Security issues with Win2003 and ASPNet app

[RichardF]

I have an ASP.NET Web Service and Web Site. It accesses a SQL
database for its data and retrieves images from another server.

There are 4 servers all running Win 2003 as follows...

1 - Domain Controller
2 - SQL Server
3 - IIS Server (runs Web Service and Web Site)
4 - File Server (stores all the image files)

I am having lots of issues with permissions because my Web Service is
running as a user under a LOCAL group IIS_WPG on the IIS Server and I
don't know how to give it the necessary permissions to access the SQL
Server and the Images on different machines.

I think what I need to do is create a Domain Account, give it the
appropriate permissions and then somehow get my Web Service to run
using that user account. I did try this using 'impersonate' but then
it appeared i didn't have permission to tun ASP.NET stuff!

Can anyone give me tips on how to accomplish this, or point me to a
resource that explains how I can accomplish this.

Thanks for any help

RichardF

 

[Dominick Baier [DevelopMentor]]

Hello RichardF,

you can configure the identity of your web service using the Application
Pool feature of IIS6.

Add a new AppPool - give it an identity (local or domain) - and add the web
service application to the AppPool (WebApp properties)

Add the account to IIS_WPG and give it access to \windows\microsoft.net\framework\v\temporary
asp.net files\ and \windows\temp

HTH

 

[RichardF]

Thanks for the help, I will give that a go. (Assuming I can figure
out how to add a App Pool!)

Once I do this, how do I then configure permssions on the SQL server
and Image server machines?

RichardF

 

[Dominick Baier [DevelopMentor]]

Hello RichardF,

if you are using a domain account - just give access to sql server for this
account / ntfs acls for your file server
if you are using a local account - recreate that account with same name/password
on the target machines and proceed as described (not the recommended solution
- you have to keep all those passwords in sync a.s.o.)

 

[RichardF]

After installing my web service and web site, they had already been
added to a default App Pool.

I right clicked the app pool, went to the identity tab and changed it
to use the domain user account I have created.

Then I added that domain user account to the IIS_WPG group.

When I try to access the web site/service from IE on another machine I
see my initial logon page but after entering a username/password IE
displays a Service Unavailable message.

Before I made the changes above, I would get an error indicating that
SQL had denied me access.

Did I miss something?

RichardF

 

[RichardF]

Actually it appears I now get Service Unavailable whenever I try to
access IIS on that machine, even the default root website.

 

[Dominick Baier [DevelopMentor]]

Hello RichardF,

check the event log! that's most of the time a password typo.

but the system log will give you more info.

otherwise change the default apppool back to network service - and try adding
a new migrating gradually your web apps to this new pool.

HTH

 

[RichardF]

The event log says that the identity of my app pool is invalid.

I created a domain account on the domain server.

On the SQL Server I gave that account the appropriate permissions.

On the IIS Server I set the identity of the app pool to use that
account.

What did I do wrong this time!!!

RichardF

(P.S. Thanks for the help so far - I am learning more that I thought I
wanted to!)

Hello RichardF,

check the event log! that's most of the time a password typo.

but the system log will give you more info.

otherwise change the default apppool back to network service - and try adding
a new migrating gradually your web apps to this new pool.

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Actually it appears I now get Service Unavailable whenever I try to
access IIS on that machine, even the default root website.

After installing my web service and web site, they had already been
added to a default App Pool.

I right clicked the app pool, went to the identity tab and changed it
to use the domain user account I have created.

Then I added that domain user account to the IIS_WPG group.

When I try to access the web site/service from IE on another machine
I see my initial logon page but after entering a username/password IE
displays a Service Unavailable message.

Before I made the changes above, I would get an error indicating that
SQL had denied me access.

Did I miss something?

RichardF

On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier [DevelopMentor]

Hello RichardF,

you can configure the identity of your web service using the
Application Pool feature of IIS6.

Add a new AppPool - give it an identity (local or domain) - and add
the web service application to the AppPool (WebApp properties)

Add the account to IIS_WPG and give it access to
\windows\microsoft.net\framework\v\temporary asp.net files\ and
\windows\temp

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
I have an ASP.NET Web Service and Web Site. It accesses a SQL
database for its data and retrieves images from another server.

