My web application is hosted on IIS7.5. There are some .exe 's with which the web application interacts. I get an access denied error while accessing the .exe. This web application runs under an
Application Pool created in Integrated mode which uses my credentials as its
Identity (I am an administrator on the system). When I enable ASP.NET impersonation feature on the IIS for my web application, this access denied problem is eliminated. But, I feel this is a work around rather than a solution to the inherent problem.
My assumption is that when the Application Pool runs under my Identity, then why should there be a need to enable Impersonation on the same Identity again. The IIS worker processes must be already using the Application Pool's Identity anyway. I'm not well
acquainted with IIS.
This web application runs under an Application Pool created in Integrated mode which uses my credentials as its
Identity (I am an administrator on the system)
You will win the "hugest security hole" award for the year with that...
This message is provided "AS IS" with no warranties, and confers no rights!
Please 'Mark as Answer' if this post helps you.
Fabrice ZERROUKI
This web application runs under an Application Pool created in Integrated mode which uses my credentials as its
Identity (I am an administrator on the system)
You will win the "hugest security hole" award for the year with that...
I know thats not right. But, this is only on the test system. Also, I may add to my original post that I'm not well acquainted with IIS.
I'm sure of it, but the purpose of an "ante production" environnement is to test as it will be once in a production environnement. It has no purpose to compare different things.
Have a look on ASP.NET Impersonation documentation: [url=http://msdn.microsoft.com/en-us/library/xh507fc5.aspx]http://msdn.microsoft.com/en-us/library/xh507fc5.aspx[/url]
This message is provided "AS IS" with no warranties, and confers no rights!
Please 'Mark as Answer' if this post helps you.
Fabrice ZERROUKI
Thanks for that link on Impersonation. But that doesn't solve the problem. I do not want to compare Impersonation Identity and AppPool Identity. My aim is to find the right way to fix my problem and I believe this forum is the right place to get it. But
still, if you could point me to some comparisons, it would be a step in the right direction.
hich uses my credentials as its Identity (I am an administrator on the system).
When you create an appliation pool, you may need to set the application pool identity. There are two types of application pool identity Build-in account and custom account. As you description above, I guess you used the custom account and set the local administrator
account for it. To validate this you can copy these source code below to determine what identity is used.
If the the source code above retrieve the name is "yourcomputename\administrator", surely your application pool identity is the administrator account and there should be no permission problem for accessing .exe file.
You said you are an administrator on the system, but if you didn't set the custom account with administrator accoun as I guessed before, you there should be permission problem. At this case, you can enable the ASP.NET Impersonation.
Anyway, I suggest you to utilize the souce code below to determine what identity has been used, if disable the asp.net impersonation, the identity should be your application pool identity, instead, the identity should be default loged on windows account.
Thanks for the links and a good, descriptive response.
I am getting the output of GetCurrent().Name as "domain\MyUserName". Also, the same user is the logged in user and an administrator.
mamba dai - msft
Anyway, I suggest you to utilize the souce code below to determine what identity has been used, if disable the asp.net impersonation, the identity should be your application pool identity, instead, the identity should be default loged on windows account.
What should be the identity when ASP.NET Impersonation is disabled?
Okay. Thanks for that answer. Now, my website uses an AppPool created in Integrated mode which uses an Administrator account as its Identity. Then, I get following error. System.Runtime.Remoting.RemotingException: Failed to connect to an IPC Port: Access
is denied.
System.Runtime.Remoting.RemotingException: Failed to connect to an IPC Port: Access is denied.
Seem you were connecting remote server, the admin account may be your application pool identity on you web server, not remote server. You need to check whether this admin account has access permission to remote server. Or maybe you need to check whether
firewall block the connection.
Please mark the replies as answers if they help or unmark if not.
Feedback to us
kshitij.verm...
6 Posts
AppPool Identity and ASP.NET Impersonation Identity
Apr 27, 2012 12:47 PM|LINK
My web application is hosted on IIS7.5. There are some .exe 's with which the web application interacts. I get an access denied error while accessing the .exe. This web application runs under an Application Pool created in Integrated mode which uses my credentials as its Identity (I am an administrator on the system). When I enable ASP.NET impersonation feature on the IIS for my web application, this access denied problem is eliminated. But, I feel this is a work around rather than a solution to the inherent problem. My assumption is that when the Application Pool runs under my Identity, then why should there be a need to enable Impersonation on the same Identity again. The IIS worker processes must be already using the Application Pool's Identity anyway. I'm not well acquainted with IIS.
fab777
922 Posts
Re: AppPool Identity and ASP.NET Impersonation Identity
Apr 27, 2012 12:49 PM|LINK
Please 'Mark as Answer' if this post helps you.
