401 if AppPool is not Network Service

Discussion in 'ASP .Net Security' started by redcrystal@msn.com, Mar 23, 2006.

  1. Guest

    My setup:
    Windows 2003 Servers, IIS 6.0. There have almost certainly been
    adjustments to the configuration performed by the IT group that
    provisions these, but I don't have complete details on what they did.
    Visual Studio 2003, .NET 1.1.

    I created two web services, Ping and PingAuth. I put both applications
    into the same App Pool, named PingPool. In IIS, I allow anonymous users
    to access Ping, but only Integrated Windows authentication allowed to

    In both Ping and PingAuth's web.config files, I set:
    <authentication mode="Windows" />
    <authorization><allow users="*" /></authorization>
    <identity impersonate="false" />

    (I know that impersonation defaults to false, but just so you can see

    I am in the Administrators group on the IIS 6 box.

    Here's the scenario. If I use IIS 6 to set the identity for the
    application pool (PingPool) to a domain account (a faceless service
    account, in my test), then, even if I do not access any other resources
    (not even on the same box), I get a 401 error on the PingAuth service,
    even when I just try to open the project in Visual Studio or browse to
    the Service1.asmx page. IE will present a login dialog, but even if I
    supply my proper credentials, it will not log me in. Similarly, a web
    service client proxy fails to access the web service. I do not get a
    401 error on the anonymous-enabled project, Ping.

    However, if I reset the PingPool application pool's identity to Network
    Service, and then change the web.config files for both Ping and
    PingAuth to impersonate the service account, everything runs
    beautifully. Only authenticated users are allowed in, and I can
    identify them properly using Context.User or Thread.CurrentPrincipal,
    while WindowsIdentity.GetCurrent() identifies the impersonated service

    Is there a Windows 2003 privilege that I need to set for the service
    account so that I can set it to be the identity of the application
    pool? I'd rather not have the password for the service account hanging
    around in the web.config file, nor stored in the source code, and I'm
    too lazy to mess with storing it securely in web.config or in code,
    when just setting the application pool identity should work.

    , Mar 23, 2006

  2. AlanM

    AlanM Guest

    One more thing: The service account IS in the IIS_WPG group.
    AlanM, Mar 23, 2006

  3. AlanM

    AlanM Guest

    Other things I've checked:
    The service account DOES have the "Log on as a service" privilege (in
    Local Security Settings > User Rights Assignment)
    The IIS_WPG group DOES have the "Impersonate a client after
    authentication" privilege.
    AlanM, Mar 23, 2006
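
A small diagnostic web method, added here as an example and not code from the thread, that reports the three identities the first post compares (Context.User, Thread.CurrentPrincipal and WindowsIdentity.GetCurrent()) so the effect of a given app pool identity and impersonate setting can be confirmed; the class and namespace names are hypothetical and it targets the .NET 1.1 API surface the poster is on. When IIS rejects the request with a 401 before ASP.NET runs, as with PingAuth in the failing setup, this method never executes, so it is for comparing identities under a configuration that does admit the caller.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web.Services;

// Hypothetical result type (added example); public fields serialize via XmlSerializer.
public class IdentityReport
{
    public string ContextUser;        // Context.User: the authenticated caller (empty when anonymous)
    public string ThreadPrincipal;    // Thread.CurrentPrincipal: normally the same principal
    public string WindowsToken;       // WindowsIdentity.GetCurrent(): the token the code actually runs under
    public string AuthenticationType; // e.g. Negotiate/NTLM for Integrated Windows authentication
    public bool IsAuthenticated;
    public bool CallerMatchesToken;   // true only when requests are impersonating the caller
}

// Hypothetical service, e.g. deployed as WhoAmI.asmx beside Service1.asmx in PingAuth.
[WebService(Namespace = "http://example.invalid/whoami")]
public class WhoAmI : WebService
{
    [WebMethod]
    public IdentityReport Report()
    {
        IdentityReport r = new IdentityReport();
        IPrincipal ctx = Context.User;

        r.ContextUser = (ctx == null) ? "(null)" : ctx.Identity.Name;
        r.AuthenticationType = (ctx == null) ? "(none)" : ctx.Identity.AuthenticationType;
        r.IsAuthenticated = (ctx != null) && ctx.Identity.IsAuthenticated;
        r.ThreadPrincipal = Thread.CurrentPrincipal.Identity.Name;

        // With <identity impersonate="true" userName=... /> this is the fixed service account;
        // with impersonate="false" it is the application pool identity.
        r.WindowsToken = WindowsIdentity.GetCurrent().Name;

        // String.Compare with ignoreCase keeps this on the .NET 1.1 API.
        r.CallerMatchesToken = r.IsAuthenticated
            && String.Compare(r.ContextUser, r.WindowsToken, true) == 0;
        return r;
    }
}
```

In the working setup the poster describes (pool as Network Service, web.config impersonating the service account), ContextUser holds the caller and WindowsToken the service account, and CallerMatchesToken stays false.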