There are 4 servers all running Win 2003 as follows...

1 - Domain Controller
2 - SQL Server
3 - IIS Server (runs Web Service and Web Site)
4 - File Server (stores all the image files)
I am having lots of issues with permissions because my Web Service
is
running as a user under a LOCAL group IIS_WPG on the IIS Server and
I
don't know how to give it the necessary permissions to access the
SQL
Server and the Images on different machines.
I think what I need to do is create a Domain Account, give it the
appropriate permissions and then somehow get my Web Service to run
using that user account. I did try this using 'impersonate' but
then it appeared i didn't have permission to tun ASP.NET stuff!

Can anyone give me tips on how to accomplish this, or point me to a
resource that explains how I can accomplish this.

Thanks for any help

RichardF

 

[Joe Kaplan \(MVP - ADSI\)]

Did you try logging in to the server with that domain account to be sure
that you have the credentials right and it can log on locally?

Joe K.

The event log says that the identity of my app pool is invalid.

I created a domain account on the domain server.

On the SQL Server I gave that account the appropriate permissions.

On the IIS Server I set the identity of the app pool to use that
account.

What did I do wrong this time!!!

RichardF

(P.S. Thanks for the help so far - I am learning more that I thought I
wanted to!)

Hello RichardF,

check the event log! that's most of the time a password typo.

but the system log will give you more info.

otherwise change the default apppool back to network service - and try
adding
a new migrating gradually your web apps to this new pool.

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Actually it appears I now get Service Unavailable whenever I try to
access IIS on that machine, even the default root website.

After installing my web service and web site, they had already been
added to a default App Pool.

I right clicked the app pool, went to the identity tab and changed it
to use the domain user account I have created.

Then I added that domain user account to the IIS_WPG group.

When I try to access the web site/service from IE on another machine
I see my initial logon page but after entering a username/password IE
displays a Service Unavailable message.

Before I made the changes above, I would get an error indicating that
SQL had denied me access.

Did I miss something?

RichardF

On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier [DevelopMentor]

Hello RichardF,

you can configure the identity of your web service using the
Application Pool feature of IIS6.

Add a new AppPool - give it an identity (local or domain) - and add
the web service application to the AppPool (WebApp properties)

Add the account to IIS_WPG and give it access to
\windows\microsoft.net\framework\v\temporary asp.net files\ and
\windows\temp

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
I have an ASP.NET Web Service and Web Site. It accesses a SQL
database for its data and retrieves images from another server.

There are 4 servers all running Win 2003 as follows...

1 - Domain Controller
2 - SQL Server
3 - IIS Server (runs Web Service and Web Site)
4 - File Server (stores all the image files)
I am having lots of issues with permissions because my Web Service
is
running as a user under a LOCAL group IIS_WPG on the IIS Server and
I
don't know how to give it the necessary permissions to access the
SQL
Server and the Images on different machines.
I think what I need to do is create a Domain Account, give it the
appropriate permissions and then somehow get my Web Service to run
using that user account. I did try this using 'impersonate' but
then it appeared i didn't have permission to tun ASP.NET stuff!

Can anyone give me tips on how to accomplish this, or point me to a
resource that explains how I can accomplish this.

Thanks for any help

RichardF

 

[Dominick Baier [DevelopMentor]]

Hello Joe,

and have you cleared "has to change password on first login" ??

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Did you try logging in to the server with that domain account to be
sure that you have the credentials right and it can log on locally?

Joe K.

The event log says that the identity of my app pool is invalid.

I created a domain account on the domain server.

On the SQL Server I gave that account the appropriate permissions.

On the IIS Server I set the identity of the app pool to use that
account.

What did I do wrong this time!!!

RichardF

(P.S. Thanks for the help so far - I am learning more that I thought
I wanted to!)

