DNN Blog
Posted by:
cathal connolly
Saturday, November 28, 2009 2:40:00 PM
Windows 7 and Windows 2008 R2 both run IIS 7.5. Whilst this version is similar to previous versions, the default identity used for the ASP.NET user has changed, which matters if you wish to use it to host a DotNetNuke instance.
Why the changed account?
The reason for this is that a website running in one application pool under a given identity (e.g. “NetworkService”) could use filesystem objects to read files from another site running in a different app pool that also uses “NetworkService”. This meant that to get true app-pool isolation, admins had to create multiple users (and ACL them accordingly).
In IIS 7.5 (the version in Win7), the “ApplicationPoolIdentity” adds an additional SID per app pool (and injects the name of the pool into it). This protects against the cross-pool weakness and allows servers to run multiple app pools all with the same user (it also usefully injects the name of the process alongside w3wp.exe).
If you’re interested, there are more details on this at http://blogs.iis.net/webtopics/archive/2009/03/13/changes-to-application-pool-identities-in-iis-7-5-beta.aspx and http://learn.iis.net/page.aspx/624/application-pool-identities/
However, the main point of this blog is to show you how to use this new account, as setting its permissions is not exactly intuitive.
New account for asp.net
Instead of using the “NetworkService” account that was used in IIS6/7, the default account is called “ApplicationPoolIdentity”, so this is the account that needs the usual permissions on the website. This account is not a "real" user account, though. To add permissions for it on your website, you will need to open up Windows Explorer and do the following:
- Right click the website folder and select "Properties"
- Select the "Security" tab
- Click the "Edit" and then "Add" button
- Click the "Locations" button and make sure you select your machine.
- Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box.
- Click the "Check Names" button and click "OK".
- You can now select the necessary permissions (typically, granting read, write and modify permissions for the folder and all subfolders is the easiest option)
Note: Alternatively, you may change your application pool back to "NetworkService" (or any other account), but you will lose the cross-app pool isolation feature.
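The same grant can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original post; the folder path is an assumed value, and it relies on the IIS WebAdministration module being installed.

```powershell
# Added example (not from the original post).
# $sitePath and $poolName are assumed values; change them to match your install.
Import-Module WebAdministration

$sitePath = 'C:\inetpub\wwwroot\DotNetNuke'   # assumption: your DotNetNuke folder
$poolName = 'DefaultAppPool'                  # the pool the site runs under
$account  = "IIS AppPool\$poolName"           # virtual account, one per pool

# 1. Confirm the pool really runs as ApplicationPoolIdentity before ACLing for it.
$idType = (Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel).identityType
if ($idType -ne 'ApplicationPoolIdentity') {
    throw "Pool '$poolName' runs as $idType; grant rights to that account instead."
}

# 2. Grant Modify on the folder, inherited by subfolders (ContainerInherit)
#    and files (ObjectInherit). This fails if the account name does not resolve.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $sitePath
$acl.AddAccessRule($rule)
Set-Acl -Path $sitePath -AclObject $acl

# 3. Review the result. Besides the new entry, list any rights held by principals
#    that every app pool shares: write access for those lets other pools reach
#    this site's files and undoes the per-pool isolation.
$shared = 'NT AUTHORITY\NETWORK SERVICE', 'BUILTIN\IIS_IUSRS', 'BUILTIN\Users', 'Everyone'
(Get-Acl -Path $sitePath).Access |
    Where-Object { $_.IdentityReference.Value -eq $account -or
                   $shared -contains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

For a site in another pool, set `$poolName` to that pool's name so the grant goes to its own `IIS AppPool\<name>` account.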
16 comment(s) so far...
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
Bookmarked! Thanks Cathal.
By BarryS on
Saturday, November 28, 2009 6:53:32 PM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
Thanks Cathal! I was already wondering what was going on. I am testing my site (not production yet) on 2008 R2 with SQL 2008. It will go into production end 2009.
By Mariette Knap on
Saturday, November 28, 2009 6:53:41 PM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
I am assuming if you had multiple AppPools (ex: DNNSites1, DNNSites2, etc.) the name of the user name would change according to the AppPool name that the site is running under, correct?
IIS AppPool\DNNSites1
IIS AppPool\DNNSites2
By Shawn Mehaffie on
Friday, December 04, 2009 10:31:30 PM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
@Shawn - yes, the name "DNNSites1" will show as the username in the task manager.
By cathal connolly on
Friday, December 04, 2009 10:32:18 PM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
One final question, I tried running a site under the ApplicationPoolIdentity and I get the following error. The site runs fine under the NetworkService Account.
System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission
By Shawn Mehaffie on
Saturday, December 05, 2009 12:40:41 AM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
I followed this article today as I wanted to get away from Network Service permissions in Win7. I noticed that if you are using SQL Express (i.e. the file under the App_Data folder) you may lose your connection.
In order to restore it you go to your website application pool within IIS and do as Ries says in the previous comment: Right click the application Pool/Advanced Settings/ and set LoadUserProfile = True.
If you are using SQL Server you might just want to assign ApplicationPoolID the appropriate permissions.
Great article Cathal - thank you.
By Alex Shirley on
Monday, December 14, 2009 11:01:22 PM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
Is there a step by step guide to installing DNN on Windows 2008 IIS 7? I can't seem to find one.
Thanks
By doghouse1974 on
Friday, May 21, 2010 5:02:17 PM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
@doghouse1974, no, there's no separate IIS7 instructions - it's a standard install, just make sure you use the appropriate users. The documentation/readme.txt file has some simple instructions - alternatively consider using the Microsoft web platform installer.
By cathal connolly on
Friday, May 21, 2010 5:04:09 PM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
I'm running Win7-64 and IIS7.5, whereas my host is running WinServ2003 and IIS6.0.
Could this have an effect on my initial settings to get DNN installed?
By Anthony Petersen on
Thursday, July 01, 2010 12:40:55 AM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
@anthony, no, it should have no effect.
By cathal connolly on
Thursday, July 01, 2010 12:41:43 AM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
My server is Windows 2008 R2 and I do not have a IS AppPool\DefaultAppPool user? I am a long time user of DNN and need to set up a new company. Please advise... I get the following: Security Exception Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
By Rob Adams on
Wednesday, December 15, 2010 3:28:34 PM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
@Rob it's IIS AppPool\DefaultAppPool, not IS AppPool.... Also, you need to enter it manually as it's a virtual account. Finally, if you're having problems then just switch the application pool to NetworkService as suggested.
By cathal connolly on
Saturday, December 11, 2010 10:57:59 PM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
Hi. When I Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box and Click the "Check Names" button I see: DefaultAppPool
Is it right? Thanks
By grenzo grenzo on
Friday, January 28, 2011 6:44:59 PM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
@grenzo, yes that's correct - see learn.iis.net/page.aspx/624/application-pool-identities/
By cathal connolly on
Friday, January 28, 2011 6:45:46 PM
|
Re: Windows 7 /Windows 2008 R2 cross application pool isolation
Great article. Thank you for publishing. Regards
By F S on
Saturday, October 01, 2011 5:06:32 PM
|