RELIABLE iterative search-and-update of password for service account used in IIS:\\SITESRSS

8 replies

Last post Sep 09, 2019 07:26 AM by Jalpa Panchal

  • RELIABLE iterative search-and-update of password for service account used in IIS:\\SITES

    Aug 23, 2019 08:03 AM|tmsatgmail|LINK

    Hi

    Has anybody out there found an effective and reliable solution that can refresh any instance of a service account's password and confirm successful update of ALL matching physical paths, virtual directory defaults etc.?

    Because I've been trying for days to build one that'll actually work properly, without any success.

    A behemoth of an application which I shan't name has configured a gazillion websites, app pools, virtual directories, COM+ objects, DCOM objects, Scheduled Tasks, and more to all use the same AD service account. This means that every time the service account's password is updated, every single instance of the password has to be updated manually - and it can take a DAY to do that.

    I have built an automation script that will hunt down affected scheduled tasks, COM+, DCOM and IIS:\AppPools processmodel entries, which works nicely.

    But the result from doing something similar inside IIS:\Sites is just too unreliable and inconsistent.

    For example, VirtualDirectoryDefaults.LogonMethod ALWAYS returns the correct value, even if VirtualDirectoryDefaults.UserName doesn't. I'm currently looking at four sites which resolutely tell me UserName is empty when I can see that service account is configured in the UI.

    Obviously, I can't release the automation script if it updates everything correctly EXCEPT the IIS virtual directory default credentials, physical path credentials etc. This is literally the only thing I cannot get working.

    Thanks in advance!

    Addendum:

    I have already forensically tested just about every permutation of the standard approaches that you can possibly think of - Get-WebVirtualDirectory with Set-WebConfigurationProperty, VirtualDirectoryDefaults logic is per standard code samples), These are the methods that I'm getting inconsistent results from.

    What I'm looking for is a wrapper function with some validation, i.e. it actually confirms that the username did match the search argument, the old password was different to the new password, the new password was saved successfully etc.

  • Re: RELIABLE iterative search-and-update of password for service account used in IIS:\\SITES

    Aug 26, 2019 06:44 AM|Jalpa Panchal|LINK

    Hi,

    In my opinion, there is no built-in script for setup identity. You need to write a script by your self.

    You could use below command to retrieve Password of an App Pool identity account:

    1)open a command prompt as administrator.

    2)Type the below command and press enter.
    appcmd.exe list apppool <<app_pool_name>> /text:*

    This will show some information related to the iis application pool including username and password.

    Refer below article for more information:

    https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/applicationpools/add/processmodel

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: RELIABLE iterative search-and-update of password for service account used in IIS:\\SITES

    Aug 28, 2019 08:20 AM|tmsatgmail|LINK

    Hi

    Thanks but as I said, I don't have problems with updating App Pool identities. The issue is with a routine that has to update credentials in other places as well e.g. where they've been assigned to virtual directories, sub-folders - I've tried every code snippet going, blogs, even "tried and tested" wrapper functions from elsewhere, but the results have been extremely inconsistent.

    For example, on some tests I can update the password at the top level of the site - but subfolders and other objects below it don't get updated.

    I have had no trouble writing scripts to cover other password updates. With DCOM, for example, I've used documented code samples with WMI to read values, and I use binaries based on code samples in the Windows SDK to perform the write actions. That isn't even the most complex of workflows.

    So I'm actually quite surprised that I'm forced to ask this question with IIS - if anything, a function that updates a credential "anywhere that it is configured in IIS e.g. within IIS sites, app pools and folders" ought to be (on paper) one of the simplest PowerShell functions to write. It's turning out to be the most difficult.

  • Re: RELIABLE iterative search-and-update of password for service account used in IIS:\\SITES

    Aug 28, 2019 09:17 AM|tmsatgmail|LINK

    A solution block here demonstrates (in part) what I need to do:

    https://stackoverflow.com/questions/25215354/how-to-set-connectas-user-in-iis-using-powershell

    The limitations are:

    1. There may be some sites, sub-sites, apps, FTP servers, virtual directories and subfolders where we MUSTN'T attempt to update credentials - so a "fire and forget" Set-WebConfigurationProperty needs to be extended with a sanity check. Only if the current USERNAME matches the username in our updated psCredential, should we call Set-WebConfigurationProperty.

