w3wp process running under custom local account

  • Question

  • User-1679654592 posted
    We have created a local machine account to run the application pool for a very simple ASP.NET application. The application sits at the root of a web site running on a non-standard port. We are using integrated security only, and the web.config authentication mode is correctly set to Windows. We have added the user to both the IIS_WPG and Users groups, and given the user the "Adjust memory quotas for a process" and "Replace a process level token" privileges, along with the appropriate framework and site directory permissions. The local machine account is configured correctly on the Identity tab. Everything *almost* works fine, with the exception of flaky authentication. The process can only sometimes authenticate the users to allow access to the entire page; other times it shows parts of the page (noting that IE page caching is off), and other times it disallows access altogether. During the latter two scenarios, the network credentials dialog is displayed. Pressing Cancel in the dialog sometimes improves the situation and provides access to the page (though some of the images can't be loaded). Are we missing something?
    Wednesday, September 1, 2004 6:50 AM

All replies

  • User989702501 posted
    Depending on the type of resource access, sometimes the app pool identity must be Local System. You might want to take a look at AuthDiag, which RTM'd a few days ago. http://www.microsoft.com/downloads/details.aspx?FamilyId=E90FE777-4A21-4066-BD22-B931F7572E9A&displaylang=en Good luck.
    Thursday, September 2, 2004 12:17 AM
  • User-1679654592 posted
    Thank you for your suggestion. I've installed AuthDiag, which informs me that a Service Principal Name has not been registered for the local machine account running the application pool. All the documentation I've read regarding Kerberos delegation refers to domain accounts, but not local machine accounts. If the ASPNET and NETWORK SERVICE accounts have the authority to validate user credentials, why doesn't another local machine account with the identical privileges? If an SPN is required for the local machine account, can setspn.exe be used to do so?
    Thursday, September 9, 2004 3:55 PM
  • User989702501 posted
    a) Is this a standalone box?
    b) Domain controller?
    c) I don't really get this part: 'why doesn't another local machine account with the identical privileges?' Are you saying the IIS box is reading resources via a UNC path on a remote machine? Kerberos and setspn relate to domain auth, not really to a standalone setup.
    d) Did you find anything weird in the IIS log? Event log?
    Thursday, September 9, 2004 11:06 PM
  • User-1679654592 posted
    a) Is this a standalone box? No, this server is a member of a domain.
    b) Domain controller? See (a).
    c) I don't really get this part: 'why doesn't another local machine account with the identical privileges?' Are you saying the IIS box is reading resources via a UNC path on a remote machine? Kerberos and setspn relate to domain auth, not really to a standalone setup. I'm pointing out that the ASPNET and NETWORK SERVICE accounts are local machine accounts, both members of IIS_WPG and Users, with a few extra directory and security privileges. I've established the identical set of roles and privileges for our new local machine account. The problem lies when the worker process (running as our new local machine account) attempts to authenticate the domain users with Kerberos.
    d) Did you find anything weird in the IIS log? Event log? No. All the relevant entries in the IIS logs and the Security log are expected, given the behavior.
    Monday, September 13, 2004 6:16 AM
  • User-1679654592 posted
    Maybe this will help clarify my question: If the ASPNET and NETWORK SERVICE accounts have the authority to validate user credentials, why doesn't another local machine account with the identical privileges [have the authority to validate user credentials]?
    Monday, September 13, 2004 6:19 AM
  • User989702501 posted
    I wish I knew which part is causing this, but it's not that straightforward. I would suggest you go through this KB article and make sure the 'custom' user has the same rights. Default permissions and user rights for IIS 6.0 http://support.microsoft.com/?id=812614
    Wednesday, September 15, 2004 7:26 AM
  • User-1679654592 posted
    Thanks for the link. We've already verified that our local account has all the correct permissions. We've added the local account to both the IIS_WPG and Users groups, and granted the additional appropriate privileges. The curious error that AuthDiag gives is:
    Service principal name (SPN) for user '[local machine account name]' not found in Active Directory Path:W3SVC/[site] AuthType:Kerberos
    even though all the documentation seems to state that SPNs are required for domain accounts only. Is it possible to create an SPN for a local machine account?
    Wednesday, September 15, 2004 7:36 AM
  • User989702501 posted
    I re-read all the previous postings. I don't know what that AuthDiag error message really means in your setup. My question now is: what resource are you trying to access? Is it a local disk or a UNC path?
    Sunday, September 19, 2004 10:12 PM
  • User-1679654592 posted
    We're not trying to access any resource (directly). We have a very simple web site, running in a separate app pool in IIS 6 configured to run as a custom local machine account (established on the Identity tab). Incoming users are not authenticated properly (and the results vary: users can occasionally see parts of the entry page while being prompted for credentials).
    Monday, September 20, 2004 6:06 AM
  • User989702501 posted
    OK, so some users are able to access without problem, while others are being prompted for login. I must be confused; I was focusing on the custom account rather than this.
    a) You are using integrated auth, but the machine doesn't have AD access?
    b) Are there any proxies/firewalls between the server and the client machine?
    c) If you switch to basic auth, do you see the problem?
    d) If you are occasionally prompted, I'm sure you will see 401.2 and 401.1 entries in the IIS log file.
    Monday, September 20, 2004 11:20 PM
  • User-1679654592 posted
    To answer your questions:
    a) The machine has AD access.
    b) Yes, but nothing blocks AD access (as the local NETWORK SERVICE and ASPNET accounts have been able to provide Kerberos authentication).
    c) We've honestly never tried, simply because basic authentication is not an option.
    d) Yes.
    Here's the problem: our DNS domain did not match our Windows domain. It was a pretty simple problem to resolve, but unfortunately it was not an easy one to track down! Thanks for your help.
    Tuesday, September 21, 2004 6:05 AM
  • User989702501 posted
    So it was DNS? Might you explain a bit more?
    Thursday, September 23, 2004 12:37 AM
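The thread turned on two checks that AuthDiag and setspn.exe were doing by hand in 2004: whether the machine's primary DNS suffix matches the DNS name of the Active Directory domain it belongs to, and which account actually holds the SPNs a client will ask the KDC for. The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes a domain-joined host, PowerShell 5.1 or later (which did not exist when the thread was written), setspn.exe on the PATH, and an app pool identity name of `.\webpool`, which is a placeholder you would replace with the name from the Identity tab.

```powershell
# Added example (not from the thread). Checks the two conditions this thread
# hinged on: DNS suffix vs. AD domain name, and where the HTTP SPNs live.
# Assumes: domain-joined host, PowerShell 5.1+, setspn.exe on PATH.
param(
    # App pool identity as shown on the Identity tab. ".\webpool" is a placeholder.
    [string]$PoolIdentity = ".\webpool"
)

# 1. Primary DNS suffix of this host vs. the DNS name of the AD domain it is joined to.
$ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$dnsSuffix = $ipProps.DomainName
$fqdn      = "$($ipProps.HostName).$dnsSuffix"

try {
    $adDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
} catch {
    Write-Warning "This host does not appear to be joined to an AD domain: $($_.Exception.Message)"
    return
}

Write-Host "Host FQDN (from DNS suffix) : $fqdn"
Write-Host "Primary DNS suffix          : $dnsSuffix"
Write-Host "AD domain (DNS name)        : $adDomain"

if ($dnsSuffix -ine $adDomain) {
    # This is the mismatch the original poster reported as the root cause.
    # A client builds its SPN from the DNS name it connected to (HTTP/$fqdn),
    # so that name must resolve to an SPN registered in the domain the host is joined to.
    Write-Warning "Primary DNS suffix '$dnsSuffix' does not match AD domain '$adDomain'."
} else {
    Write-Host "DNS suffix matches the AD domain."
}

# 2. Work out which AD object can hold SPNs for the worker process identity.
#    A local machine account has no object in AD, so nothing can be registered for it;
#    the built-in identities (NETWORK SERVICE, ASPNET on IIS 6) use the computer account.
$domainPart, $userPart = $PoolIdentity -split '\\', 2
$isLocal = ($domainPart -eq '.' -or $domainPart -ieq $env:COMPUTERNAME -or -not $userPart)

if ($isLocal) {
    $spnHolder = "$env:COMPUTERNAME`$"   # computer account, e.g. WEB01$
    Write-Host "'$PoolIdentity' is a local account; SPNs can only be held by the computer account $spnHolder."
} else {
    $spnHolder = $userPart
    Write-Host "'$PoolIdentity' is a domain account; listing SPNs registered for $spnHolder."
}

# List SPNs on the account we expect to hold them, then query the SPNs a client would ask for.
& setspn.exe -L $spnHolder
foreach ($spn in @("HTTP/$fqdn", "HTTP/$($ipProps.HostName)")) {
    Write-Host "Query: $spn"
    & setspn.exe -Q $spn
}
```

Run it elevated on the IIS host, passing `-PoolIdentity` as the account name shown on the Identity tab. If the suffix warning fires, fix the DNS suffix or the domain membership first; only then is the SPN listing meaningful, because `setspn -Q HTTP/<fqdn>` is queried under the name the client resolves, and that name has to sit in the domain the KDC serves.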