Is it safe to use IWAM_<machine name> account for aspnet_wp.exe?
This question refers to KB articles:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;315158
http://support.microsoft.com/default.aspx?scid=kb;EN-US;317012
I'm running Advanced Server 2000 as a domain controller with IIS 5 (I know I
shouldn't be doing this - just a test machine). I am using the default
ASP.NET (v1.1) machine.config file.....
<processModel..... userName="machine" password="AutoGenerate"..... />
According to KB317012....."The machine and the AutoGenerate values instruct
ASP.NET to use the built-in ASPNET account and to use a cryptographically
strong, random password that is stored in the Local Security Authority (LSA)
for that account."
On my machine this causes the worker process (Aspnet_wp.exe) to run under
the IWAM_<machine name> account instead.
Is this safe? (I've disabled the ASPNET account as it doesn't seem to be
needed). In order to get the SDK samples to work with my SQL Server, I've
added IWAM_<machine name> as a login and database user. Is this safe?
Also, it seems I have to add IWAM_<machine name> to any virtual directory
that uses ASP.NET. I get two error messages from source USERENV in the
Application Log every time Aspnet_wp.exe starts up.....
Event ID: 1000
Windows cannot log you on because the profile cannot be loaded. Contact your
network administrator.
DETAIL - Cannot create a file when that file already exists.
Event ID: 1000
Windows cannot copy file <Document and Settings\ Default
User\Favourites\Links> to location <Document and Settings\My
Domain\IWAM_<machine name>\Favourites\Links>. Contact your network
administrator.
DETAIL - Cannot create a file when that file already exists.
...... and a <My Domain Name> folder is created in the Document and Settings
folder (if it doesn't already exist - it remains empty).
Thanks
Guest
-
Bassel Tabbara [MSFT] #2
RE: Is it safe to use IWAM_<machine name> account for aspnet_wp.exe?
Hello,
As the article is suggesting:
"To work around this problem, use one of the following methods:
- Create a weak account that has the correct permissions, and then
  configure the <processModel> section of the Machine.config file to use
  that account.
- Set the userName attribute to SYSTEM in the <processModel> section of
  the Machine.config file.
- Configure the <processModel> section of the Machine.config file to
  use an administrator account.
NOTE: Allowing ASP.NET applications to run as SYSTEM or an administrator
account has serious security implications. If you use either of these
workarounds, code that is run in the Aspnet_wp.exe process will have access
to the domain controller and the domain settings. Executable files that are
started from the Aspnet_wp.exe process run in the same context and also
have access to the domain controller."
Did you try any of these workarounds?
For .Net Framework 1.1 the ASPNET account is not supposed to be created on
a Win2K server promoted to a DC. In this case, ASP.NET is supposed to run as
the IWAM account.
There are 3 options when you install this version of the framework on a
Windows 2000 DC:
1. Give IWAM the correct permission to run the app <"machine" now maps to
   this user>
2. Create a new account and grant the correct permissions
3. Run the process as SYSTEM
Please let me know if you have more questions on this.
Thanks,
Bassel Tabbara
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
| From: <.>
| Subject: Is it safe to use IWAM_<machine name> account for aspnet_wp.exe?
| Date: Tue, 1 Jul 2003 10:41:06 -0400
Bassel Tabbara [MSFT] Guest
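The options listed in the reply above differ mainly in what code running inside Aspnet_wp.exe would inherit. As an added example (not code from the thread or from Microsoft), this Python sketch reads a machine.config document and classifies the <processModel> identity along those lines; the sample configs, the account name MYDOMAIN\svc_aspnet and the admin_accounts parameter are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the poster's machine).
DEFAULT_CFG = """<configuration><system.web>
  <processModel enable="true" userName="machine" password="AutoGenerate" />
</system.web></configuration>"""
SYSTEM_CFG = DEFAULT_CFG.replace('"machine"', '"SYSTEM"')
CUSTOM_CFG = DEFAULT_CFG.replace('"machine"', r'"MYDOMAIN\svc_aspnet"')


def audit_process_model(config_xml, is_domain_controller, admin_accounts=()):
    """Return (severity, reason) for the <processModel> worker identity.

    admin_accounts is a caller-supplied list of accounts known to hold
    administrator rights; this sketch does not query Windows for it.
    """
    root = ET.fromstring(config_xml)
    pm = next(root.iter("processModel"), None)
    if pm is None or pm.get("userName") is None:
        return ("unknown", "no <processModel userName=...> found")
    user = pm.get("userName")
    admins = {a.lower() for a in admin_accounts}

    if user.lower() == "system":
        return ("high", "worker runs as SYSTEM; on a DC its code can reach "
                        "the domain controller and domain settings")
    if user.lower() in admins:
        return ("high", f"{user} is an administrator account")
    if user.lower() == "machine":
        if is_domain_controller:
            # Per the thread: on a Windows 2000 DC with .NET 1.1 there is no
            # ASPNET account, so "machine" maps to IWAM_<machine name>.
            return ("review", "maps to IWAM_<machine name>; audit what that "
                              "account was granted (SQL logins, folder ACLs)")
        return ("ok", "built-in ASPNET account with an LSA-stored password")
    return ("review", f"custom account {user}; confirm it is a weak account "
                      "with only the permissions the application needs")


if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_CFG), ("system", SYSTEM_CFG),
                      ("custom", CUSTOM_CFG)]:
        print(name, audit_process_model(cfg, is_domain_controller=True))
```

The "review" result for the default setting on a domain controller reflects the situation in this thread: the identity itself is the expected one, so what remains to check is the access granted to it, such as the SQL Server login the poster added.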
-
Re: Is it safe to use IWAM_<machine name> account for aspnet_wp.exe?
I'm using the IWAM account. It seems to work but for some reason it creates
an empty folder by the name of my domain under the Document and Settings
profile directory. It also generates the two errors mentioned in my first
post. I'm aware of the KB advice but why not continue to use IWAM?
Guest
-
Bassel Tabbara [MSFT] #4
Re: Is it safe to use IWAM_<machine name> account for aspnet_wp.exe?
Hello,
As I mentioned in my previous post, in ASP.Net 1.1 the IWAM account is used
on a Domain Controller in place of the ASPNET account. You should be fine
using this account. It is safe and there is nothing to worry about.
Concerning the folders created under Document and Settings, this is normal
behavior.
Please let me know if you need any more help on this.
Thanks,
Bassel Tabbara
Microsoft, ASP.NET
This posting is provided "AS IS", with no warranties, and confers no rights.
--------------------
| From: <.>
| Subject: Re: Is it safe to use IWAM_<machine name> account for aspnet_wp.exe?
| Date: Tue, 1 Jul 2003 20:51:48 -0400
Bassel Tabbara [MSFT] Guest


