ASP.NET process impersonation on IIS6

  • Thread starter Lauren Buchholz

Lauren Buchholz

Hi, I have an application that was originally designed under IIS5.1 and
ASP.NET that used a setting in the machine.config that would allow my
worker process to run under a different account. I know that the new worker
process isolation mode changes how this works, but I have been unable to get
my application to run as the account I would like while keeping IIS in
native mode. Anyone know how to do this?

More specifically, we need a .NET app to connect to a PKI-based SSL web
service. The way we had it working in the past is that we would create a
limited security account, install the proper certificates in that account,
and then run the worker process as that account. Is there a better way to
do this now in Windows 2003?
 

Ram Sunkara [msft]

If IIS is running in worker process isolation mode (IIS6 native mode in
Windows .NET Server 2003), the "processModel" account specified in the
machine.config file is ignored.

If you want to run your web application on a specific account, simply
change the application pool identity to the account you want to run your
web application under. And make sure this account is a member of the local
IIS_WPG group.

You may want to review your application architecture if this is an
Internet-facing box, as there are lots of security issues involved in running the
application pool on a privileged account.
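The two steps above (put the account in IIS_WPG, then point the pool at it) as an added example, not code from Ram's reply. It drives the IIS 6 metabase through the ADSI provider from System.DirectoryServices instead of the IIS Manager GUI or adsutil.vbs; the pool name "PkiClientPool", the domain "CORP" and the account "svc_pkiweb" are placeholders, and the metabase property names (AppPoolIdentityType, WAMUserName, WAMUserPass) are the IIS 6 ones. It has to run as a local administrator on the IIS box.

```csharp
using System;
using System.Collections;
using System.DirectoryServices;

// Added example (not from the thread): switch an IIS 6 application pool to a
// specific account, making sure the account is in local IIS_WPG first.
// Requires a reference to System.DirectoryServices.dll.
public static class AppPoolIdentity
{
    // IIS 6 metabase values for AppPoolIdentityType:
    // 0 = LocalSystem, 1 = LocalService, 2 = NetworkService, 3 = specific user.
    private const int SpecificUser = 3;

    // Returns true if the account was already in IIS_WPG, false if it had to be added.
    public static bool EnsureInIisWpg(string domain, string user)
    {
        string groupPath = "WinNT://" + Environment.MachineName + "/IIS_WPG,group";
        using (DirectoryEntry group = new DirectoryEntry(groupPath))
        {
            foreach (object member in (IEnumerable)group.Invoke("Members"))
            {
                using (DirectoryEntry m = new DirectoryEntry(member))
                {
                    if (string.Equals(m.Name, user, StringComparison.OrdinalIgnoreCase))
                        return true;
                }
            }
            group.Invoke("Add", new object[] { "WinNT://" + domain + "/" + user + ",user" });
            group.CommitChanges();
            return false;
        }
    }

    public static void SetPoolIdentity(string poolName, string domain, string user, string password)
    {
        // Do the group first: a pool identity outside IIS_WPG lacks the rights
        // w3wp.exe needs, so the worker process typically fails to start and
        // requests come back 503 with little to go on in the event log.
        EnsureInIisWpg(domain, user);

        using (DirectoryEntry pool = new DirectoryEntry("IIS://localhost/W3SVC/AppPools/" + poolName))
        {
            pool.Properties["AppPoolIdentityType"].Value = SpecificUser;
            pool.Properties["WAMUserName"].Value = domain + "\\" + user;
            pool.Properties["WAMUserPass"].Value = password;
            pool.CommitChanges();
            // Recycle so the running worker process picks up the new token.
            pool.Invoke("Recycle", null);
        }
    }

    public static void Main(string[] args)
    {
        // Placeholder names; read the password from a prompt rather than argv in real use.
        SetPoolIdentity("PkiClientPool", "CORP", "svc_pkiweb", args[0]);
    }
}
```

The group check is there because it is the step that is easy to forget when doing this by hand; the account also needs no more than membership in IIS_WPG and whatever the application itself requires, so keep it a plain domain or local user rather than an administrator, as the warning above says.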
 

Lauren

Thanks, I will give that a shot today. When I was playing
around I tried all of this, minus the step of adding the
account to the IIS_WPG on the machine, and was getting some
strange errors.

Regards
 

Lauren Buchholz

Is there a better way to have my ASP.NET account store the certificate that
it needs to access the web service I am trying to use? My original solution,
although functional, doesn't seem like it is optimal. I have tried using the
certificates MMC plugin to import the certificate, but the only service I
can see is the web server process itself, which I don't believe is the
correct service to store the personal certificate. Is the only way to have
ASP.NET contact a site via a personal certificate to use an impersonated
account, or is there a more secure way to do this?
 

Ram Sunkara [msft]

Well, the easiest way would be to import the certificate into the user store
under which you want to run your web application. From your web
application, before calling the web service, do a RevertToSelf to impersonate
the ASP.NET thread security context (in this case the user context you wanted
ASP.NET to run under).

When your call is completed, make sure the thread impersonates the
current user again.

Calling RevertToSelf involves InteropServices.



Ram-
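The pattern Ram describes, as an added example rather than his code: P/Invoke RevertToSelf so the request thread runs as the application pool identity, pick the client certificate out of that identity's own CurrentUser\My store, make the call, and put the original impersonation token back in a finally block so nothing later in the request runs with the wrong identity. It assumes .NET Framework 2.0 or later, that the certificate and its private key were imported into the pool identity's user store, and placeholder values for the service URL and thumbprint.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example (not Ram's code). Call a client-certificate-protected web
// service from an ASP.NET request thread that may be impersonating, using the
// certificate stored in the application pool identity's CurrentUser\My store.
public static class PkiWebServiceClient
{
    // The API Ram refers to: drops the thread's impersonation token so the
    // thread runs under the process (application pool) identity.
    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool RevertToSelf();

    public delegate T Work<T>();

    // Runs work() under the process identity and always restores the caller's
    // token before returning, even when work() throws.
    public static T RunAsProcessIdentity<T>(Work<T> work)
    {
        // Null when the thread is not impersonating (e.g. <identity impersonate="false"/>
        // and an anonymous request): nothing to revert, nothing to restore.
        WindowsIdentity caller = WindowsIdentity.GetCurrent(true);
        if (caller == null)
            return work();

        if (!RevertToSelf())
            throw new Win32Exception(Marshal.GetLastWin32Error(), "RevertToSelf failed");
        try
        {
            return work();
        }
        finally
        {
            // GetCurrent() handed us a duplicate of the impersonation token, so it is
            // still valid after RevertToSelf; put it back on the request thread.
            caller.Impersonate();
        }
    }

    // Looks in the CurrentUser\My store of whoever the thread currently is, so
    // only call this from inside RunAsProcessIdentity.
    private static X509Certificate2 FindClientCertificate(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly=false: an internal PKI may not chain on this box, and the
            // server validates the certificate anyway; what we must have is the key.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1 || !found[0].HasPrivateKey)
                throw new InvalidOperationException(
                    "client certificate not usable from " + WindowsIdentity.GetCurrent().Name);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    public static string CallService(Uri serviceUrl, string thumbprint)
    {
        return RunAsProcessIdentity<string>(delegate
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(serviceUrl);
            request.ClientCertificates.Add(FindClientCertificate(thumbprint));
            using (WebResponse response = request.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
            {
                return reader.ReadToEnd();
            }
        });
    }
}
```

An ASMX proxy works the same way inside the delegate: add the certificate to the proxy's ClientCertificates collection (SoapHttpClientProtocol exposes one) before invoking the method. The exception message includes the current identity name on purpose, because the usual failure is that the certificate was imported while logged on as one account and the worker process is running as another. If the pool identity's CurrentUser store turns out not to be visible from the worker process, the alternative is to import the certificate into LocalMachine\My and grant the pool identity read access to the private key (winhttpcertcfg.exe from the Windows Server 2003 Resource Kit does that), then open StoreLocation.LocalMachine instead.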
 