Change application identity in IIS

  • Question

  • User-1165400470 posted

    Hi

    Is there a way to change the identities of all applications that begin with 'MSExchange' to LocalSystem within the IIS application pool?

    Thanks

    Regards

    Thursday, August 17, 2017 6:33 AM

All replies

  • User1632528892 posted

    Hi,

    It is possible to do this, but I would question *why* you want to do so, since it goes against Microsoft best practice recommendations for IIS application pools:

    https://msdn.microsoft.com/en-us/library/dd163542.aspx

    • Do not use highly privileged or administrative identities for IIS application pools. Never use LocalSystem, Administrator, or any other highly privileged account as an application pool identity. Just say no!

    Regards,

    Thursday, August 17, 2017 7:56 AM
  • User-460007017 posted

    Hi yahya01,

    It is not difficult to change the application pool identity for a specific user with the command:

    $pool.processModel.identityType = "NetworkService"

    It is also not difficult to change the identity for all application pools, but I'm not sure how to change the application pools for the applications beginning with "msexchange". It seems you need to invoke a regex in PowerShell.

    Best Regards,

    Yuk Ding

    Thursday, August 17, 2017 8:36 AM
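    The regex-based bulk change mentioned above, written out as an added example (this is not code from any poster in the thread). It assumes the WebAdministration module and its IIS:\ provider on the IIS host and an elevated PowerShell session; the function name and the '^MSExchange' pattern are illustrative. It audits each matching pool, defaults to the least-privileged built-in identity, and supports -WhatIf so the change can be previewed before anything is modified.

```powershell
# Added example (not from the thread): audit and optionally change the identity of
# every IIS application pool whose name matches a regex. Assumes the WebAdministration
# module (IIS:\ provider) on the IIS host; run from an elevated PowerShell session.
Import-Module WebAdministration

function Set-MatchingAppPoolIdentity {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Regex applied to the pool name, e.g. '^MSExchange' for the Exchange pools.
        [Parameter(Mandatory)] [string] $NamePattern,

        # Target identity. The default is the least-privileged built-in choice;
        # LocalSystem is accepted but should be a deliberate, documented decision.
        [ValidateSet('ApplicationPoolIdentity', 'NetworkService', 'LocalService', 'LocalSystem')]
        [string] $Identity = 'ApplicationPoolIdentity'
    )

    $pools = Get-ChildItem IIS:\AppPools | Where-Object { $_.name -match $NamePattern }
    if (-not $pools) {
        Write-Warning "No application pools match '$NamePattern'."
        return
    }

    foreach ($pool in $pools) {
        $current = $pool.processModel.identityType
        $path    = "IIS:\AppPools\$($pool.name)"

        if ($current -eq $Identity) {
            Write-Verbose "$($pool.name): already $Identity, skipping."
            continue
        }

        # -WhatIf / -Confirm are handled by SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess($pool.name, "Change identity $current -> $Identity")) {
            Set-ItemProperty -Path $path -Name processModel.identityType -Value $Identity
            # Re-read the pool so the reported value is what IIS actually stored.
            [pscustomobject]@{
                Pool     = $pool.name
                Previous = $current
                Current  = (Get-Item $path).processModel.identityType
            }
        }
    }
}

# Preview only: report what would change for the Exchange pools without touching IIS.
Set-MatchingAppPoolIdentity -NamePattern '^MSExchange' -Identity NetworkService -WhatIf
```

    Remove -WhatIf to apply the change; the function emits one object per pool it changed, so the before/after identities can be logged for review.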
  • User-1165400470 posted

    Hi Paul

    I have this issue on an Exchange 2016 box. When Exchange 2016 was installed, all its applications had the LocalSystem identity by default. When I manually changed them to ApplicationPoolIdentity as per BPA, I started to get the error below. I now want to experiment with identities and need an easy way to change them in bulk.

    Thanks

    Regards

    Access is denied.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.ServiceModel.Security.SecurityAccessDeniedException: Access is denied.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [SecurityAccessDeniedException: Access is denied.]
       System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +14866466
       System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +1321
       Microsoft.Exchange.Data.Directory.TopologyDiscovery.ITopologyClient.GetServersForRole(String partitionFqdn, List`1 currentlyUsedServers, ADServerRole role, Int32 serversRequested, Boolean forestWideAffinityRequested) +0
       Microsoft.Exchange.Data.Directory.<>c__DisplayClass13.<InternalServiceProviderGetServersForRole>b__12(IPooledServiceProxy`1 proxy) +143
       Microsoft.Exchange.Net.ServiceProxyPool`1.TryCallServiceWithRetry(Action`1 action, String debugMessage, WCFConnectionStateTuple proxyToUse, Int32 numberOfRetries, Boolean doNotReturnProxyOnSuccess, Exception& exception) +325

    [ADTopologyUnexpectedException: Unexpected error when calling the Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)'. Error details: Access is denied..]
       Microsoft.Exchange.Data.Directory.ServiceTopologyProvider.GetConfigDCInfo(String partitionFqdn, Boolean throwOnFailure) +498
       Microsoft.Exchange.Data.Directory.TopologyProvider.PopulateConfigNamingContexts(String partitionFqdn) +55
       Microsoft.Exchange.Data.Directory.TopologyProvider.GetConfigurationNamingContext(String partitionFqdn) +61
       Microsoft.Exchange.Data.Directory.ADDataSession.GetNamingContext(ADNamingContext adNamingContext) +444
       Microsoft.Exchange.Data.Directory.ADDataSession.GetConnection(String preferredServer, Boolean isWriteOperation, String optionalBaseDN, ADObjectId& rootId, ADScope scope) +222
       Microsoft.Exchange.Data.Directory.ADDataSession.InternalFind(ADObjectId rootId, String optionalBaseDN, ADObjectId readId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, Boolean includeDeletedObjects) +3182
       Microsoft.Exchange.Data.Directory.ADDataSession.Find(ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, Boolean includeDeletedObjects) +132
       Microsoft.Exchange.Data.Directory.ADDataSession.Find(ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, String callerFilePath, Int32 callerFileLine, String memberName) +329
       Microsoft.Exchange.Data.Directory.SystemConfiguration.ADTopologyConfigurationSession.FindServerByFqdn(String serverFqdn) +285
       Microsoft.Exchange.Data.Directory.SystemConfiguration.ADTopologyConfigurationSession.ReadLocalServer() +161
       Microsoft.Exchange.Data.Directory.SystemConfiguration.Server.GetLocalServerClientAccessArray() +113
       Microsoft.Exchange.ExchangeSystem.LazyMember`1.GetLazyMemberInternal() +110
       Microsoft.Exchange.HttpProxy.Common.PerfCounters.UpdateHttpProxyPerArrayCounters() +26
       Microsoft.Exchange.HttpProxy.ProxyApplication.Application_Start(Object sender, EventArgs e) +247

    [HttpException (0x80004005): Unexpected error when calling the Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)'. Error details: Access is denied..]
       System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode(HttpContext context, HttpApplication app) +529
       System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +169
       System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +169
       System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +396
       System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +333

    [HttpException (0x80004005): Unexpected error when calling the Microsoft Exchange Active Directory Topology service on server 'TopologyClientTcpEndpoint (localhost)'. Error details: Access is denied..]
       System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +525
       System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +124
       System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +700

    Thursday, August 17, 2017 1:38 PM
  • User-460007017 posted

    Hi yahya01,

    It is because the application pool identity IIS AppPool\<apppool name> doesn't have enough NTFS permission to access a specific file or folder. You could use Process Monitor to monitor the permission issue in w3wp.exe.

    https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

    In addition, it is not recommended to use LocalSystem as the application pool identity; it carries the risk of being hacked, since LocalSystem has very high permissions on the local machine. It also doesn't follow the principle of least privilege.

    Best Regards,

    Yuk Ding

    Friday, August 18, 2017 6:42 AM
  • User1632528892 posted

    yahya01

    > When I manually changed them to ApplicationPoolIdentity as per BPA

    Do you have a reference for this? I'm not familiar with Exchange, I'm afraid, and what I'm seeing online is that using LocalSystem as the app pool identity is (or was) how Exchange was supposed to be configured. Is this still the case for Exchange 2016?

    Regards,

    Friday, August 18, 2017 12:41 PM
  • User-1165400470 posted

    Hi Paul

    When I install Exchange from scratch, it is like this:

    https://www.dropbox.com/s/9kbg9een8zxhrlv/Exchange3.png?dl=0

    But then BPA complains a lot:

    https://www.dropbox.com/s/h3vbjp2omiidncb/BPA.png?dl=0

    Thanks

    Regards

    Saturday, August 19, 2017 12:54 AM
  • User-460007017 posted

    Hi yahya01,

    Using NetworkService for the application pool should not have any issue; maybe you could just ignore these complaints. If you want to fix this issue, change the application pool back to ApplicationPoolIdentity and use Process Monitor to help you grant the correct permissions.

    Best Regards,

    Yuk Ding

    Tuesday, August 22, 2017 6:49 AM