Re: Howto refresh IIS 6 Application pool identity credential info



Hello David,

Sorry for the delay.

I'll try to explain how our applications work.

We develop .NET applications using a multi-tier layered architecture (UI, Webservice, ...).
We've built our own application security, comparable to AzMan, which wasn't
available at that time (Windows 2000 Active Directory); it is based on roles
and privileges.

IIS (6) is configured to use 'Integrated Security'.

Basically: users are put in a group (or removed from it if they no longer need
access) that has Read rights on the filesystem where the IIS virtual
directory (or IIS virtual server) is pointing to.

The user's privileges are checked in the business part (Business Facade),
and from that point the application pool identity (a domain user) is used to
access the data store(s).
That 'data store' can also be another WebService (Service Agent).
--> this is where the problem is: the application pool identity becomes
a member of another group to get access to the other application. But the
security context is only 'refreshed' after IISRESET.

A few reasons why we do it that way:
- Easy security maintenance on the data store (only the application pool
account needs the necessary rights).
- A developer doesn't have to do anything special in code.
- The application pool identity password is not available in code (and can't be
misused; if we used impersonation - using a config file or in code - then
the password would be available).

I hope this makes sense.

Do you have any suggestions?

Kind regards,

Peter

P.S. You mentioned something about 'lazy read', no recycle on config change,
how is this done ?



"David Wang" wrote:

Can you explain why you want to dynamically change the security
permissions on the Application Pool Identity user?

The reason why SetSPN is failing is the same sort of logic behind why
you cannot dynamically change the security permissions on the
Application Pool Identity.

Imagine this scenario -- you have a web garden with lazy read (i.e.
don't recycle on config change) enabled, and you change permissions on
Application Pool Identity. *IF* things changed immediately, you end up
with w3wp.exe each with different security permissions and further
security implications.

Or in your scenario, what happens if two users who require
different permissions on the Application Pool Identity try to use the
same application served by the same application pool? The w3wp.exe can
only have one process identity, so one of those two users must wait
until the other is done -- not a good user experience.

Basically, we did not design for Process Identity changing on the fly
like that - we designed for thread impersonation to be changing on the
fly like that. The Process Identity is the base unit of isolation.
Impersonation is the base unit of functionality.

Is there anything that prevents you from using a single domain account
as the Application Pool identity and dynamically impersonating
(depending on your application framework layer, this may be easy)?
Because when you do that, SetSPN will also work against your single
fixed Application Pool identity, and I believe impersonation flows
outward on your next hop to the DB, FileSystem, etc.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Feb 25, 11:28 pm, Peke <p...@xxxxxxxxxxxxx> wrote:
Hello WenJun,

Thx for all the information.

Kind regards,

Peter



"WenJun Zhang[msft]" wrote:
Hi Peter,

Definitely this is out of the scope of the IIS newsgroup. Probably it
has something to do with the WM_QUERYENDSESSION and WM_ENDSESSION Windows
messages. You may take a look at:

Logging Off
http://msdn2.microsoft.com/en-us/library/aa376876(VS.85).aspx

Have a nice week.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.asp...
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.


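The arrangement David recommends above (one fixed domain account as the application pool identity, with the Windows-authenticated caller impersonated on the worker thread for the duration of the back-end call) as an added C# example; this is not code from the thread or from Peter's application, and the names CallerContext, RunAsCaller, CallerWork and EffectiveGroups are hypothetical. Impersonating the caller this way reuses the token IIS already holds for the request under Integrated Security, so no password sits in a config file or in code.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

// Added example (not from the thread). Hypothetical helper for an ASP.NET
// business facade running in a pool whose identity is a fixed domain account.
public delegate T CallerWork<T>();

public static class CallerContext
{
    // Run 'work' on the current thread under the Windows token of the
    // authenticated caller, then revert to the application pool identity.
    public static T RunAsCaller<T>(HttpContext ctx, CallerWork<T> work)
    {
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
            throw new UnauthorizedAccessException(
                "Integrated Windows authentication is required for this call.");

        // Impersonate() swaps the *thread* token only; w3wp.exe keeps its
        // process identity, which is the unit IIS isolates on.
        using (WindowsImpersonationContext ic = caller.Impersonate())
        {
            return work();
        }
        // Dispose() calls Undo(): the thread is back to the pool identity
        // even if 'work' throws.
    }

    // Diagnostic: group names in the token currently in effect on this
    // thread. A token is a snapshot taken at logon, so a group added to an
    // account in Active Directory appears only after that account logs on
    // again (for the pool identity: after the pool is recycled or IISRESET).
    public static List<string> EffectiveGroups()
    {
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        List<string> names = new List<string>();
        foreach (IdentityReference sid in current.Groups)
        {
            try
            {
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                names.Add(sid.Value); // SID with no resolvable name
            }
        }
        names.Sort();
        return names;
    }
}

// Use from the business facade after the application's own role check
// (hypothetical call site):
//
//   List<string> groups = CallerContext.RunAsCaller(HttpContext.Current,
//       delegate { return CallerContext.EffectiveGroups(); });
//
// Compare the result with the pool identity's own groups (EffectiveGroups()
// called outside RunAsCaller) to see which token a back-end call will carry.
```

Two caveats a practitioner will want alongside this. First, the impersonated caller token is a network logon without credentials: it reaches the local file system and local resources, but a hop to a database or a web service on another machine under the caller's name only works once Kerberos delegation is configured for the fixed pool account, which is exactly why David ties this to SetSPN on that single identity. Second, the snapshot behaviour applies to the caller's token as well: a user added to a group must log on again before the new membership is in the token that IIS receives.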
