Re: Howto refresh IIS 6 Application pool identity credential info

Can you explain why you want to dynamically change the security
permissions on the Application Pool Identity user?

The reason why SetSPN is failing is the same sort of logic behind why
you cannot dynamically change the security permissions on the
Application Pool Identity.

Imagine this scenario -- you have a web garden with lazy read (i.e.
don't recycle on config change) enabled, and you change permissions on
Application Pool Identity. *IF* things changed immediately, you end up
with w3wp.exe each with different security permissions and further
security implications.

Or in your scenario, what happens if two users which required
different permissions on the Application Pool Identity try to use the
same application served by the same application pool. The w3wp.exe can
only have one process identity, so one of those two users must wait
until the other is done -- not a good user experience.

Basically, we did not design for Process Identity changing on the fly
like that - we designed for thread impersonation to be changing on the
fly like that. The Process Identity is the base unit of isolation.
Impersonation is the base unit of functionality.

Is there anything that prevents you from using a single domain account
as Application Pool identity, and you dynamically impersonate
(depending on your application framework layer, this may be easy).
Because when you do that, SetSPN will also work against your single
fixed Application Pool identity, and I believe impersonation flows
outward on your next hop to the DB, FileSystem, etc.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Feb 25, 11:28 pm, Peke <p...@xxxxxxxxxxxxx> wrote:
Hello WenJun,

Thx for all the information.

Kind regards,

Peter



""WenJun Zhang[msft]"" wrote:
Hi Peter,

Definitely this has been out of the scope of IIS newsgroup.. Probably it
has something to do with the WM_QUERYENDSESSION and WM_ENDSESSION Windows
messages. You may take a look at:

Logging Off
http://msdn2.microsoft.com/en-us/library/aa376876(VS.85).aspx

Have a nice week.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.asp...
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.- Hide quoted text -

- Show quoted text -

.

Relevant Pages

  • Re: HWS - Cant browse HwsService.asmx
    ... I somewhat overlooked that you were using IIS 6 AppPools and assumed IIS 5 on XP - sorry about that.. ... The application pool identity should be the service user you selected for BizTalk HWS access when BizTalk was configured. ... You are right about your finding - the aspnet user may not have the read permissions it needs for the registry key. ...
    (microsoft.public.biztalk.general)
  • Re: Howto refresh IIS 6 Application pool identity credential info
    ... IIS is configured to use 'Integrated Security'. ... Application pool identity password is not available in code (and can't be ... permissions on the Application Pool Identity user? ... where an initial response from the community or a Microsoft Support ...
    (microsoft.public.inetserver.iis.security)
  • Exchange 2007: "Send As" [Anyone]
    ... I have an IIS 7.0 web server which sends mail on behalf of registered users ... Connector and, in turn, enabling the "Anonymous users" Permissions Group. ... the websites' application pool identity) to send as anyone - like a ... enabled and required and the websites can continue to use the default port 25 ...
    (microsoft.public.exchange.admin)
  • Re: Howto refresh IIS 6 Application pool identity credential info
    ... Only account A has access to database DB-A ... Application A and Application B have an application security based on Active ... The Pool identity is the one accessing the backend resources like ... We are 'investigating' the impersonation alternative. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Howto refresh IIS 6 Application pool identity credential info
    ... IIS is being consistent with security while what you are doing is not ... identity changes group membership to have Group1 and accesses data. ... Thus, to be secure, the process identity must be in ... IIS never allowed such behavior in Application Pool Identity (let's ...
    (microsoft.public.inetserver.iis.security)