Fabrice ZERROUKI
kshitij.verm...
6 Posts
Re: AppPool Identity and ASP.NET Impersonation Identity
Apr 27, 2012 01:01 PM|LINK
fab777
922 Posts
Re: AppPool Identity and ASP.NET Impersonation Identity
Apr 27, 2012 01:34 PM|LINK
I'm sure of it, but the purpose of an "ante production" environnement is to test as it will be once in a production environnement. It has no purpose to compare different things.
Have a look on ASP.NET Impersonation documentation: [url=http://msdn.microsoft.com/en-us/library/xh507fc5.aspx]http://msdn.microsoft.com/en-us/library/xh507fc5.aspx[/url]
Please 'Mark as Answer' if this post helps you.
Fabrice ZERROUKI
kshitij.verm...
6 Posts
Re: AppPool Identity and ASP.NET Impersonation Identity
Apr 30, 2012 01:23 PM|LINK
Thanks for that link on Impersonation. But that doesn't solve the problem. I do not want to compare Impersonation Identity and AppPool Identity. My aim is to find the right way to fix my problem and I believe this forum is the right place to get it. But still, if you could point me to some comparisons, it would be a step in the right direction.
Mamba Dai - ...
651 Posts
Microsoft
Re: AppPool Identity and ASP.NET Impersonation Identity
May 03, 2012 10:13 AM|LINK
Hi,
When you create an appliation pool, you may need to set the application pool identity. There are two types of application pool identity Build-in account and custom account. As you description above, I guess you used the custom account and set the local administrator account for it. To validate this you can copy these source code below to determine what identity is used.
System.Security.Principal.WindowsIdentity.GetCurrent().Name
If the the source code above retrieve the name is "yourcomputename\administrator", surely your application pool identity is the administrator account and there should be no permission problem for accessing .exe file.
You said you are an administrator on the system, but if you didn't set the custom account with administrator accoun as I guessed before, you there should be permission problem. At this case, you can enable the ASP.NET Impersonation.
Anyway, I suggest you to utilize the souce code below to determine what identity has been used, if disable the asp.net impersonation, the identity should be your application pool identity, instead, the identity should be default loged on windows account.
System.Security.Principal.WindowsIdentity.GetCurrent().Name
Some relative article may help you to understand further:
http://learn.iis.net/page.aspx/624/application-pool-identities/
http://learn.iis.net/page.aspx/583/secure-content-in-iis-through-file-system-acls/
http://msdn.microsoft.com/en-us/library/xh507fc5(v=vs.100).aspx
Feedback to us
Develop and promote your apps in Windows Store
kshitij.verm...
6 Posts
Re: AppPool Identity and ASP.NET Impersonation Identity
May 07, 2012 12:03 PM|LINK
Thanks for the links and a good, descriptive response.
What should be the identity when ASP.NET Impersonation is disabled?I am getting the output of GetCurrent().Name as "domain\MyUserName". Also, the same user is the logged in user and an administrator.
fab777
922 Posts
Re: AppPool Identity and ASP.NET Impersonation Identity
May 09, 2012 07:49 AM|LINK
Please 'Mark as Answer' if this post helps you.
Fabrice ZERROUKI
kshitij.verm...
6 Posts
Re: AppPool Identity and ASP.NET Impersonation Identity
May 10, 2012 01:41 PM|LINK
Okay. Thanks for that answer. Now, my website uses an AppPool created in Integrated mode which uses an Administrator account as its Identity. Then, I get following error. System.Runtime.Remoting.RemotingException: Failed to connect to an IPC Port: Access is denied.
Mamba Dai - ...
651 Posts
Microsoft
Re: AppPool Identity and ASP.NET Impersonation Identity
May 11, 2012 05:45 AM|LINK
Hi,
Seem you were connecting remote server, the admin account may be your application pool identity on you web server, not remote server. You need to check whether this admin account has access permission to remote server. Or maybe you need to check whether firewall block the connection.
Feedback to us
Develop and promote your apps in Windows Store