Security issues with Win2003 and ASPNet app


  1. #1

    Security issues with Win2003 and ASPNet app

    I have an ASP.NET Web Service and Web Site. It accesses a SQL
    database for its data and retrieves images from another server.

    There are 4 servers all running Win 2003 as follows...

    1 - Domain Controller
    2 - SQL Server
    3 - IIS Server (runs Web Service and Web Site)
    4 - File Server (stores all the image files)

    I am having lots of issues with permissions because my Web Service is
    running as a user under a LOCAL group IIS_WPG on the IIS Server and I
    don't know how to give it the necessary permissions to access the SQL
    Server and the Images on different machines.

    I think what I need to do is create a Domain Account, give it the
    appropriate permissions and then somehow get my Web Service to run
    using that user account. I did try this using 'impersonate' but then
    it appeared I didn't have permission to run ASP.NET stuff!

    Can anyone give me tips on how to accomplish this, or point me to a
    resource that explains how I can accomplish this.

    Thanks for any help

    RichardF
    RichardF Guest

  3. #2

    Re: Security issues with Win2003 and ASPNet app

    Hello RichardF,

    you can configure the identity of your web service using the Application
    Pool feature of IIS6.

    Add a new AppPool - give it an identity (local or domain) - and add the web
    service application to the AppPool (WebApp properties)

    Add the account to IIS_WPG and give it access to \windows\microsoft.net\framework\v\temporary
    asp.net files\ and \windows\temp

    HTH

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
    > I have an ASP.NET Web Service and Web Site. It accesses a SQL
    > database for its data and retrieves images from another server.
    >
    > There are 4 servers all running Win 2003 as follows...
    >
    > 1 - Domain Controller
    > 2 - SQL Server
    > 3 - IIS Server (runs Web Service and Web Site)
    > 4 - File Server (stores all the image files)
    > I am having lots of issues with permissions because my Web Service is
    > running as a user under a LOCAL group IIS_WPG on the IIS Server and I
    > don't know how to give it the necessary permissions to access the SQL
    > Server and the Images on different machines.
    >
    > I think what I need to do is create a Domain Account, give it the
    > appropriate permissions and then somehow get my Web Service to run
    > using that user account. I did try this using 'impersonate' but then
    > it appeared I didn't have permission to run ASP.NET stuff!
    >
    > Can anyone give me tips on how to accomplish this, or point me to a
    > resource that explains how I can accomplish this.
    >
    > Thanks for any help
    >
    > RichardF
    >


    Dominick Baier [DevelopMentor] Guest

  4. #3

    Re: Security issues with Win2003 and ASPNet app

    Thanks for the help, I will give that a go. (Assuming I can figure
    out how to add a App Pool!)

    Once I do this, how do I then configure permissions on the SQL server
    and Image server machines?

    RichardF


    On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier [DevelopMentor]
    <dbaier@pleasepleasenospamdevelop.com> wrote:
    >Hello RichardF,
    >
    >you can configure the identity of your web service using the Application
    >Pool feature of IIS6.
    >
    >Add a new AppPool - give it an identity (local or domain) - and add the web
    >service application to the AppPool (WebApp properties)
    >
    >Add the account to IIS_WPG and give it access to \windows\microsoft.net\framework\v\temporary
    >asp.net files\ and \windows\temp
    >
    >HTH
    >
    >---------------------------------------
    >Dominick Baier - DevelopMentor
    >http://www.leastprivilege.com
    RichardF Guest

  5. #4

    Re: Security issues with Win2003 and ASPNet app

    Hello RichardF,

    if you are using a domain account - just give access to sql server for this
    account / ntfs acls for your file server
    if you are using a local account - recreate that account with same name/password
    on the target machines and proceed as described (not the recommended solution
    - you have to keep all those passwords in sync a.s.o.)

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
    > Thanks for the help, I will give that a go. (Assuming I can figure
    > out how to add a App Pool!)
    >
    > Once I do this, how do I then configure permissions on the SQL server
    > and Image server machines?
    >
    > RichardF


    Dominick Baier [DevelopMentor] Guest
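
    Added example (not part of the thread and not code from any poster): the steps from replies #2 and #4 as a Windows Server 2003 batch script built on `adsutil.vbs`, `net localgroup`, `cacls` and `osql`. The account `EXAMPLE\svc-web`, pool `WebSvcPool`, metabase path, database `AppDb`, folder `D:\Images` and the framework version directory are placeholders; the thread leaves the version elided.

    ```batch
    @echo off
    rem Added example. Run from an administrator prompt with one argument:
    rem   iis  on the IIS server, sql on the SQL Server, file on the file server.
    rem Every name below is a placeholder, not a value from the thread.
    setlocal
    set "ACCOUNT=EXAMPLE\svc-web"
    set "POOL=WebSvcPool"
    set "APPPATH=W3SVC/1/ROOT/MyWebService"
    set "FXVER=FRAMEWORK_VERSION_PLACEHOLDER"
    set "DBNAME=AppDb"
    set "IMAGEDIR=D:\Images"
    set "ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs"

    if /i "%~1"=="iis"  goto iis
    if /i "%~1"=="sql"  goto sql
    if /i "%~1"=="file" goto file
    echo Usage: %~nx0 iis^|sql^|file
    exit /b 1

    :iis
    rem Prompt for the password instead of storing it in the script.
    rem (set /p echoes the input; clear the console afterwards.)
    set /p "PASSWORD=Password for %ACCOUNT%: "

    rem 1. Create a dedicated pool and leave the default pool on Network Service,
    rem    so a bad credential cannot take down every site on the box.
    %ADSUTIL% CREATE W3SVC/AppPools/%POOL% IIsApplicationPool
    rem    AppPoolIdentityType 3 = run as the configured WamUserName account.
    %ADSUTIL% SET W3SVC/AppPools/%POOL%/AppPoolIdentityType 3
    %ADSUTIL% SET W3SVC/AppPools/%POOL%/WamUserName "%ACCOUNT%"
    %ADSUTIL% SET W3SVC/AppPools/%POOL%/WamUserPass "%PASSWORD%"
    set "PASSWORD="

    rem 2. Move only the web service application into the new pool.
    %ADSUTIL% SET %APPPATH%/AppPoolId "%POOL%"

    rem 3. Worker process identities must be members of the local IIS_WPG group.
    net localgroup IIS_WPG "%ACCOUNT%" /add
    if errorlevel 1 echo WARNING: could not add %ACCOUNT% to IIS_WPG

    rem 4. Grant change access to the two directories named in reply #2.
    rem    /E edits the existing ACL instead of replacing it; /T recurses.
    cacls "%SystemRoot%\Microsoft.NET\Framework\%FXVER%\Temporary ASP.NET Files" /E /T /G "%ACCOUNT%":C
    cacls "%SystemRoot%\Temp" /E /G "%ACCOUNT%":C
    goto :eof

    :sql
    rem Windows-authenticated login for the pool account, then database access.
    rem db_datareader is an assumed role; grant only what the application uses.
    osql -E -Q "EXEC sp_grantlogin N'%ACCOUNT%'"
    osql -E -d %DBNAME% -Q "EXEC sp_grantdbaccess N'%ACCOUNT%'"
    osql -E -d %DBNAME% -Q "EXEC sp_addrolemember N'db_datareader', N'%ACCOUNT%'"
    goto :eof

    :file
    rem Read-only NTFS access to the image tree. The share permissions on the
    rem folder must allow read for the same account as well.
    cacls "%IMAGEDIR%" /E /T /G "%ACCOUNT%":R
    goto :eof
    ```

    A password containing characters such as `%`, `&` or `"` will not survive the batch expansion in step 1; in that case set the pool identity through the IIS Manager Identity tab instead.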

  6. #5

    Re: Security issues with Win2003 and ASPNet app

    After installing my web service and web site, they had already been
    added to a default App Pool.

    I right clicked the app pool, went to the identity tab and changed it
    to use the domain user account I have created.

    Then I added that domain user account to the IIS_WPG group.

    When I try to access the web site/service from IE on another machine I
    see my initial logon page but after entering a username/password IE
    displays a Service Unavailable message.

    Before I made the changes above, I would get an error indicating that
    SQL had denied me access.

    Did I miss something?

    RichardF


    On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier [DevelopMentor]
    <dbaier@pleasepleasenospamdevelop.com> wrote:
    >Hello RichardF,
    >
    >you can configure the identity of your web service using the Application
    >Pool feature of IIS6.
    >
    >Add a new AppPool - give it an identity (local or domain) - and add the web
    >service application to the AppPool (WebApp properties)
    >
    >Add the account to IIS_WPG and give it access to \windows\microsoft.net\framework\v\temporary
    >asp.net files\ and \windows\temp
    >
    >HTH
    >
    >---------------------------------------
    >Dominick Baier - DevelopMentor
    >http://www.leastprivilege.com
    RichardF Guest

  7. #6

    Re: Security issues with Win2003 and ASPNet app

    Actually it appears I now get Service Unavailable whenever I try to
    access IIS on that machine, even the default root website.



    On Thu, 28 Apr 2005 14:10:53 -0500, RichardF <noone@nowhere.com>
    wrote:
    >After installing my web service and web site, they had already been
    >added to a default App Pool.
    >
    >I right clicked the app pool, went to the identity tab and changed it
    >to use the domain user account I have created.
    >
    >Then I added that domain user account to the IIS_WPG group.
    >
    >When I try to access the web site/service from IE on another machine I
    >see my initial logon page but after entering a username/password IE
    >displays a Service Unavailable message.
    >
    >Before I made the changes above, I would get an error indicating that
    >SQL had denied me access.
    >
    >Did I miss something?
    >
    >RichardF
    >
    RichardF Guest

  8. #7

    Re: Security issues with Win2003 and ASPNet app

    Hello RichardF,

    check the event log! that's most of the time a password typo.

    but the system log will give you more info.

    otherwise change the default apppool back to network service - and try adding
    a new one, gradually migrating your web apps to this new pool.

    HTH

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
    > Actually it appears I now get Service Unavailable whenever I try to
    > access IIS on that machine, even the default root website.


    Dominick Baier [DevelopMentor] Guest

  9. #8

    Re: Security issues with Win2003 and ASPNet app

    The event log says that the identity of my app pool is invalid.

    I created a domain account on the domain server.

    On the SQL Server I gave that account the appropriate permissions.

    On the IIS Server I set the identity of the app pool to use that
    account.

    What did I do wrong this time!!!

    RichardF

    (P.S. Thanks for the help so far - I am learning more than I thought I
    wanted to!)


    On Thu, 28 Apr 2005 12:23:14 -0700, Dominick Baier [DevelopMentor]
    <dbaier@pleasepleasenospamdevelop.com> wrote:
    >Hello RichardF,
    >
    >check the event log! that's most of the time a password typo.
    >
    >but the system log will give you more info.
    >
    >otherwise change the default apppool back to network service - and try adding
    >a new one, gradually migrating your web apps to this new pool.
    >
    >HTH
    >
    >---------------------------------------
    >Dominick Baier - DevelopMentor
    >http://www.leastprivilege.com
    RichardF Guest

  10. #9

    Re: Security issues with Win2003 and ASPNet app

    Did you try logging in to the server with that domain account to be sure
    that you have the credentials right and it can log on locally?

    Joe K.

    "RichardF" <noone@nowhere.com> wrote in message
    news:73g271h1f1l3or2cvpofouc8odl04joh11@4ax.com...
    > The event log says that the identity of my app pool is invalid.
    >
    > I created a domain account on the domain server.
    >
    > On the SQL Server I gave that account the appropriate permissions.
    >
    > On the IIS Server I set the identity of the app pool to use that
    > account.
    >
    > What did I do wrong this time!!!
    >
    > RichardF
    >
    > (P.S. Thanks for the help so far - I am learning more than I thought I
    > wanted to!)

    Joe Kaplan (MVP - ADSI) Guest

  11. #10

    Re: Security issues with Win2003 and ASPNet app

    Hello Joe,

    and have you cleared "has to change password on first login" ??

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
    > Did you try logging in to the server with that domain account to be
    > sure that you have the credentials right and it can log on locally?
    >
    > Joe K.


    Dominick Baier [DevelopMentor] Guest

  12. #11

    Re: Security issues with Win2003 and ASPNet app

    Logging in works OK, the user and password are OK, but I think I
    messed up the password before.

    I made sure it is OK now.

    So, my web service and web site are in their own app group. Its
    identity is set to the domain user.

    Now, when I try to access the web site from the IIS machine (where it
    is hosted) I get a message saying "File or assembly name XXX.dll, or
    one of its dependencies, was not found"

    Each time I refresh the page the name XXX.dll changes.

    Help!

    RichardF


    On Thu, 28 Apr 2005 23:00:43 -0700, Dominick Baier [DevelopMentor]
    <dbaier@pleasepleasenospamdevelop.com> wrote:
    >Hello Joe,
    >
    >and have you cleared "has to change password on first login" ??
    >
    >---------------------------------------
    >Dominick Baier - DevelopMentor
    >http://www.leastprivilege.com
    >
    >> Did you try logging in to the server with that domain account to be
    >> sure that you have the credentials right and it can log on locally?
    >>
    >> Joe K.
    >>
    >> "RichardF" <noone@nowhere.com> wrote in message
    >> news:73g271h1f1l3or2cvpofouc8odl04joh11@4ax.com...
    >>
    >>> The event log says that the identity of my app pool is invalid.
    >>>
    >>> I created a domain account on the domain server.
    >>>
    >>> On the SQL Server I gave that account the appropriate permissions.
    >>>
    >>> On the IIS Server I set the identity of the app pool to use that
    >>> account.
    >>>
    >>> What did I do wrong this time!!!
    >>>
    >>> RichardF
    >>>
    >>> (P.S. Thanks for the help so far - I am learning more than I thought
    >>> I wanted to!)
    >>>
    >>> On Thu, 28 Apr 2005 12:23:14 -0700, Dominick Baier [DevelopMentor]
    >>> <dbaier@pleasepleasenospamdevelop.com> wrote:
    >>>
    >>>> Hello RichardF,
    >>>>
    >>>> check the event log! that's most of the time a password typo.
    >>>>
    >>>> but the system log will give you more info.
    >>>>
    >>>> otherwise change the default apppool back to network service - and
    >>>> try adding a new migrating gradually your web apps to this new pool.
    >>>>
    >>>> HTH
    >>>>
    >>>> ---------------------------------------
    >>>> Dominick Baier - DevelopMentor
    >>>> http://www.leastprivilege.com
    >>>>> Actually it appears I now get Service Unavailable whenever I try to
    >>>>> access IIS on that machine, even the default root website.
    >>>>>
    >>>>> On Thu, 28 Apr 2005 14:10:53 -0500, RichardF <noone@nowhere.com>
    >>>>> wrote:
    >>>>>
    >>>>>> After installing my web service and web site, they had already
    >>>>>> been added to a default App Pool.
    >>>>>>
    >>>>>> I right clicked the app pool, went to the identity tab and changed
    >>>>>> it to use the domain user account I have created.
    >>>>>>
    >>>>>> Then I added that domain user account to the IIS_WPG group.
    >>>>>>
    >>>>>> When I try to access the web site/service from IE on another
    >>>>>> machine I see my initial logon page but after entering a
    >>>>>> username/password IE displays a Service Unavailable message.
    >>>>>>
    >>>>>> Before I made the changes above, I would get an error indicating
    >>>>>> that SQL had denied me access.
    >>>>>>
    >>>>>> Did I miss something?
    >>>>>>
    >>>>>> RichardF
    >>>>>>
    >>>>>> On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier [DevelopMentor]
    >>>>>> <dbaier@pleasepleasenospamdevelop.com> wrote:
    >>>>>>
    >>>>>>> Hello RichardF,
    >>>>>>>
    >>>>>>> you can configure the identity of your web service using the
    >>>>>>> Application Pool feature of IIS6.
    >>>>>>>
    >>>>>>> Add a new AppPool - give it an identity (local or domain) - and
    >>>>>>> add the web service application to the AppPool (WebApp
    >>>>>>> properties)
    >>>>>>>
    >>>>>>> Add the account to IIS_WPG and give it access to
    >>>>>>> \windows\microsoft.net\framework\v\temporary asp.net files\ and
    >>>>>>> \windows\temp
    >>>>>>>
    >>>>>>> HTH
    >>>>>>>
    >>>>>>> ---------------------------------------
    >>>>>>> Dominick Baier - DevelopMentor
    >>>>>>> http://www.leastprivilege.com
    >>>>>>>> I have an ASP.NET Web Service and Web Site. It accesses a SQL
    >>>>>>>> database for its data and retrieves images from another server.
    >>>>>>>>
    >>>>>>>> There are 4 servers all running Win 2003 as follows...
    >>>>>>>>
    >>>>>>>> 1 - Domain Controller
    >>>>>>>> 2 - SQL Server
    >>>>>>>> 3 - IIS Server (runs Web Service and Web Site)
    >>>>>>>> 4 - File Server (stores all the image files)
    >>>>>>>>
    >>>>>>>> I am having lots of issues with permissions because my Web
    >>>>>>>> Service is running as a user under a LOCAL group IIS_WPG on the
    >>>>>>>> IIS Server and I don't know how to give it the necessary
    >>>>>>>> permissions to access the SQL Server and the Images on
    >>>>>>>> different machines.
    >>>>>>>>
    >>>>>>>> I think what I need to do is create a Domain Account, give it
    >>>>>>>> the appropriate permissions and then somehow get my Web Service
    >>>>>>>> to run using that user account. I did try this using
    >>>>>>>> 'impersonate' but then it appeared I didn't have permission to
    >>>>>>>> run ASP.NET stuff!
    >>>>>>>>
    >>>>>>>> Can anyone give me tips on how to accomplish this, or point me
    >>>>>>>> to a resource that explains how I can accomplish this.
    >>>>>>>>
    >>>>>>>> Thanks for any help
    >>>>>>>>
    >>>>>>>> RichardF
    >>>>>>>>
    >
    >
    RichardF Guest

  13. #12

    Default Re: Security issues with Win2003 and ASPNet app

    Hello RichardF,

    make sure the account your worker process runs under has full control of

    \windows\microsoft.net\framework\v1.x\temporary asp.net files
    \windows\temp

    the account is in the IIS_WPG group?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
    > Logging in works OK, the user and password are OK, but I think I
    > messed up the password before.
    >
    > I made sure it is OK now.
    >
    > So, my web service and web site are in their own app group. Its
    > identity is set to the domain user.
    >
    > Now, when I try to access the web site from the IIS machine (where it
    > is hosted) I get a message saying "File or assembly name XXX.dll, or
    > one of its dependencies, was not found"
    >
    > Each time I refresh the page the name XXX.dll changes.
    >
    > Help!
    >
    > RichardF
    >
    > On Thu, 28 Apr 2005 23:00:43 -0700, Dominick Baier [DevelopMentor]
    > <dbaier@pleasepleasenospamdevelop.com> wrote:
    >
    >> Hello Joe,
    >>
    >> and have you cleared "has to change password on first login" ??
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> Did you try logging in to the server with that domain account to be
    >>> sure that you have the credentials right and it can log on locally?
    >>>
    >>> Joe K.
    >>>
    >>> "RichardF" <noone@nowhere.com> wrote in message
    >>> news:73g271h1f1l3or2cvpofouc8odl04joh11@4ax.com...
    >>>> The event log says that the identity of my app pool is invalid.
    >>>>
    >>>> I created a domain account on the domain server.
    >>>>
    >>>> On the SQL Server I gave that account the appropriate permissions.
    >>>>
    >>>> On the IIS Server I set the identity of the app pool to use that
    >>>> account.
    >>>>
    >>>> What did I do wrong this time!!!
    >>>>
    >>>> RichardF
    >>>>
    >>>> (P.S. Thanks for the help so far - I am learning more than I
    >>>> thought I wanted to!)
    >>>>
    >>>> On Thu, 28 Apr 2005 12:23:14 -0700, Dominick Baier [DevelopMentor]
    >>>> <dbaier@pleasepleasenospamdevelop.com> wrote:
    >>>>
    >>>>> Hello RichardF,
    >>>>>
    >>>>> check the event log! that's most of the time a password typo.
    >>>>>
    >>>>> but the system log will give you more info.
    >>>>>
    >>>>> otherwise change the default apppool back to network service - and
    >>>>> try adding a new migrating gradually your web apps to this new pool.
    >>>>>
    >>>>> HTH
    >>>>>
    >>>>> ---------------------------------------
    >>>>> Dominick Baier - DevelopMentor
    >>>>> http://www.leastprivilege.com
    >>>>>> Actually it appears I now get Service Unavailable whenever I try
    >>>>>> to access IIS on that machine, even the default root website.
    >>>>>>
    >>>>>> On Thu, 28 Apr 2005 14:10:53 -0500, RichardF <noone@nowhere.com>
    >>>>>> wrote:
    >>>>>>
    >>>>>>> After installing my web service and web site, they had already
    >>>>>>> been added to a default App Pool.
    >>>>>>>
    >>>>>>> I right clicked the app pool, went to the identity tab and
    >>>>>>> changed it to use the domain user account I have created.
    >>>>>>>
    >>>>>>> Then I added that domain user account to the IIS_WPG group.
    >>>>>>>
    >>>>>>> When I try to access the web site/service from IE on another
    >>>>>>> machine I see my initial logon page but after entering a
    >>>>>>> username/password IE displays a Service Unavailable message.
    >>>>>>>
    >>>>>>> Before I made the changes above, I would get an error indicating
    >>>>>>> that SQL had denied me access.
    >>>>>>>
    >>>>>>> Did I miss something?
    >>>>>>>
    >>>>>>> RichardF
    >>>>>>>
    >>>>>>> On Thu, 28 Apr 2005 08:26:20 -0700, Dominick Baier
    >>>>>>> [DevelopMentor] <dbaier@pleasepleasenospamdevelop.com> wrote:
    >>>>>>>
    >>>>>>>> Hello RichardF,
    >>>>>>>>
    >>>>>>>> you can configure the identity of your web service using the
    >>>>>>>> Application Pool feature of IIS6.
    >>>>>>>>
    >>>>>>>> Add a new AppPool - give it an identity (local or domain) - and
    >>>>>>>> add the web service application to the AppPool (WebApp
    >>>>>>>> properties)
    >>>>>>>>
    >>>>>>>> Add the account to IIS_WPG and give it access to
    >>>>>>>> \windows\microsoft.net\framework\v\temporary asp.net files\ and
    >>>>>>>> \windows\temp
    >>>>>>>>
    >>>>>>>> HTH
    >>>>>>>>
    >>>>>>>> ---------------------------------------
    >>>>>>>> Dominick Baier - DevelopMentor
    >>>>>>>> http://www.leastprivilege.com
    >>>>>>>>> I have an ASP.NET Web Service and Web Site. It accesses a
    >>>>>>>>> SQL database for its data and retrieves images from another
    >>>>>>>>> server.
    >>>>>>>>>
    >>>>>>>>> There are 4 servers all running Win 2003 as follows...
    >>>>>>>>>
    >>>>>>>>> 1 - Domain Controller
    >>>>>>>>> 2 - SQL Server
    >>>>>>>>> 3 - IIS Server (runs Web Service and Web Site)
    >>>>>>>>> 4 - File Server (stores all the image files)
    >>>>>>>>>
    >>>>>>>>> I am having lots of issues with permissions because my Web
    >>>>>>>>> Service is running as a user under a LOCAL group IIS_WPG on
    >>>>>>>>> the IIS Server and I don't know how to give it the necessary
    >>>>>>>>> permissions to access the SQL Server and the Images on
    >>>>>>>>> different machines.
    >>>>>>>>>
    >>>>>>>>> I think what I need to do is create a Domain Account, give it
    >>>>>>>>> the appropriate permissions and then somehow get my Web
    >>>>>>>>> Service to run using that user account. I did try this using
    >>>>>>>>> 'impersonate' but then it appeared I didn't have permission to
    >>>>>>>>> run ASP.NET stuff!
    >>>>>>>>>
    >>>>>>>>> Can anyone give me tips on how to accomplish this, or point me
    >>>>>>>>> to a resource that explains how I can accomplish this.
    >>>>>>>>>
    >>>>>>>>> Thanks for any help
    >>>>>>>>>
    >>>>>>>>> RichardF
    >>>>>>>>>


    Dominick Baier [DevelopMentor] Guest
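
The checks asked for in the replies above (app pool account in IIS_WPG, rights on the Temporary ASP.NET Files and \windows\temp directories), written as a PowerShell audit script. This is an added example, not part of the original thread; the account name is a placeholder, and only ACEs that name the account or IIS_WPG directly are evaluated.

```powershell
# Added example, not from the thread. Run on the IIS server as an administrator.
param(
    [string]$Account  = 'EXAMPLEDOMAIN\svc-webapp',  # placeholder app pool identity
    [string]$Required = 'FullControl'                # right asked for in the reply
)

# Direct membership of a local group for a domain account (WinNT ADSI provider).
function Test-LocalGroupMember([string]$Group, [string]$Member) {
    $wanted = 'WinNT://' + $Member.Replace('\', '/')
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    foreach ($m in @($grp.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        if ($path -ieq $wanted) { return $true }
    }
    return $false
}

# True when allow ACEs naming one of $Principals cover $Right on the directory
# itself and no deny ACE for them removes part of it. Other groups are ignored.
function Test-DirectoryRight([string]$Path, [string[]]$Principals, [string]$Right) {
    $need = [int][System.Security.AccessControl.FileSystemRights]$Right
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow = 0
    $deny = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }  # children only
        if ($ace.AccessControlType -eq 'Deny') { $deny = $deny -bor [int]$ace.FileSystemRights }
        else { $allow = $allow -bor [int]$ace.FileSystemRights }
    }
    return (($allow -band (-bnot $deny) -band $need) -eq $need)
}

$inWpg = Test-LocalGroupMember 'IIS_WPG' $Account
$who = @($Account)
if ($inWpg) { $who += "$env:COMPUTERNAME\IIS_WPG" }

# \windows\temp plus the Temporary ASP.NET Files folder of each installed framework.
$dirs = @(Join-Path $env:windir 'Temp')
$dirs += @(Get-ChildItem (Join-Path $env:windir 'Microsoft.NET\Framework') |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'v*' } |
    ForEach-Object { Join-Path $_.FullName 'Temporary ASP.NET Files' } |
    Where-Object { Test-Path $_ })

"{0} in IIS_WPG: {1}" -f $Account, $inWpg
foreach ($d in $dirs) {
    "{0} on {1}: {2}" -f $Required, $d, (Test-DirectoryRight $d $who $Required)
}
```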
