Security issues with Win2003 and ASPNet app

Discussion in 'ASP .Net Security' started by RichardF, Apr 28, 2005.

  1. RichardF

    RichardF Guest

    I have an ASP.NET Web Service and Web Site. It accesses a SQL
    database for its data and retrieves images from another server.

    There are 4 servers all running Win 2003 as follows...

    1 - Domain Controller
    2 - SQL Server
    3 - IIS Server (runs Web Service and Web Site)
    4 - File Server (stores all the image files)

    I am having lots of issues with permissions because my Web Service is
    running as a user under a LOCAL group IIS_WPG on the IIS Server and I
    don't know how to give it the necessary permissions to access the SQL
    Server and the Images on different machines.

    I think what I need to do is create a Domain Account, give it the
    appropriate permissions and then somehow get my Web Service to run
    using that user account. I did try this using 'impersonate' but then
    it appeared I didn't have permission to run ASP.NET stuff!

    Can anyone give me tips on how to accomplish this, or point me to a
    resource that explains how I can accomplish this.

    Thanks for any help

    RichardF
     
    RichardF, Apr 28, 2005
    #1

  2. Hello RichardF,

    you can configure the identity of your web service using the Application
    Pool feature of IIS6.

    Add a new AppPool - give it an identity (local or domain) - and add the web
    service application to the AppPool (WebApp properties)

    Add the account to IIS_WPG and give it access to
    \windows\microsoft.net\framework\v\temporary asp.net files\ and \windows\temp

    HTH

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Apr 28, 2005
    #2

  3. RichardF

    RichardF Guest

    Thanks for the help, I will give that a go. (Assuming I can figure
    out how to add an App Pool!)

    Once I do this, how do I then configure permissions on the SQL server
    and Image server machines?

    RichardF


     
    RichardF, Apr 28, 2005
    #3
  4. Hello RichardF,

    if you are using a domain account - just give access to sql server for this
    account / ntfs acls for your file server
    if you are using a local account - recreate that account with same name/password
    on the target machines and proceed as described (not the recommended solution
    - you have to keep all those passwords in sync a.s.o.)

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Apr 28, 2005
    #4
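
The steps from replies #2 and #4, collected into one script as an added example (it was not posted by anyone in the thread). The account, pool, application path, server, database and folder names are placeholders, the framework folder version is left as a placeholder because the thread does not give it, and the permission levels granted (change on the temp folders, read on the images, db_datareader in SQL) are assumptions to adjust to what the application needs.

```bat
@echo off
rem Added example, not from the thread. Usage: setup.cmd iis | sql | files
rem Run each part as an administrator on the machine named in its section.
rem All names below are placeholders (assumptions), not values from the thread.
setlocal
set ACCT=EXAMPLE\svc_web
set POOL=WebSvcPool
set APP=w3svc/1/root/MyWebService
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
rem The thread gives the framework folder only as "v..."; fill in the installed version.
set FXDIR=%windir%\Microsoft.NET\Framework\vX.Y.ZZZZ
set SQLSRV=SQLSRV01
set DB=AppDb
set IMGDIR=D:\Images

if /i "%~1"=="iis"   goto iis
if /i "%~1"=="sql"   goto sql
if /i "%~1"=="files" goto files
echo Usage: %~nx0 iis ^| sql ^| files
exit /b 1

:iis
rem --- On the IIS 6 server -------------------------------------------------
rem The password is echoed while typed and passed on a command line; run this
rem from a console nobody else can see. A mistyped password here shows up
rem later as "Service Unavailable" plus an identity error in the System log.
set /p PW=Password for %ACCT% (echoed): 
rem New application pool running as a specific user (AppPoolIdentityType 3).
cscript //nologo "%ADSUTIL%" CREATE w3svc/AppPools/%POOL% IIsApplicationPool
cscript //nologo "%ADSUTIL%" SET w3svc/AppPools/%POOL%/WamUserName "%ACCT%"
cscript //nologo "%ADSUTIL%" SET w3svc/AppPools/%POOL%/WamUserPass "%PW%"
cscript //nologo "%ADSUTIL%" SET w3svc/AppPools/%POOL%/AppPoolIdentityType 3
rem Move only this application into the new pool; DefaultAppPool stays on
rem Network Service, so a bad credential cannot take down the other sites.
cscript //nologo "%ADSUTIL%" SET %APP%/AppPoolId "%POOL%"
rem Worker-process group membership, then the two folders named in reply #2.
net localgroup IIS_WPG "%ACCT%" /add
cacls "%FXDIR%\Temporary ASP.NET Files" /T /E /G %ACCT%:C
cacls "%windir%\Temp" /E /G %ACCT%:C
goto :eof

:sql
rem --- Against the SQL Server (Windows authentication) ---------------------
rem The pool identity is what SQL Server sees only if the application connects
rem with integrated security and does not impersonate the caller.
osql -E -S %SQLSRV% -Q "EXEC sp_grantlogin N'%ACCT%'"
osql -E -S %SQLSRV% -d %DB% -Q "EXEC sp_grantdbaccess N'%ACCT%'"
osql -E -S %SQLSRV% -d %DB% -Q "EXEC sp_addrolemember N'db_datareader', N'%ACCT%'"
goto :eof

:files
rem --- On the file server: read-only NTFS access to the image folder -------
cacls "%IMGDIR%" /T /E /G %ACCT%:R
goto :eof
```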
  5. RichardF

    RichardF Guest

    After installing my web service and web site, they had already been
    added to a default App Pool.

    I right clicked the app pool, went to the identity tab and changed it
    to use the domain user account I have created.

    Then I added that domain user account to the IIS_WPG group.

    When I try to access the web site/service from IE on another machine I
    see my initial logon page but after entering a username/password IE
    displays a Service Unavailable message.

    Before I made the changes above, I would get an error indicating that
    SQL had denied me access.

    Did I miss something?

    RichardF


     
    RichardF, Apr 28, 2005
    #5
  6. RichardF

    RichardF Guest

    Actually it appears I now get Service Unavailable whenever I try to
    access IIS on that machine, even the default root website.



     
    RichardF, Apr 28, 2005
    #6
  7. Hello RichardF,

    check the event log! that's most of the time a password typo.

    but the system log will give you more info.

    otherwise change the default apppool back to network service - and try adding
    a new one, gradually migrating your web apps to this new pool.

    HTH

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Apr 28, 2005
    #7
  8. RichardF

    RichardF Guest

    The event log says that the identity of my app pool is invalid.

    I created a domain account on the domain server.

    On the SQL Server I gave that account the appropriate permissions.

    On the IIS Server I set the identity of the app pool to use that
    account.

    What did I do wrong this time!!!

    RichardF

    (P.S. Thanks for the help so far - I am learning more than I thought I
    wanted to!)


     
    RichardF, Apr 28, 2005
    #8
  9. Did you try logging in to the server with that domain account to be sure
    that you have the credentials right and it can log on locally?

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Apr 28, 2005
    #9
  10. Hello Joe,

    and have you cleared "has to change password on first login" ??

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Apr 29, 2005
    #10
  11. RichardF

    RichardF Guest

    Logging in works OK, the user and password are OK, but I think I
    messed up the password before.

    I made sure it is OK now.

    So, my web service and web site are in their own app group. Its
    identity is set to the domain user.

    Now, when I try to access the web site from the IIS machine (where it
    is hosted) I get a message saying "File or assembly name XXX.dll, or
    one of its dependencies, was not found"

    Each time I refresh the page the name XXX.dll changes.

    Help!

    RichardF


    On Thu, 28 Apr 2005 23:00:43 -0700, Dominick Baier [DevelopMentor]
    <> wrote:

    >Hello Joe,
    >
    >and have you cleared "has to change password on first login" ??
    >
    >---------------------------------------
    >Dominick Baier - DevelopMentor
    >http://www.leastprivilege.com
    >
    >> Did you try logging in to the server with that domain account to be
    >> sure that you have the credentials right and it can log on locally?
    >>
    >> Joe K.
    >>
    >> "RichardF" <> wrote in message
    >> news:...
    >>
    >>> The event log says that the identity of my app pool is invalid.
    >>>
    >>> I created a domain account on the domain server.
    >>>
    >>> On the SQL Server I gave that account the appropriate permissions.
    >>>
    >>> On the IIS Server I set the identity of the app pool to use that
    >>> account.
    >>>
    >>> What did I do wrong this time!!!
    >>>
    >>> RichardF
    >>>
    >>> (P.S. Thanks for the help so far - I am learning more that I thought
    >>> I wanted to!)
    >>>
    >>> On Thu, 28 Apr 2005 12:23:14 -0700, Dominick Baier [DevelopMentor]
    >>> <> wrote:
    >>>
    >>>> Hello RichardF,
    >>>>
    >>>> check the event log! that's most of the time a password typo.
    >>>>
    >>>> but the system log will give you more info.
    >>>>
    >>>> otherwise change the default apppool back to network service - and
    >>>> try
    >>>> adding
    >>>> a new migrating gradually your web apps to this new pool.
    >>>> HTH
    >>>>
    >>>> ---------------------------------------
    >>>> Dominick Baier - DevelopMentor
    >>>> http://www.leastprivilege.com
    >>>>> Actually it appears I now get Service Unavailable whenever I try to
    >>>>> access IIS on that machine, even the default root website.
    >>>>>
    >>>>> On Thu, 28 Apr 2005 14:10:53 -0500, RichardF <>
    >>>>> wrote:
    >>>>>
    >>>>>> After installing my web service and web site, they had already
    >>>>>> been added to a default App Pool.
    >>>>>>
    >>>>>> I right clicked the app pool, went to the identity tab and changed
    >>>>>> it to use the domain user account I have created.
    >>>>>>
    >>>>>> Then I added that domain user account to the IIS_WPG group.
    >>>>>>
    >>>>>> When I try to access the web site/service from IE on another
    >>>>>> machine I see my initial logon page but after entering a
    >>>>>> username/password IE displays a Service Unavailable message.
    >>>>>>
    >>>>>> Before I made the changes above, I would get an error indicating
    >>>>>> that SQL had denied me access.
    >>>>>>
    >>>>>> Did I miss something?
    >>>>>>
    >>>>>> RichardF
    >>>>>>
    >>>>>> On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier [DevelopMentor]
    >>>>>> <> wrote:
    >>>>>>
    >>>>>>> Hello RichardF,
    >>>>>>>
    >>>>>>> you can configure the identity of your web service using the
    >>>>>>> Application Pool feature of IIS6.
    >>>>>>>
    >>>>>>> Add a new AppPool - give it an identity (local or domain) - and
    >>>>>>> add the web service application to the AppPool (WebApp
    >>>>>>> properties)
    >>>>>>>
    >>>>>>> Add the account to IIS_WPG and give it access to
    >>>>>>> \windows\microsoft.net\framework\v\temporary asp.net files\ and
    >>>>>>> \windows\temp
    >>>>>>>
    >>>>>>> HTH
    >>>>>>>
    >>>>>>> ---------------------------------------
    >>>>>>> Dominick Baier - DevelopMentor
    >>>>>>> http://www.leastprivilege.com
    >>>>>>>> I have an ASP.NET Web Service and Web Site. It accesses a SQL
    >>>>>>>> database for its data and retrieves images from another server.
    >>>>>>>>
    >>>>>>>> There are 4 servers all running Win 2003 as follows...
    >>>>>>>>
    >>>>>>>> 1 - Domain Controller
    >>>>>>>> 2 - SQL Server
    >>>>>>>> 3 - IIS Server (runs Web Service and Web Site)
    >>>>>>>> 4 - File Server (stores all the image files)
    >>>>>>>>
    >>>>>>>> I am having lots of issues with permissions because my Web
    >>>>>>>> Service is running as a user under a LOCAL group IIS_WPG on the
    >>>>>>>> IIS Server and I don't know how to give it the necessary
    >>>>>>>> permissions to access the SQL Server and the Images on different
    >>>>>>>> machines.
    >>>>>>>>
    >>>>>>>> I think what I need to do is create a Domain Account, give it
    >>>>>>>> the appropriate permissions and then somehow get my Web Service
    >>>>>>>> to run using that user account. I did try this using
    >>>>>>>> 'impersonate' but then it appeared I didn't have permission to
    >>>>>>>> run ASP.NET stuff!
    >>>>>>>>
    >>>>>>>> Can anyone give me tips on how to accomplish this, or point me
    >>>>>>>> to a resource that explains how I can accomplish this.
    >>>>>>>>
    >>>>>>>> Thanks for any help
    >>>>>>>>
    >>>>>>>> RichardF
    >>>>>>>>

    >
    >
     
    RichardF, Apr 29, 2005
    #11
  12. Hello RichardF,

    make sure the account your worker process runs under has full control to

    \windows\microsoft.net\framework\v1.x\temporary asp.net files
    \windows\temp

    the account is in the IIS_WPG group?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Logging in works OK, the user and password are OK, but I think I
    > messed up the password before.
    >
    > I made sure it is OK now.
    >
    > So, my web service and web site are in their own app group. Its
    > identity is set to the domain user.
    >
    > Now, when I try to access the web site from the IIS machine (where it
    > is hosted) I get a message saying "File or assembly name XXX.dll, or
    > one of its dependencies, was not found"
    >
    > Each time I refresh the page the name XXX.dll changes.
    >
    > Help!
    >
    > RichardF
    >
    > On Thu, 28 Apr 2005 23:00:43 -0700, Dominick Baier [DevelopMentor]
    > <> wrote:
    >
    >> Hello Joe,
    >>
    >> and have you cleared "has to change password on first login" ??
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> Did you try logging in to the server with that domain account to be
    >>> sure that you have the credentials right and it can log on locally?
    >>>
    >>> Joe K.
    >>>
    >>> "RichardF" <> wrote in message
    >>> news:...
    >>>> The event log says that the identity of my app pool is invalid.
    >>>>
    >>>> I created a domain account on the domain server.
    >>>>
    >>>> On the SQL Server I gave that account the appropriate permissions.
    >>>>
    >>>> On the IIS Server I set the identity of the app pool to use that
    >>>> account.
    >>>>
    >>>> What did I do wrong this time!!!
    >>>>
    >>>> RichardF
    >>>>
    >>>> (P.S. Thanks for the help so far - I am learning more than I
    >>>> thought I wanted to!)
    >>>>
    >>>> On Thu, 28 Apr 2005 12:23:14 -0700, Dominick Baier [DevelopMentor]
    >>>> <> wrote:
    >>>>
    >>>>> Hello RichardF,
    >>>>>
    >>>>> check the event log! that's most of the time a password typo.
    >>>>>
    >>>>> but the system log will give you more info.
    >>>>>
    >>>>> otherwise change the default apppool back to network service - and
    >>>>> try adding a new migrating gradually your web apps to this new pool.
    >>>>>
    >>>>> HTH
    >>>>> ---------------------------------------
    >>>>> Dominick Baier - DevelopMentor
    >>>>> http://www.leastprivilege.com
    >>>>>> Actually it appears I now get Service Unavailable whenever I try
    >>>>>> to access IIS on that machine, even the default root website.
    >>>>>>
    >>>>>> On Thu, 28 Apr 2005 14:10:53 -0500, RichardF <>
    >>>>>> wrote:
    >>>>>>
    >>>>>>> After installing my web service and web site, they had already
    >>>>>>> been added to a default App Pool.
    >>>>>>>
    >>>>>>> I right clicked the app pool, went to the identity tab and
    >>>>>>> changed it to use the domain user account I have created.
    >>>>>>>
    >>>>>>> Then I added that domain user account to the IIS_WPG group.
    >>>>>>>
    >>>>>>> When I try to access the web site/service from IE on another
    >>>>>>> machine I see my initial logon page but after entering a
    >>>>>>> username/password IE displays a Service Unavailable message.
    >>>>>>>
    >>>>>>> Before I made the changes above, I would get an error indicating
    >>>>>>> that SQL had denied me access.
    >>>>>>>
    >>>>>>> Did I miss something?
    >>>>>>>
    >>>>>>> RichardF
    >>>>>>>
    >>>>>>> On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier
    >>>>>>> [DevelopMentor] <> wrote:
    >>>>>>>
    >>>>>>>> Hello RichardF,
    >>>>>>>>
    >>>>>>>> you can configure the identity of your web service using the
    >>>>>>>> Application Pool feature of IIS6.
    >>>>>>>>
    >>>>>>>> Add a new AppPool - give it an identity (local or domain) - and
    >>>>>>>> add the web service application to the AppPool (WebApp
    >>>>>>>> properties)
    >>>>>>>>
    >>>>>>>> Add the account to IIS_WPG and give it access to
    >>>>>>>> \windows\microsoft.net\framework\v\temporary asp.net files\ and
    >>>>>>>> \windows\temp
    >>>>>>>>
    >>>>>>>> HTH
    >>>>>>>>
    >>>>>>>> ---------------------------------------
    >>>>>>>> Dominick Baier - DevelopMentor
    >>>>>>>> http://www.leastprivilege.com
    >>>>>>>>> I have an ASP.NET Web Service and Web Site. It accesses a
    >>>>>>>>> SQL database for its data and retrieves images from another
    >>>>>>>>> server.
    >>>>>>>>>
    >>>>>>>>> There are 4 servers all running Win 2003 as follows...
    >>>>>>>>>
    >>>>>>>>> 1 - Domain Controller
    >>>>>>>>> 2 - SQL Server
    >>>>>>>>> 3 - IIS Server (runs Web Service and Web Site)
    >>>>>>>>> 4 - File Server (stores all the image files)
    >>>>>>>>>
    >>>>>>>>> I am having lots of issues with permissions because my Web
    >>>>>>>>> Service is running as a user under a LOCAL group IIS_WPG on the
    >>>>>>>>> IIS Server and I don't know how to give it the necessary
    >>>>>>>>> permissions to access the SQL Server and the Images on
    >>>>>>>>> different machines.
    >>>>>>>>>
    >>>>>>>>> I think what I need to do is create a Domain Account, give it
    >>>>>>>>> the appropriate permissions and then somehow get my Web Service
    >>>>>>>>> to run using that user account. I did try this using
    >>>>>>>>> 'impersonate' but then it appeared I didn't have permission to
    >>>>>>>>> run ASP.NET stuff!
    >>>>>>>>>
    >>>>>>>>> Can anyone give me tips on how to accomplish this, or point me
    >>>>>>>>> to a resource that explains how I can accomplish this.
    >>>>>>>>>
    >>>>>>>>> Thanks for any help
    >>>>>>>>>
    >>>>>>>>> RichardF
    >>>>>>>>>
     
    Dominick Baier [DevelopMentor], Apr 29, 2005
    #12
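
The two checks raised in post #12 (full control on the temp directories, membership in IIS_WPG), as an added PowerShell example that is not part of the thread or written by its participants. The account name is constructed, and the framework version folder, which the thread elides, is passed in by the operator; only ACEs that name the account or the group explicitly are reported, so rights granted through other groups are not evaluated.

```powershell
# Added example, not from the thread. The thread elides the framework version
# folder, so the operator passes it in; the account name below is constructed.
param(
    [Parameter(Mandatory = $true)][string]$Account,       # e.g. 'EXAMPLE\svc-web'
    [Parameter(Mandatory = $true)][string]$FrameworkDir,  # version folder under Microsoft.NET\Framework
    [string]$Group = 'IIS_WPG'
)

$full = [System.Security.AccessControl.FileSystemRights]::FullControl

# 1. Is the account listed in the local worker-process group?
#    'net localgroup' prints domain accounts as DOMAIN\name and local ones as name.
$members = net localgroup $Group | ForEach-Object { $_.Trim() }
$inGroup = $members -contains $Account

# 2. Which Allow ACEs on the two directories name the account or the group?
$dirs = @(
    (Join-Path $FrameworkDir 'Temporary ASP.NET Files'),
    (Join-Path $env:windir 'Temp')
)
$report = foreach ($dir in $dirs) {
    if (-not (Test-Path $dir)) {
        New-Object PSObject -Property @{ Path = $dir; Identity = '(directory not found)'; FullControl = $false }
        continue
    }
    $aces = @((Get-Acl -Path $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -eq $Account -or $_.IdentityReference.Value -like "*\$Group")
    })
    if ($aces.Count -eq 0) {
        New-Object PSObject -Property @{ Path = $dir; Identity = '(no matching ACE)'; FullControl = $false }
    }
    foreach ($ace in $aces) {
        New-Object PSObject -Property @{
            Path        = $dir
            Identity    = $ace.IdentityReference.Value
            # True only when every bit of FullControl is present in the ACE
            FullControl = (($ace.FileSystemRights -band $full) -eq $full)
        }
    }
}

"Account '$Account' listed in ${Group}: $inGroup"
$report | Select-Object Path, Identity, FullControl | Format-Table -AutoSize
```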