FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller - ASP.NET Security

  1. #1

    FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller

    Hello there people

    As taken from the KB ...

    After you install Microsoft Visual Studio .NET or the Microsoft .NET
    Framework on a domain controller or on a backup domain controller, if
    you try to run an ASP.NET application, the browser displays the
    following error message: Server Application Unavailable. I've
    encountered the above problem as described in KB Article Number 315158
    http://support.microsoft.com/default.aspx?scid=kb;[LN];Q315158

    One of the 3 recommended resolutions was - < Set the userName
    attribute to SYSTEM in the <processModel> section of the
    Machine.config file. > - which I chose.

    Does anyone have input as to how risky this might be? This is a web
    server that hosts DNS, SQL and IIS on Win2k.

    I've been getting varying opinions on this.

    Thanks,

    Bill
    Bill Kellaway Guest

  2. #2

    RE: FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller

    Basically, this is not recommended because it will make your system
    vulnerable. By running the process as the System account this basically
    means that if anyone were able to get control of this process they would
    have all of the privileges that SYSTEM would have on the server and as you
    know it has many.

    My suggestion would be to create a weak account that has the correct
    permissions, and then configure the <processModel> section of the
    Machine.config file to use that account.

    Here are some simple steps you can follow to grant NTFS permissions.
    Keep in mind that if you are running the 1.0 framework you will need to
    replace v1.1.4322 with v1.0.3705

    1. Create the domain user and grant it "Log on as a Service", "Log on as a
       Batch Job", "Deny Logon Locally", "Access this Computer from the Network"
    2. Add domain user to the local Users Group
    3. Grant domain user read access to C:\Winnt\microsoft.net
    4. Grant domain user Full Control to C:\WINNT\TEMP
    5. Grant domain user Full Control to
       C:\winnt\Microsoft.Net\framework\v1.1.4322\Temporary Asp.Net files
    6. Grant domain user Read access to
       C:\WINNT\Microsoft.Net\Framework\v1.1.4322
    7. Ensure domain user has Read access to
       C:\Winnt\Microsoft.Net\Framework\v1.1.4322\config
    8. Ensure domain user has Read access to C:\Winnt\Assembly
       Note: You should use the following command to add permissions to this
       folder because it is a special folder and does not have a security tab
       cacls c:\winnt\assembly /e /t /p domain\useraccount:R

    9. Modify the
       c:\winnt\microsoft.net\framework\v1.1.4322\config\machine.config under
       <processModel> change these lines to read
       userName="domain\user"
       password="password"
    10. Restart IIS for the machine.config changes to take effect

    You can use the following command to enforce the policy changes without a
    reboot:
    SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Holly

    Holly Mazerolle Guest
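
An added example (not part of Holly's post or of the KB article): a small Python check that reads a machine.config and reports which identity `<processModel>` runs the worker process under, flagging the SYSTEM setting discussed above and the clear-text password that step 9 leaves in the file. The sample fragments, the `EXAMPLE\svc_aspnet` account and the function names are constructed for illustration; `machine` and `AutoGenerate` are the framework's default values.

```python
import xml.etree.ElementTree as ET

# Constructed machine.config fragments (sample data, not from a real server).
RISKY = r'<configuration><system.web><processModel enable="true" userName="SYSTEM" password="AutoGenerate"/></system.web></configuration>'
DEFAULT = r'<configuration><system.web><processModel enable="true" userName="machine" password="AutoGenerate"/></system.web></configuration>'
CUSTOM = r'<configuration><system.web><processModel enable="true" userName="EXAMPLE\svc_aspnet" password="placeholder"/></system.web></configuration>'
MISCASED = r'<configuration><system.web><processModel Username="EXAMPLE\svc_aspnet" Password="placeholder"/></system.web></configuration>'

def audit_process_model(config_xml):
    """Return (severity, message) findings for the <processModel> identity."""
    pm = ET.fromstring(config_xml).find(".//processModel")
    if pm is None:
        return [("info", "no <processModel> element")]
    findings = []
    # XML attribute names are case-sensitive: only userName/password are read.
    for name in pm.attrib:
        if name.lower() in ("username", "password") and name not in ("userName", "password"):
            want = "userName" if name.lower() == "username" else "password"
            findings.append(("error", f"attribute '{name}' must be spelled '{want}'"))
    user = pm.get("userName")
    if user is None:
        findings.append(("error", "userName attribute missing"))
        return findings
    # Account names are matched case-insensitively, the way Windows treats them.
    if user.lower() == "system":
        findings.append(("high", "worker process runs as SYSTEM: a compromised "
                         "application has every privilege SYSTEM has"))
    elif user.lower() == "machine":
        findings.append(("info", "worker process runs as the built-in ASPNET account"))
    else:
        findings.append(("ok", f"worker process runs as dedicated account {user}"))
        if pm.get("password", "AutoGenerate") != "AutoGenerate":
            findings.append(("medium", "account password is stored in clear text; "
                             "restrict read access to machine.config"))
    return findings

def severities(config_xml):
    """Severity labels only, in the order the findings were raised."""
    return [sev for sev, _ in audit_process_model(config_xml)]

if __name__ == "__main__":
    for label, xml in (("RISKY", RISKY), ("DEFAULT", DEFAULT),
                       ("CUSTOM", CUSTOM), ("MISCASED", MISCASED)):
        for sev, msg in audit_process_model(xml):
            print(f"{label:9} {sev:6} {msg}")
```
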

  3. #3

    Re: FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller

    Thank you Holly ! It worked perfectly. One question - it's my
    understanding that the machine.config file is XML. Therefore is the
    "domain\user" case sensitive ???

    Thanks again .. Yippee !!!!!
    Bill Kellaway Guest

  4. #4

    Re: FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller

    It is XML but that string with domain/username should not be case sensitive
    for the file.

    I am glad it worked.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Holly

    Holly Mazerolle Guest

  5. #5

    Re: FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller

    That might depend on what version of the framework you are running under.

    1.0 has a bug where WindowsPrincipal.IsInRole IS case-sensitive. This is
    fixed in 1.1 of the framework.

    I have seen case sensitivity be a problem under 1.0 in this situation.

    Joe K.

    Joe Kaplan (MVP - ADSI) Guest
