Set username to "system" in machine.config, but ASP.NET running as NETWORK SERVICE

Discussion in 'ASP .Net' started by wizofaus@hotmail.com, Dec 30, 2006.

  1. Guest

    I've now created the same setup on four different machines, where I'm
    changing the processModel section machine.config so that ASP.NET (1.1)
    runs as SYSTEM, to give it permission to do various things like access
    the Task Scheduler etc.
    Three of the machines are using IIS 5.1 and work fine. The 4th machine
    is using IIS 6.0, and also has ASP.NET 2.0 installed (but I've made
    sure that the IIS application in question is using ASP.NET 1.1). But
    on this machine, the machine.config setting seems to be getting
    ignored, and the process is running as "NETWORK SERVICE", which does
    *not* have permission to access the Task Scheduler (at least, by
    default - presumably I could grant it this access).
    Any clues why this setting would not work under IIS 6.0? I've tried
    rerunning aspnet_regiis, restarting the web server any number of times,
    but to no avail.

    Thanks.
     
    , Dec 30, 2006
    #1

  2. Guest

    wrote:
    > I've now created the same setup on four different machines, where I'm
    > changing the processModel section machine.config so that ASP.NET (1.1)
    > runs as SYSTEM, to give it permission to do various things like access
    > the Task Scheduler etc.
    > Three of the machines are using IIS 5.1 and work fine. The 4th machine
    > is using IIS 6.0, and also has ASP.NET 2.0 installed (but I've made
    > sure that the IIS application in question is using ASP.NET 1.1). But
    > on this machine, the machine.config setting seems to be getting
    > ignored, and the process is running as "NETWORK SERVICE", which does
    > *not* have permission to access the Task Scheduler (at least, by
    > default - presumably I could grant it this access).
    > Any clues why this setting would not work under IIS 6.0? I've tried
    > rerunning aspnet_regiis, restarting the web server any number of times,
    > but to no avail.
    >

    Never mind, found the problem - under IIS 6.0 it appears you have to
    configure the application pool identity instead. I assume then the
    processModel section in machine.config is not used under IIS 6.0.

    Writing an install that can do all this automatically is going to be
    fun.
     
    , Dec 30, 2006
    #2

  3. Re: Set username to "system" in machine.config, but ASP.NET running as NETWORK SERVICE

    wrote:
    > wrote:
    >> I've now created the same setup on four different machines, where I'm
    >> changing the processModel section machine.config so that ASP.NET (1.1)
    >> runs as SYSTEM, to give it permission to do various things like access
    >> the Task Scheduler etc.
    >> Three of the machines are using IIS 5.1 and work fine. The 4th machine
    >> is using IIS 6.0, and also has ASP.NET 2.0 installed (but I've made
    >> sure that the IIS application in question is using ASP.NET 1.1). But
    >> on this machine, the machine.config setting seems to be getting
    >> ignored, and the process is running as "NETWORK SERVICE", which does
    >> *not* have permission to access the Task Scheduler (at least, by
    >> default - presumably I could grant it this access).
    >> Any clues why this setting would not work under IIS 6.0? I've tried
    >> rerunning aspnet_regiis, restarting the web server any number of times,
    >> but to no avail.
    >>

    > Never mind, found the problem - under IIS 6.0 it appears you have to
    > configure the application pool identity instead. I assume then the
    > processModel section in machine.config is not used under IIS 6.0.
    >
    > Writing an install that can do all this automatically is going to be
    > fun.
    >



    Hi,

    Instead of doing these tweaks on installation, you can use impersonation
    - even per application - by adding the following line in your application's
    web.config:
    <identity impersonate = "true" userName="SYSTEM"/>
     
    Yinon Ehrlich, Jan 2, 2007
    #3
  4. Guest

    Yinon Ehrlich wrote:
    > wrote:
    > > wrote:
    > >> I've now created the same setup on four different machines, where I'm
    > >> changing the processModel section machine.config so that ASP.NET (1.1)
    > >> runs as SYSTEM, to give it permission to do various things like access
    > >> the Task Scheduler etc.
    > >> Three of the machines are using IIS 5.1 and work fine. The 4th machine
    > >> is using IIS 6.0, and also has ASP.NET 2.0 installed (but I've made
    > >> sure that the IIS application in question is using ASP.NET 1.1). But
    > >> on this machine, the machine.config setting seems to be getting
    > >> ignored, and the process is running as "NETWORK SERVICE", which does
    > >> *not* have permission to access the Task Scheduler (at least, by
    > >> default - presumably I could grant it this access).
    > >> Any clues why this setting would not work under IIS 6.0? I've tried
    > >> rerunning aspnet_regiis, restarting the web server any number of times,
    > >> but to no avail.
    > >>

    > > Never mind, found the problem - under IIS 6.0 it appears you have to
    > > configure the application pool identity instead. I assume then the
    > > processModel section in machine.config is not used under IIS 6.0.
    > >
    > > Writing an install that can do all this automatically is going to be
    > > fun.
    > >

    >
    >
    > Hi,
    >
    > Instead of doing these tweaks on installation, you can use impersonation
    > - even per application - by adding the following line in your application's
    > web.config:
    > <identity impersonate = "true" userName="SYSTEM"/>


    Are you sure? That seems like a security loophole - if a
    non-Administrator had write access to a directory containing an ASP.NET
    application, they could easily change it to run as LocalSystem, which
    typically has full access to everything. Certainly our intention is to
    allow support staff write access to the directories where ASP.NET apps
    sit, as the web.config file has some settings they may need to adjust -
    but we certainly wouldn't want to allow them to change the process
    identity (in future versions I hope not to require running as Local
    System, but for now it's the least problematic).
     
    , Jan 2, 2007
    #4
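
Added example, not part of the thread: post #4 asks whether write access to an application's web.config is enough to change the identity it runs under. ASP.NET configuration lets an administrator lock settings against child files with `<location allowOverride="false">`; the Python check below (function names and sample files are constructed for illustration) lists web.config files that set a fixed impersonation account and reports whether a lock in machine.config covers the `<identity>` element.

```python
import xml.etree.ElementTree as ET

# Constructed sample files for the example; not taken from the thread's machines.
MACHINE_CONFIG_UNLOCKED = """<configuration>
  <system.web><identity impersonate="false"/></system.web>
</configuration>"""

MACHINE_CONFIG_LOCKED = """<configuration>
  <location allowOverride="false">
    <system.web><identity impersonate="false"/></system.web>
  </location>
</configuration>"""

WEB_CONFIG_EDITED = """<configuration>
  <system.web><identity impersonate="true" userName="SYSTEM"/></system.web>
</configuration>"""

WEB_CONFIG_PLAIN = """<configuration>
  <system.web><identity impersonate="false"/></system.web>
</configuration>"""


def identity_settings(xml_text):
    """Yield (identity_element, locked) pairs; locked means the element sits
    inside a <location allowOverride="false"> block."""
    root = ET.fromstring(xml_text)
    for el in root.iter():              # drop any xmlns prefix on tag names
        el.tag = el.tag.split("}")[-1]
    scopes = [(root, False)]
    for loc in root.findall("location"):
        scopes.append((loc, loc.get("allowOverride", "true").lower() == "false"))
    for scope, locked in scopes:
        for ident in scope.findall("system.web/identity"):
            yield ident, locked


def audit(machine_config, web_configs):
    """Return (path, userName, status) for every web.config that turns on
    impersonation with a fixed account."""
    locked = any(is_locked for _, is_locked in identity_settings(machine_config))
    status = "blocked by machine.config lock" if locked else "override permitted"
    findings = []
    for path, text in web_configs.items():
        for ident, _ in identity_settings(text):
            user = ident.get("userName")
            if ident.get("impersonate", "false").lower() == "true" and user:
                findings.append((path, user, status))
    return findings
```
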