Hello RichardF,

check the event log! that's most of the time a password typo.

but the system log will give you more info.

otherwise change the default apppool back to network service - and
try
adding
a new migrating gradually your web apps to this new pool.
HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Actually it appears I now get Service Unavailable whenever I try to
access IIS on that machine, even the default root website.

After installing my web service and web site, they had already
been added to a default App Pool.

I right clicked the app pool, went to the identity tab and changed
it to use the domain user account I have created.

Then I added that domain user account to the IIS_WPG group.

When I try to access the web site/service from IE on another
machine I see my initial logon page but after entering a
username/password IE displays a Service Unavailable message.

Before I made the changes above, I would get an error indicating
that SQL had denied me access.

Did I miss something?

RichardF

On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier [DevelopMentor]

Hello RichardF,

you can configure the identity of your web service using the
Application Pool feature of IIS6.

Add a new AppPool - give it an identity (local or domain) - and
add the web service application to the AppPool (WebApp
properties)

Add the account to IIS_WPG and give it access to
\windows\microsoft.net\framework\v\temporary asp.net files\ and
\windows\temp

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
I have an ASP.NET Web Service and Web Site. It accesses a SQL
database for its data and retrieves images from another server.

There are 4 servers all running Win 2003 as follows...

1 - Domain Controller
2 - SQL Server
3 - IIS Server (runs Web Service and Web Site)
4 - File Server (stores all the image files)
I am having lots of issues with permissions because my Web
Service
is
running as a user under a LOCAL group IIS_WPG on the IIS Server
and
I
don't know how to give it the necessary permissions to access
the
SQL
Server and the Images on different machines.
I think what I need to do is create a Domain Account, give it
the
appropriate permissions and then somehow get my Web Service to
run
using that user account. I did try this using 'impersonate' but
then it appeared i didn't have permission to tun ASP.NET stuff!
Can anyone give me tips on how to accomplish this, or point me
to a resource that explains how I can accomplish this.

Thanks for any help

RichardF

 

[RichardF]

Logging in works OK, the user and password are OK, but I think I
messed up the password before.

I made sure it is OK now.

So, my web service and web site are in their own app group. It's
identity is set to the domain user.

Now, when I try to access the web site from the IIS machine (where it
is hosted) I get a message saying "File or assembly name XXX.dll, or
one of its dependencies, was not found"

Each time i refresh the page the name XXX.dll changes.

Help!

RichardF

Hello Joe,

and have you cleared "has to change password on first login" ??

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Did you try logging in to the server with that domain account to be
sure that you have the credentials right and it can log on locally?

Joe K.

The event log says that the identity of my app pool is invalid.

I created a domain account on the domain server.

On the SQL Server I gave that account the appropriate permissions.

On the IIS Server I set the identity of the app pool to use that
account.

What did I do wrong this time!!!

RichardF

(P.S. Thanks for the help so far - I am learning more that I thought
I wanted to!)

On Thu, 28 Apr 2005 12:23:14 -0700, Dominick Baier [DevelopMentor]

Hello RichardF,

check the event log! that's most of the time a password typo.

but the system log will give you more info.

otherwise change the default apppool back to network service - and
try
adding
a new migrating gradually your web apps to this new pool.
HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Actually it appears I now get Service Unavailable whenever I try to
access IIS on that machine, even the default root website.

After installing my web service and web site, they had already
been added to a default App Pool.

I right clicked the app pool, went to the identity tab and changed
it to use the domain user account I have created.

Then I added that domain user account to the IIS_WPG group.

When I try to access the web site/service from IE on another
machine I see my initial logon page but after entering a
username/password IE displays a Service Unavailable message.

Before I made the changes above, I would get an error indicating
that SQL had denied me access.

Did I miss something?

RichardF

On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier [DevelopMentor]

Hello RichardF,

you can configure the identity of your web service using the
Application Pool feature of IIS6.

Add a new AppPool - give it an identity (local or domain) - and
add the web service application to the AppPool (WebApp
properties)

Add the account to IIS_WPG and give it access to
\windows\microsoft.net\framework\v\temporary asp.net files\ and
\windows\temp

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
I have an ASP.NET Web Service and Web Site. It accesses a SQL
database for its data and retrieves images from another server.

