By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
424,961 Members | 1,333 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,961 IT Pros & Developers. It's quick & easy.

App pool identity

P: n/a
I want to run a web-service under a custom (least required priveleged, but
with /some/ access) account -but all I get is service unavailable;

I have
* Created a new account
* Enabled logon as a service
* Added to the IIS_WPG group
* Ensured account has access to the relevant file system (read, list,
execute)
* Configured the app-pool to use the account

This doesn't fix it; even adding to the local administrators group doesn't
help! However, running as the local administrator account *does* work.

So! Any idea what step I have missed?

Marc
Mar 24 '06 #1
Share this Question
Share on Google+
3 Replies


P: n/a
I don't really know what the problem is at your end. But the general practice
is to use either Anonymous Access or Windows Authentication to a web service.

In your case, you are trying to use a different account because you want to
restrict that account to some files you're accessing on the file system. For
that, in the code that does the file system interaction, impersonate the user
account you created and use that account while reading/accessing the files.

That way, client to WS access remains with the IIS defaults and WS to file
access is controlled by the rights you have defined.

That might be a design you want to consider - relatively simpler to
configure and even more simpler to maintain if you wanted to move servers,
etc.

Regards,
Pandurang

--
blog: www.thinkingMS.com/pandurang
"Marc Gravell" wrote:
I want to run a web-service under a custom (least required priveleged, but
with /some/ access) account -but all I get is service unavailable;

I have
* Created a new account
* Enabled logon as a service
* Added to the IIS_WPG group
* Ensured account has access to the relevant file system (read, list,
execute)
* Configured the app-pool to use the account

This doesn't fix it; even adding to the local administrators group doesn't
help! However, running as the local administrator account *does* work.

So! Any idea what step I have missed?

Marc

Mar 24 '06 #2

P: n/a
Thank you for the input;
In your case, you are trying to use a different account because you want
to
restrict that account to some files you're accessing on the file system Actually, no we aren't; this is nothing to do with access to files (although
we are using the identity to provide access to the database, but that's a
few steps past the "Service Unavailable" failure).

All we are doing here is assigning identity to the app-pool to achieve a:
true application-isolation, b: allow for trusted access to the database, and
c: move the credentials outside of the visibility of the web application
(specifically, outside of web.config; even encrypted, the details are
transparent to anything inside the application).

Note that this should (by all accounts) work just fine; it has worked on
every server we have tried, and now it is failing as we attempt to implement
on the live system (d'oh!). Obviously something is breaking it, but we don't
know what (yet); a vanilla install with all patches, changes etc works fine.

Marc

"Pandurang Nayak" <pandurangATthinkingmsDOT(nospam)com> wrote in message
news:25**********************************@microsof t.com...I don't really know what the problem is at your end. But the general
practice
is to use either Anonymous Access or Windows Authentication to a web
service.

In your case, you are trying to use a different account because you want
to
restrict that account to some files you're accessing on the file system.
For
that, in the code that does the file system interaction, impersonate the
user
account you created and use that account while reading/accessing the
files.

That way, client to WS access remains with the IIS defaults and WS to file
access is controlled by the rights you have defined.

That might be a design you want to consider - relatively simpler to
configure and even more simpler to maintain if you wanted to move servers,
etc.

Regards,
Pandurang

--
blog: www.thinkingMS.com/pandurang
"Marc Gravell" wrote:
I want to run a web-service under a custom (least required priveleged,
but
with /some/ access) account -but all I get is service unavailable;

I have
* Created a new account
* Enabled logon as a service
* Added to the IIS_WPG group
* Ensured account has access to the relevant file system (read, list,
execute)
* Configured the app-pool to use the account

This doesn't fix it; even adding to the local administrators group
doesn't
help! However, running as the local administrator account *does* work.

So! Any idea what step I have missed?

Marc

Mar 27 '06 #3

P: n/a
For reference, I have found the answer to this... you simply [sic] uninstall
and reinstall IIS on each and every server... ;-/

Marc

"Marc Gravell" <ma**@nonesuch.com> wrote in message
news:eB**************@TK2MSFTNGP12.phx.gbl...
I want to run a web-service under a custom (least required priveleged, but
with /some/ access) account -but all I get is service unavailable;

I have
* Created a new account
* Enabled logon as a service
* Added to the IIS_WPG group
* Ensured account has access to the relevant file system (read, list,
execute)
* Configured the app-pool to use the account

This doesn't fix it; even adding to the local administrators group doesn't
help! However, running as the local administrator account *does* work.

So! Any idea what step I have missed?

Marc

Mar 27 '06 #4

This discussion thread is closed

Replies have been disabled for this discussion.