locked
Debugging asp.net application on local IIS server without admin privileges RRS feed

  • Question

  • We have a .net department developing websites and applications for IIS servers. Currently, debugging is done by each developer on a local IIS server, using VS2010/VS2012.

    Attaching the VS debugger to w3wp process requires local administrator rights. For obvious reasons, we do not want our developers to hold admin privileges. We have considered the following solutions: 


    1. Running the website on IIS express. this does not help us, since we need to be sure rolling updates will behave on client's server the exact same way they behave on the developer computer 

    2. Running IIS and the IIS manager under user privileges instead of as a system service. I could not find a way to do it, in a way that allows users to manage the websites and applications 

    3. Giving developers debug permissions. I'm aware of the risks, but willing to take them. Giving developers local "Debug programs" policy should let them attach VS debugger to system process, However I get "Visual Studio has insufficient privileges to inspect the process's identity" even with "Debug programs" allowed and the user in the local IIS_IUSERS. I can, however, attach to w3wp process with windbg.



    The question: 
    1. What are the minimum privileges needed for VS2010 to be able to attach to w3wp.exe? 
    2. what are the minimum privileges a user needs to be able to manage local IIS? 
    3. Is there another way to debug the asp.net app WITHOUT changing our whole DevOps workflow?

    Thank you all

    Tuesday, May 3, 2016 1:52 PM

Answers