There are 4 servers all running Win 2003 as follows...

1 - Domain Controller
2 - SQL Server
3 - IIS Server (runs Web Service and Web Site)
4 - File Server (stores all the image files)
I am having lots of issues with permissions because my Web
Service
is
running as a user under a LOCAL group IIS_WPG on the IIS Server
and
I
don't know how to give it the necessary permissions to access
the
SQL
Server and the Images on different machines.
I think what I need to do is create a Domain Account, give it
the
appropriate permissions and then somehow get my Web Service to
run
using that user account. I did try this using 'impersonate' but
then it appeared i didn't have permission to tun ASP.NET stuff!
Can anyone give me tips on how to accomplish this, or point me
to a resource that explains how I can accomplish this.

Thanks for any help

RichardF

 

[Dominick Baier [DevelopMentor]]

Hello RichardF,

make sure the account your worker process runs under hat full control to

\windows\micrsosoft.net\framework\v1.x\tempory asp.net files
\windows\temp

the account is in the IIS_WPG group?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Logging in works OK, the user and password are OK, but I think I
messed up the password before.

I made sure it is OK now.

So, my web service and web site are in their own app group. It's
identity is set to the domain user.

Now, when I try to access the web site from the IIS machine (where it
is hosted) I get a message saying "File or assembly name XXX.dll, or
one of its dependencies, was not found"

Each time i refresh the page the name XXX.dll changes.

Help!

RichardF

Hello Joe,

and have you cleared "has to change password on first login" ??

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Did you try logging in to the server with that domain account to be
sure that you have the credentials right and it can log on locally?

Joe K.

The event log says that the identity of my app pool is invalid.

I created a domain account on the domain server.

On the SQL Server I gave that account the appropriate permissions.

On the IIS Server I set the identity of the app pool to use that
account.

What did I do wrong this time!!!

RichardF

(P.S. Thanks for the help so far - I am learning more that I
thought I wanted to!)

On Thu, 28 Apr 2005 12:23:14 -0700, Dominick Baier [DevelopMentor]

Hello RichardF,

check the event log! that's most of the time a password typo.

but the system log will give you more info.

otherwise change the default apppool back to network service - and
try
adding
a new migrating gradually your web apps to this new pool.
HTH
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Actually it appears I now get Service Unavailable whenever I try
to access IIS on that machine, even the default root website.

After installing my web service and web site, they had already
been added to a default App Pool.

I right clicked the app pool, went to the identity tab and
changed it to use the domain user account I have created.

Then I added that domain user account to the IIS_WPG group.

When I try to access the web site/service from IE on another
machine I see my initial logon page but after entering a
username/password IE displays a Service Unavailable message.

Before I made the changes above, I would get an error indicating
that SQL had denied me access.

Did I miss something?

RichardF

On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier

Hello RichardF,

you can configure the identity of your web service using the
Application Pool feature of IIS6.

Add a new AppPool - give it an identity (local or domain) - and
add the web service application to the AppPool (WebApp
properties)

Add the account to IIS_WPG and give it access to
\windows\microsoft.net\framework\v\temporary asp.net files\ and
\windows\temp

HTH

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
I have an ASP.NET Web Service and Web Site. It accesses a
SQL database for its data and retrieves images from another
server.

There are 4 servers all running Win 2003 as follows...

1 - Domain Controller
2 - SQL Server
3 - IIS Server (runs Web Service and Web Site)
4 - File Server (stores all the image files)
I am having lots of issues with permissions because my Web
Service
is
running as a user under a LOCAL group IIS_WPG on the IIS
Server
and
I
don't know how to give it the necessary permissions to access
the
SQL
Server and the Images on different machines.
I think what I need to do is create a Domain Account, give it
the
appropriate permissions and then somehow get my Web Service to
run
using that user account. I did try this using 'impersonate'
but
then it appeared i didn't have permission to tun ASP.NET
stuff!
Can anyone give me tips on how to accomplish this, or point me
to a resource that explains how I can accomplish this.
Thanks for any help

RichardF