Re: Howto refresh IIS 6 Application pool identity credential info



Hi WenJun,

I've tried the 'invalidate' application pool trick I described below, but
that didn't help. I do see an authentication entry for the specified user in
the Security Event log, but it seems like it's just reusing the logon session
info:

Logon session info before invalidate:

[91] Logon session 00000000:080309d0:
User name: DEV\VtgOUser
Auth package: Kerberos
Logon type: Batch
Session: 0
Sid: S-1-5-21-1275210071-688789844-725345543-3948
Logon time: 13/02/2008 11:12:56
Logon server: DEVDC1
DNS Domain: DEV.DIGANT.ANTWERPEN.LOCAL
UPN:

Logon session info after invalidate and correct user (entry in Security Event
log):

[95] Logon session 00000000:080309d0:
User name: DEV\VtgOUser
Auth package: Kerberos
Logon type: Batch
Session: 0
Sid: S-1-5-21-1275210071-688789844-725345543-3948
Logon time: 13/02/2008 11:12:56
Logon server: DEVDC1
DNS Domain: DEV.DIGANT.ANTWERPEN.LOCAL
UPN:

--> nothing changed: same logon session ID, same logon time, ...

Logon session info after IISRESET:

[50] Logon session 00000000:08153dc4:
User name: DEV\VtgOUser
Auth package: Kerberos
Logon type: Batch
Session: 0
Sid: S-1-5-21-1275210071-688789844-725345543-3948
Logon time: 13/02/2008 11:47:58
Logon server: DEVDC1
DNS Domain: DEV.DIGANT.ANTWERPEN.LOCAL
UPN:


--> NEW logon session ID, new logon time --> all working fine.


So I think I need something like IISRESET but only for a specific
application pool/user. Any ideas?


Greetings,

Peter
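A check for exactly the question above, written as an added example (it is not code from this thread): it records the logon session behind a pool's w3wp.exe, recycles only that pool, sends one request so W3SVC starts a new worker, and reports whether the worker got a new logon session (fresh token, new password/group membership) or is still reusing the cached one. The pool name and probe URL are placeholders, and it assumes the IIS 6 WMI provider (root\MicrosoftIISv2) and administrative rights on the server.

```powershell
# Added example, not from the thread. Compare the w3wp.exe logon session of one
# IIS 6 application pool before and after a pool-only recycle.
param(
    [string]$PoolName = 'DefaultAppPool',     # placeholder: pool to check
    [string]$ProbeUrl = 'http://localhost/'   # placeholder: a URL served by that pool
)

function Get-WorkerLogonSessions {
    param([string]$Name)
    # IIS 6 starts each worker as:  w3wp.exe -ap "<PoolName>" ...
    $workers = Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" |
        Where-Object { $_.CommandLine -match ('-ap\s+"' + [regex]::Escape($Name) + '"') }
    foreach ($w in $workers) {
        # Win32_SessionProcess links a process to the logon session its token came from
        $q = "ASSOCIATORS OF {Win32_Process.Handle=""$($w.ProcessId)""} WHERE AssocClass=Win32_SessionProcess"
        foreach ($s in (Get-WmiObject -Query $q)) {
            New-Object PSObject -Property @{
                Pid       = $w.ProcessId
                LogonId   = '{0:x16}' -f [uint64]$s.LogonId   # same LUID logonsessions.exe prints in hex
                LogonType = $s.LogonType                      # 4 = Batch, as in the dumps above
                AuthPkg   = $s.AuthenticationPackage
                LogonTime = $s.ConvertToDateTime($s.StartTime)
            }
        }
    }
}

$before = @(Get-WorkerLogonSessions $PoolName)
"Before recycle:"; $before | Format-Table Pid, LogonId, LogonType, AuthPkg, LogonTime -AutoSize

# Recycle just this pool (IIS Manager > Recycle), NOT a full IISRESET
$pool = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPool `
        -Filter "Name='W3SVC/AppPools/$PoolName'"
[void]$pool.Recycle()

# W3SVC only starts the new worker on demand, so send one request and re-check
$null = (New-Object System.Net.WebClient).DownloadString($ProbeUrl)
Start-Sleep -Seconds 2
$after = @(Get-WorkerLogonSessions $PoolName)
"After recycle + request:"; $after | Format-Table Pid, LogonId, LogonType, AuthPkg, LogonTime -AutoSize

$oldIds = $before | ForEach-Object { $_.LogonId }
$reused = $after | Where-Object { $oldIds -contains $_.LogonId }
if ($after.Count -gt 0 -and $reused) {
    "Worker still runs under a cached logon session: password/group changes are NOT picked up yet."
} else {
    "Worker has a new logon session: the token was refreshed."
}
```

Run it once after a pool recycle and once after IISRESET to reproduce the two outcomes shown in the dumps above; a new LogonId and LogonTime only appear in the second case.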

"Peke" wrote:

Hello WenJun,

Sorry for the delay.
Thanks for enlightening me on the working of security in IIS 6.

I will try the following:
stop the application pool, change the password of the application pool
identity to an invalid value, start the application pool, make a request -->
app pool will get disabled, change the password of the application pool
identity to its original (valid) value, start the application pool, make a
request.

Will this solve the problem?
Or is there another way to do something like IISRESET but just for one
application pool (or account)?


About the domain user account as an application pool identity.

I know that using domain accounts is a problem. That's why we disabled the
Kerberos Authentication (changed Negotiate to NTLM).

I'll try to explain the reason why we are using domain accounts for the
application identity. Our applications (.NET) are built using a multilayered
architecture: UI, WebService, BusinessFacade, BusinessRules, DataAccess, ...
(Some newer applications use the new layers as proposed in Service Software
Factory (codeplex), but still the ASMX version). The applications have
application security based on roles and privileges (custom made) (comparable
to AzMan, which didn't exist at that time). What we are trying to achieve is to
have a 'simple' centralized security management model. We check the security
(privileges) in the 'business' part and we access the data store (DB, File
System, other WS, ...) with the identity of the application pool (= owner of
the W3WP.exe process) using Integrated Security. In other words: no end users
have to be managed to secure the data store(s) and we're using integrated
security (which is safe) to access the data store. Only Administrators
know/have access to the password of the application pool identity.

Is there a better way to achieve the same? (and solve the setspn stuff)
(perhaps .NET impersonation, but we don't want any credential info in the
config file).

Kind regards,

Peter






"WenJun Zhang[msft]" wrote:

Hi Peter,

What you detected should be an expected behavior. Have you also tried
accessing any resources on the web site after changing the application pool's
identity and restarting/recycling the pool? If so, you should see a logon
event with the changed credential when the new HTTP request arrives.
The fact is:

After we change a pool's identity, the custom user account's username and
password are simply encrypted and saved by IIS without any validation or
logon attempts. That's why you don't see the credential change immediately.
As soon as a new request to the corresponding web site which the AppPool
needs to serve comes in, the IIS W3SVC service will then start up a new worker
process (w3wp.exe - can be viewed in Task Manager or Process Explorer, etc.)
with the new identity. You should see the expected logon attempts at that
time.

The difference with IISRESET here is that when we restart the whole IIS services,
the startup process will try to test logon all the identity accounts to
check if all the usernames and passwords are valid. If not, IIS will disable
that pool.

Furthermore, a main problem of using a custom domain account as application
pool identity is that we must manually set up the SPN for Kerberos to work for
Integrated Windows authentication. Also, only one SPN (of the domain account)
can be set for the HTTP service on the server. Otherwise, you will need to use
NTLM.

871179: You receive an "HTTP Error 401.1 - Unauthorized: Access is denied
due to invalid credentials" error message when you try to access a Web site
that is part of an IIS 6.0 application pool
http://support.microsoft.com/default.aspx?scid=kb;EN-US;871179

I hope the above information helps. Please update here if you have any
further question.

Have a nice week.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
