
Thread: Set Application Pool Identity

Last post 09-03-2009 8:13 AM by Jeff B.. 5 replies.


  • 09-01-2009, 11:11 AM

    • Jeff B.
    • Not Ranked
    • Joined on 05-26-2005, 9:32 PM
    • Posts 4

    Set Application Pool Identity

    Is there an MSDeploy Provider that can set the Identity for an Application Pool? For example, in one environment, a web site runs under one identity. When we promote it to another environment, we want that Application Pool to run under another identity.

    Is this possible with MSDeploy?

  • 09-01-2009, 12:21 PM In reply to

    Re: Set Application Pool Identity

    So here is the command to simply copy/sync one AppPool from one machine to another. 

    msdeploy -verb:sync -source:appPoolConfig=MyMagicPool -dest:appPoolConfig=MyMagicPool,computername=destinationMachineName

    This will make an exact copy.  Now, to change the identity on the destination side, you have to add the following replace rules to the command line above.

    -replace:objectName=processModel,targetAttributeName=userName,replace=NewUserName

    -replace:objectName=processModel,targetAttributeName=password,replace=NewPassword

    Doing replace rules is complicated, but it can usually accomplish what you seek, as in this case.

    Hope that helps

  • 09-01-2009, 12:32 PM In reply to

    Re: Set Application Pool Identity

    Doh, forgot to ask: are you talking about IIS 6 or IIS 7?

    The rules above would work on IIS 7.  Let me know if you are doing this on IIS 6, as the command is different (since IIS 6 uses a metabase-style schema).

  • 09-01-2009, 2:54 PM In reply to

    • Jeff B.

    Re: Set Application Pool Identity

    Thanks for the response!  I'm using IIS 7.

    One other question... does this have to be applied to the command line or can the settings be included in a parameters (or other) file?

    --- Thanks, Jeff

  • 09-02-2009, 2:57 PM In reply to

    • Jeff B.

    Re: Set Application Pool Identity

    Hello,

    I just wanted to follow up with this and let you know that I tried this out with mixed results.  Although I can see the service account change when I refresh the app pools (after syncing with the above switches), the app pool keeps shutting down with the following events being logged:

    • The identity of application pool MyWebApp is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

    • Application pool MyWebApp has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

    • Application pool MyWebApp has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.

    I am running the command against IIS 7 so I'm not sure why this is failing.  I did notice that in the applicationHost.config file the encrypted password is different when I update via MSDeploy (using the above replace rules) than if I update it using the IIS MMC console.  I'm specifying the same account/password both ways, they just don't match up in the config file.

    Any ideas?

      --- Thanks, Jeff

  • 09-03-2009, 8:13 AM In reply to

    • Jeff B.

    Re: Set Application Pool Identity

    Ok, through further research I finally figured this one out...  As I stated in my previous post, the encrypted passwords didn't match across systems (in the applicationHost.config file).  This is because each server has a unique encryption key for IIS.  Since I was calling MSDeploy.exe on a different machine, the local encryption key was being used.

    There are two ways to resolve this problem that I know of (there may be others):

    1. Run the MSDeploy.exe command locally on the machine being updated.  This will use the correct encryption key.
    2. Synchronize the encryption keys across all IIS servers.  See this post for more details.

    In my case, I believe I'll go with option one as it is the easiest to implement (at least in our environment).  I may make use of PsExec to run the script on the remote machine so I don't have to physically log on to the server.
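
One way to script option 1 from the last post, as an added example that is not from the thread's participants: run on the destination server, it applies the replace rules from the earlier reply and then checks that WAS accepted the new identity. The source host name and the msdeploy.exe path are placeholders to adjust.

```powershell
# Added example, not from the thread. Run ON THE DESTINATION server so the
# password is encrypted with that server's IIS key (option 1 in the last post).
param(
    [string]$PoolName      = 'MyMagicPool',        # pool name used in the thread
    [string]$SourceMachine = 'sourceMachineName',  # placeholder host name
    # Assumed install path; adjust to the Web Deploy version on this server.
    [string]$MsDeploy = "$env:ProgramFiles\IIS\Microsoft Web Deploy\msdeploy.exe"
)

Import-Module WebAdministration
$started = Get-Date

# Prompt for the new identity rather than storing it in the script. The
# password is still visible in msdeploy's process arguments while it runs.
$cred = Get-Credential -Message "New identity for application pool $PoolName"

$msdeployArgs = @(
    '-verb:sync'
    "-source:appPoolConfig=$PoolName,computerName=$SourceMachine"
    "-dest:appPoolConfig=$PoolName"   # no computerName: the write happens locally
    "-replace:objectName=processModel,targetAttributeName=userName,replace=$($cred.UserName)"
    "-replace:objectName=processModel,targetAttributeName=password,replace=$($cred.GetNetworkCredential().Password)"
)
& $MsDeploy @msdeployArgs
if ($LASTEXITCODE -ne 0) { throw "msdeploy exited with code $LASTEXITCODE" }

# 1. The stored identity must be a specific user matching what was entered.
$pm = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
if ($pm.identityType -ne 'SpecificUser' -or $pm.userName -ne $cred.UserName) {
    throw "Unexpected pool identity: $($pm.identityType) / $($pm.userName)"
}

# 2. WAS reports an invalid identity in the System log and only disables the
#    pool on its first request, so check the events, not just the pool state.
if ((Get-WebAppPoolState -Name $PoolName).Value -ne 'Started') {
    Start-WebAppPool -Name $PoolName
}
Start-Sleep -Seconds 5
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS'; StartTime = $started }
$bad = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($PoolName) -and $_.Message -match 'identity' }

if ($bad) {
    $bad | Format-List TimeCreated, Id, Message
    throw "WAS rejected the identity of $PoolName"
}
"Pool $PoolName is $((Get-WebAppPoolState -Name $PoolName).Value) as $($pm.userName)"
```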