    2. I'd need a lot more error handling. One of the issues I'm encountering on one test server is very similar to what's described here: https://social.technet.microsoft.com/Forums/office/en-US/c2200b26-ca8c-425f-9387-de301da57c57/iis-remoting-the-data-is-invalid?forum=winserverpowershell

  • Re: RELIABLE iterative search-and-update of password for service account used in IIS:\\SITES

    Aug 29, 2019 08:39 AM|Jalpa Panchal|LINK

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: RELIABLE iterative search-and-update of password for service account used in IIS:\\SITES

    Sep 04, 2019 10:22 AM|tmsatgmail|LINK

    Hi

    Thanks. I've used the StackOverflow code block for some testing. The issue I'm having is NOT with the credential write actions, as those work fine - it's with a preceding validation step.

    We have IIS containing different sites and viritual directories owned by different teams who use different credentials for the objects they manage. So I cannot use a function that will blind overwrite every stored instance of a ServiceAccount2 username and password with the ServiceAccount1 username and password unless we've told it to.

    Rough example: - if you take that code from StackOverflow and extend all three ForEach loops with a sanity check to READ the current username and check it matches a search argument. (obviously you need different commands to get the current username, inside each loop).

        If(($username -ieq $currentuserName) -or ($flagReplaceAnyway -eq $true))
        {
            Set-WebConfigurationProperty $fullPath -Name "username" -Value $username
            Set-WebConfigurationProperty $fullPath -Name "password" -Value $newpassword
        }
    

    If I set the flag, the function can overwrite EVERY username and password on EVERY object it finds, bypassing the username match check. I can see all the usernames inside the IIS management interface (when running the admin console under the same credentials we're using for the PowerShell script). So there should be no problem reading those usernames as well as overwriting them.

    But, when running the PowerShell script, sometimes I get the username, sometimes I don't - and when I don't get it, there is no error. So the IF condition fails, if the flag is not set - ( $currentuserName = "" ) or ( $currentuserName = $null ) do not match $currentuserName.

    That is the issue. I am using standard logic to read the username, and the standard logic only works some of the time. Perversely, I do not have this problem when using the same principle in IIS:\AppPools where this IF condition works EVERY TIME.

    If(($username -ieq $webapp.processModel.userName) -or ($flagReplaceAnyway -eq $true))

  • Re: RELIABLE iterative search-and-update of password for service account used in IIS:\\SITES

    Sep 06, 2019 02:53 PM|tmsatgmail|LINK

    Update - I can now reproduce the problem I'm having consistently.

    I created four objects inside IIS, in a blank website (root folder (E:\wwwroot_testing) - the objects are an application, two folders and a virtual directory.

    I then converted one of the folders off the website root into an app via the UI, and set the Physical Path Credentials on it (again via the IIS Manager UI) to a brand new account created just now, that is not used for anything else, anywhere else on the entire server. The ONLY place it is used is on this app in this site.

    In the UI, if I look at the Manage Application/Advanced Settings dialog, I can see very clearly that my test account IS configured on that app's physical path credentials:

    • Application Pool: My Test
    • Physical Path: E:\wwwroot_testing\Test4
    • Physical Path Credentials: .\MyTemporaryTestAccount
    1. Physical Path Credentials Logon: ClearText 
    2. Virtual Path: /Test4

    I've scanned every config file, expanded every property, played with Get-WebConfigurationProperty for days, I've even searched the Registry for anything that might vaguely link to it. Bupkis. The only place that I can find MyTemporaryTestAccount (or any other account configured on an object this way), is if I go manually into the IIS Manager console and navigate into that same dialog. Powershell can't find it at all. And yes, I have done IISRESET, recycled etc.

  • Re: RELIABLE iterative search-and-update of password for service account used in IIS:\\SITES

    Sep 09, 2019 07:24 AM|tmsatgmail|LINK

    Hi

    Update - I have found a workaround of sorts - create a Microsoft.Web.Administration.ServerManager object and use that to iterate through sites, applications and virtual directories. This lets me retrieve the .UserName and .password properties from ALL virtual directories, anywhere inside IIS.

    I used Get functions for site, app and virtual directory - the combined output from all three functions asserts that there are no credentials assigned to a virtual directory Test5,

    I pointed ServerManager at the same virtual directory, and with just two lines of code I can see its username and password.

    I used Set-WebConfigurationProperty to change the username and password to something else (using the fullpath returned by the Get-WebVirtualDirectory function which reports those credentials as empty.

    I then checked the credentials again via both methods.

    ServerManager confirms to me that the password has been changed successfully.

    Get-WebVirtualDirectory STILL tells me the credentials are empty.

    Go figure...

  • Re: RELIABLE iterative search-and-update of password for service account used in IIS:\\SITES

    Sep 09, 2019 07:26 AM|Jalpa Panchal|LINK

    I am glad that you solve your issue with your self.

    I request you to mark the helpful suggestion as an answer. This will help other people who face the same issue.

    Thank you for understanding.

    Regards,

    Jalpa.

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.