>>>>> the
>>>>>>> SQL
>>>>>>> Server and the Images on different machines.
>>>>>>> I think what I need to do is create a Domain Account, give it
>>>>>>> the
>>>>>>> appropriate permissions and then somehow get my Web Service to
>>>>>>> run
>>>>>>> using that user account. I did try this using 'impersonate' but
>>>>>>> then it appeared i didn't have permission to tun ASP.NET stuff!
>>>>>>> Can anyone give me tips on how to accomplish this, or point me
>>>>>>> to a resource that explains how I can accomplish this.
>>>>>>>
>>>>>>> Thanks for any help
>>>>>>>
>>>>>>> RichardF
>>>>>>>

Relevant Pages

  • Re: Security issues with Win2003 and ASPNet app
    ... The event log says that the identity of my app pool is invalid. ... On the SQL Server I gave that account the appropriate permissions. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Kerberos Authentication Errors
    ... We're having an issue with Kerberos authentication for an ASP.NET app. ... up to run under a domain account instead of NETWORK SERVICE. ... Now we want to remove the domain user from the app pool and go back to ... server host/ourserver.ourdomain. ...
    (microsoft.public.inetserver.iis)
  • Re: Authentication on AS
    ... The actual NT account being used is the SQL service account. ... domain account in common with AS and the RDBMS machines. ... linked server from the RDBMS machine itself? ...
    (microsoft.public.sqlserver.olap)
  • Send SMTP mail permission problem
    ... domain account is assigned to the local administrator account. ... SMTP mail messages to be sent through an SMTP server, ... The machine "owner" user domain account can not run the custom application ...
    (microsoft.public.windowsxp.general)
  • Re: Sql Service Account Password not retained through reboots
    ... The server is a production server that was recently commissioned. ... The domain account is a dedicated account for this server. ...
    (microsoft.public.sqlserver.server)