Re: IIS6 Network Service Identity - when needed?
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 02/03/05
Date: Wed, 2 Feb 2005 21:32:51 -0800

I would think that the developer of the application should hand you the
requirements -- not you retroactively trying to reverse-engineer the
requirements of the application. I say this because even if the complete
checklist exists, you are STILL not guaranteed to get the application to
work. So, such a list is quite useless from a .Net perspective.

This is because an application's permissions are something that a developer
designs into the application -- not you retroactively trying to infer the
design.

In looking at your other thread, the Application Pool reporting 0xFFFFFFFF
as the error code indicates that the worker process failed to load -- likely
.Net failing to start due to some reason -- will have to troubleshoot the
application layer to determine this. Right now, it is the application
failing to start due to a missing (security) dependency.

Bottom line: it is the application's responsibility to declare extra
privileges that it needs... it is never the server's responsibility to tell
you "hey I'm missing this privilege".

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Joe Krings" <krinjp@jea.com> wrote in message
news:%23P5T0QWCFHA.1936@TK2MSFTNGP14.phx.gbl...
> Per MS recommendations, attempting to run IIS6 DefaultAppPool with
> "Network Service" identity. For the 1st app I've installed on IIS6, that's
> resulting in "Service Unavailable" error (the server is not a domain
> controller). Following other docs found on this topic have not resolved
> the problem.
>
> At the moment stuck and looking for an analytical work-around. Now, trying
> to determine the necessary Identity required (and set up corresponding app
> pools) based on the characteristics of the .Net code. That is, if an app
> makes use of certain specific calls, I'll know it can/can't run with the
> Network Service identity.
>
> This link
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbconaccesspermissionsforwebapplications.asp
> makes reference to such a call, System.Diagnostics (see article excerpt
> under dashed line below). My question is, does a comprehensive list exist
> of other calls/usages, enumerating things like System.Diagnostics, that
> can be used as a checklist to verify what identity an app is capable of
> running under - ala "Can this app run under Network Service pool -
> yes/no"?
>
> Thanks.
> Joe
>
> ---------------------------------------------------------
> There are some resources that you cannot by default access using the
> default user context, because they require access to resources that need
> administrative-level privileges. For example, if your application needs to
> create a new event log category using methods in the System.Diagnostics
> namespace, it cannot do so if it is running in the context of the ASPNET
> or NETWORK SERVICE user.