Localized "Network Service" account name problem RRS feed

  • Question

  • User-242205012 posted

    In a web setup project for my web service, I wrote a Custom Action to give my service's identity write permission on
    some folders.

    In OS's like Server2003, IIS runs my web application with "NT AUTHORITY\NETWORK SERVICE".

    The problem arise in non-english OS's, where "NETWORK SERVICE" become, for example "Servizio di Rete".

    With the constraint of NOT changing the default IIS identity used, how can I solve this problem?
    Any suggestions are welcome!


    Thursday, February 26, 2009 1:53 PM

All replies

  • User372121194 posted


    You can try to create new Application pool and new process identity for your website in Custom Action, since we cannot sure which identity is using in target machine.

    For more information, see How TO: Change Application Pool Identity Programmatically (http://blogs.msdn.com/akshayns/archive/2007/07/20/how-to-change-application-pool-identity-programmatically.aspx ) and Creating Application Pools Using System.DirectoryServices(<!----> http://msdn.microsoft.com/en-us/library/ms525598.aspx).


    I look forward to receiving your test results.

    Monday, March 2, 2009 4:32 AM
  • User-242205012 posted

     Thank you for your reply,

    at the moment end user server policies don't allow me to create new identities. Further, the setup have to work on IIS 5.1 too:  if I'm not wrong, pool application are not present (but one could use 'standard' user 'MachineName\ASPNET')


    Tuesday, March 3, 2009 3:20 AM
  • User372121194 posted


    Thanks for your response.

    Yes, if it is IIS 5.1, the account is ASPNET. If your end user changes these default account, I think you have to ask these accounts for end user while installing and then grant account permission on folder.

    You can add the access control list (ACL) entries to the file in custom action. For example, adds an ACL entry on the specified file for the specified account:

    public static void AddFileSecurity(string fileName, string account,
                FileSystemRights rights, AccessControlType controlType)

                // Get a FileSecurity object that represents the
                // current security settings.
                FileSecurity fSecurity = File.GetAccessControl(fileName);

                // Add the FileSystemAccessRule to the security settings.
                fSecurity.AddAccessRule(new FileSystemAccessRule(account,
                    rights, controlType));

                // Set the new access settings.
                File.SetAccessControl(fileName, fSecurity);

    For more information, see http://msdn.microsoft.com/en-us/library/system.io.file.setaccesscontrol.aspx


    I look forward to receiving your test results.

    Tuesday, March 3, 2009 4:11 AM
  • User-242205012 posted


    I think a better solution could be a new setup-property like [DEFAULTUSER], evaluated at setup-time with current IIS default user.

    In my test custom action the only working way to grant rights to accounts, is through "cacls.exe", via System.Diagnostic.Process. Using FileSecurity/FileSystemRights caused a corruption of the folder's ACL: I tryed many examlpes...

    Anyway, is there a way to browse the available accounts (included the infamous 'Netwok Service') to cerate an account-picker in the setup?

    thank you in advance


    Tuesday, March 3, 2009 5:33 AM