Change application identity in IIS

Question
-
User-1165400470 posted
Hi
Is there a way to change the identities of all applications that begin with 'MSExchange' to LocalSystem within the IIS application pools?
Thanks
Regards
Thursday, August 17, 2017 6:33 AM
All replies
-
User1632528892 posted
Hi,
It is possible to do this but I would question *why* you want to do so since it goes against Microsoft best practice recommendations for IIS application pools :
https://msdn.microsoft.com/en-us/library/dd163542.aspx
- Do not use highly privileged or administrative identities for IIS application pools. Never use LocalSystem, Administrator, or any other highly privileged account as an application pool identity. Just say no!
Regards,
Thursday, August 17, 2017 7:56 AM -
User-460007017 posted
Hi yahya01,
It is not difficult to change the application pool identity for a specific pool with the command:
$pool = Get-Item "IIS:\AppPools\DefaultAppPool"   # assumes the WebAdministration module; replace the pool name
$pool.processModel.identityType = "NetworkService"; $pool | Set-Item
It is also not difficult to change the identity for all application pools, but I'm not sure how to change the application pool for only the applications beginning with "msexchange". It seems you need to use a regex in PowerShell.
Best Regards,
Yuk Ding
Thursday, August 17, 2017 8:36 AM -
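As an added example (not code from the thread or from Microsoft), the script below does the bulk operation the question asks about in PowerShell with the WebAdministration module: it selects application pools whose name matches a regex (the question's 'MSExchange' prefix by default), reports each pool's current identity, flags LocalSystem as highly privileged, and only changes an identity when one is passed explicitly. It goes a little beyond the thread by making both the pattern and the target identity parameters and by honouring -WhatIf; an elevated prompt on the IIS server is assumed.

```powershell
# Added example, not part of the original thread. Assumes the WebAdministration
# module (IIS 7.5+ / PowerShell 3+) and an elevated prompt on the IIS/Exchange server.
# Default run is audit-only; pass -NewIdentity to change pools, -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$NamePattern = '^MSExchange',   # regex on the pool name, per the question
    [ValidateSet('LocalSystem', 'LocalService', 'NetworkService',
                 'ApplicationPoolIdentity', 'SpecificUser')]
    [string]$NewIdentity                    # omit to only report current identities
)

Import-Module WebAdministration -ErrorAction Stop

$pools = Get-ChildItem IIS:\AppPools | Where-Object { $_.Name -match $NamePattern }
if (-not $pools) {
    Write-Warning "No application pools match '$NamePattern'"
    return
}

foreach ($pool in $pools) {
    $current = $pool.processModel.identityType
    # Flag the identity the thread (and Microsoft's IIS guidance) says to avoid.
    $note = if ($current -eq 'LocalSystem') { '  <-- highly privileged' } else { '' }
    Write-Output ('{0,-40} {1}{2}' -f $pool.Name, $current, $note)

    if ($NewIdentity -and $current -ne $NewIdentity) {
        if ($PSCmdlet.ShouldProcess($pool.Name, "Change identity $current -> $NewIdentity")) {
            Set-ItemProperty "IIS:\AppPools\$($pool.Name)" `
                -Name processModel.identityType -Value $NewIdentity
            # Recycle so the running w3wp.exe picks up the new process token.
            Restart-WebAppPool -Name $pool.Name
        }
    }
}
```

Run it with no parameters first to see which pools would be touched; `-NewIdentity ApplicationPoolIdentity -WhatIf` then previews the change without applying it.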
User-1165400470 posted
Hi Paul
I have this issue on an Exchange 2016 box. When Exchange 2016 was installed, all its applications had the LocalSystem identity by default. When I manually changed them to ApplicationPoolIdentity as per BPA, I started to get the error below. I now want to experiment with identities and need an easy way to change them in bulk.
Thanks
Regards
Access is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.
Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityAccessDeniedException: Access is denied.]
   System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +14866466
   System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +1321
   Microsoft.Exchange.Data.Directory.TopologyDiscovery.ITopologyClient.GetServersForRole(String partitionFqdn, List`1 currentlyUsedServers, ADServerRole role, Int32 serversRequested, Boolean forestWideAffinityRequested) +0
   Microsoft.Exchange.Data.Directory.<>c__DisplayClass13.<InternalServiceProviderGetServersForRole>b__12(IPooledServiceProxy`1 proxy) +143
   Microsoft.Exchange.Net.ServiceProxyPool`1.TryCallServiceWithRetry(Action`1 action, String debugMessage, WCFConnectionStateTuple proxyToUse, Int32 numberOfRetries, Boolean doNotReturnProxyOnSuccess, Exception& exception) +325
[ADTopologyUnexpectedException: Unexpected error when calling the Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)'. Error details: Access is denied..]
   Microsoft.Exchange.Data.Directory.ServiceTopologyProvider.GetConfigDCInfo(String partitionFqdn, Boolean throwOnFailure) +498
   Microsoft.Exchange.Data.Directory.TopologyProvider.PopulateConfigNamingContexts(String partitionFqdn) +55
   Microsoft.Exchange.Data.Directory.TopologyProvider.GetConfigurationNamingContext(String partitionFqdn) +61
   Microsoft.Exchange.Data.Directory.ADDataSession.GetNamingContext(ADNamingContext adNamingContext) +444
   Microsoft.Exchange.Data.Directory.ADDataSession.GetConnection(String preferredServer, Boolean isWriteOperation, String optionalBaseDN, ADObjectId& rootId, ADScope scope) +222
   Microsoft.Exchange.Data.Directory.ADDataSession.InternalFind(ADObjectId rootId, String optionalBaseDN, ADObjectId readId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, Boolean includeDeletedObjects) +3182
   Microsoft.Exchange.Data.Directory.ADDataSession.Find(ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, Boolean includeDeletedObjects) +132
   Microsoft.Exchange.Data.Directory.ADDataSession.Find(ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, String callerFilePath, Int32 callerFileLine, String memberName) +329
   Microsoft.Exchange.Data.Directory.SystemConfiguration.ADTopologyConfigurationSession.FindServerByFqdn(String serverFqdn) +285
   Microsoft.Exchange.Data.Directory.SystemConfiguration.ADTopologyConfigurationSession.ReadLocalServer() +161
   Microsoft.Exchange.Data.Directory.SystemConfiguration.Server.GetLocalServerClientAccessArray() +113
   Microsoft.Exchange.ExchangeSystem.LazyMember`1.GetLazyMemberInternal() +110
   Microsoft.Exchange.HttpProxy.Common.PerfCounters.UpdateHttpProxyPerArrayCounters() +26
   Microsoft.Exchange.HttpProxy.ProxyApplication.Application_Start(Object sender, EventArgs e) +247
[HttpException (0x80004005): Unexpected error when calling the Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)'. Error details: Access is denied..]
   System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode(HttpContext context, HttpApplication app) +529
   System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +169
   System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +169
   System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +396
   System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +333
[HttpException (0x80004005): Unexpected error when calling the Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)'. Error details: Access is denied..]
   System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +525
   System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +124
   System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +700
Thursday, August 17, 2017 1:38 PM -
User-460007017 posted
Hi yahya01,
It is because the application pool identity (IIS AppPool\<apppool name>) doesn't have enough NTFS permissions to access the specific file or folder. You could use Process Monitor to watch for the permission issue in w3wp.exe.
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
In addition, it is not recommended to use LocalSystem as the application pool identity; it takes the risk of being hacked, since LocalSystem has really high permissions on the local machine. It also doesn't follow the Least Privilege principle.
Best Regards,
Yuk Ding
Friday, August 18, 2017 6:42 AM -
User1632528892 posted
yahya01
"When I manually changed them to ApplicationPoolIdentity as per BPA"
Do you have a reference for this? I'm not familiar with Exchange, I'm afraid, and what I'm seeing online is that using LocalSystem as the app pool identity is (or was) how Exchange was supposed to be configured. Is this still the case for Exchange 2016?
Regards,
Friday, August 18, 2017 12:41 PM -
User-1165400470 posted
Hi Paul
When I install Exchange from scratch it is like this:
https://www.dropbox.com/s/9kbg9een8zxhrlv/Exchange3.png?dl=0
But then BPA complains a lot:
https://www.dropbox.com/s/h3vbjp2omiidncb/BPA.png?dl=0
Thanks
Regards
Saturday, August 19, 2017 12:54 AM -
User-460007017 posted
Hi yahya01,
Using Network Service for the application pool should not cause any issue; maybe you could just ignore these complaints. If you want to fix this issue, change the application pool back to application pool and use Process Monitor to help you grant the correct permissions.
Best Regards,
Yuk Ding
Tuesday, August 22, 2017 6:49 AM