Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?



Superfreak3
01-10-2019, 11:15 AM
Hi all,

We have a web application which is working fine, but field techs are requesting a change. Our current Application Pool settings are attached. We want that to be assigned a specific user/pswd entered during the install. So, I don't envision anything changing there.

We currently set the same user on the Web Application and a Virtual Directory, but we would like to change those to ApplicationPoolIdentity. I don't see that option in the Application or Virtual Directory settings. I've attached the current security settings for that and I don't see a specific option to set the desired identity.

Is it possibly a combination of some settings or will leaving the username/pswd blank default to ApplicationPoolIdentity at install time?

Thanks in Advance!

rguggisberg
01-10-2019, 04:13 PM
If you look to the right of the Process Model - Identity field (off the edge of your screen shot) there is an arrow for a dropdown.
Clicking on that will give you choices. Does one of them work for you?

NetworkService
LocalService
LocalSystem
SpecificUser
ApplicationPoolIdentity <-- ?

Superfreak3
01-10-2019, 04:21 PM
If you look to the right of the Process Model - Identity field (off the edge of your screen shot) there is an arrow for a dropdown.
Clicking on that will give you choices. Does one of them work for you?

NetworkService
LocalService
LocalSystem
SpecificUser
ApplicationPoolIdentity <-- ?

That is on the Application Pool itself and that is set up OK as far as I know. If I change that to ApplicationPoolIdentity, does that trickle down to the authentication setting on the apps/virtual directories? I guess I could try that but I don't know if setting that overrides the username and password that is set during install on the Application Pool. The user set for the Application Pool during install is what is to be used there.

As the install stands now, with the setting shown, here is what the techs change in the field and what I want to accomplish with the install...

Open IIS.
Select OurApplication
In the IIS section of the center pane (icons) right click on Authentication, select Open Feature
Select Anonymous Authentication
Right Click and choose Edit
Select Application Pool Identity.

So, after install, they don't want to have to do that as the install should set that to ApplicationPoolIdentity. As you can tell, I'm not an IIS expert.

rguggisberg
01-10-2019, 04:59 PM
Ok... If I understand correctly I think you want to go to
IIS
Web Sites
Name Of Your Web Site

Security
Enable Anonymous Access = Yes
Anonymous User Name = [User Name Property Entered on Install]
Anonymous Password = [Password Property Entered on Install]

Superfreak3
01-10-2019, 05:04 PM
Ok... If I understand correctly I think you want to go to
IIS
Web Sites
Name Of Your Web Site

Security
Enable Anonymous Access = Yes
Anonymous User Name = [User Name Property Entered on Install]
Anonymous Password = [Password Property Entered on Install]

All of that is set currently in/by our install. Anonymous Access is set to yes and results as such post install. Each web application/virtual directory then has the user name and password entered during install set in their properties as well as the Application Pool.

However, field techs have to go into each app/directory and...

Select Anonymous Authentication
Right Click and choose Edit
Select Application Pool Identity.

So, I want this setting to be set during or by the install so users or techs don't have to do so afterwards.

Superfreak3
01-11-2019, 10:19 AM
I guess another way to ask this is how do I get to see the web application/virtual directory Authentication -> Anonymous Authentication (which will/should be enabled) set to ApplicationPoolIdentity immediately following install, with no need for end user or tech to do manually in IIS.

Open IIS.
Select OurApplication
In the IIS section of the center pane (icons) right click on Authentication, select Open Feature
Select Anonymous Authentication
Right Click and choose Edit

When the above steps are carried out post install, the Application pool identity option should be selected.

I've tried various combinations of the IIS settings in InstallShield, but I'm not getting the desired results.

In the actual install .ism file I've tried Identity = ApplicationPoolIdentity with name and password still used (not sure if they are ignored if set to ApplicationPoolIdentity) in the Application Pool settings in combination with Enable Anonymous Access = Yes with no user name and password used or blank in the template (I read online that to fall back to app pool identity leave these blank) on the actual application settings, but when checking the above-mentioned area of issue, all I see is Specific User selected and set to IUSR.

Everything seems to work in the field with the Application Pool setting set to Specific User and with techs changing the Authentication; Anonymous Auth to Application Pool Identity. I just can't figure out how to make that happen via install.

I would think there has got to be a way!

rguggisberg
01-11-2019, 04:00 PM
I agree. Is it possible that anonymous authentication is locked?
For previous job I made a CA to unlock it.

Superfreak3
01-11-2019, 04:20 PM
I agree. Is it possible that anonymous authentication is locked?
For previous job I made a CA to unlock it.

I'm not sure what you mean, locked. Do you mean disabled? It is enabled after install currently.

Or, is there some other IIS specific setting used to 'lock' Anon Auth?

I guess I should also mention that I'm currently running tests on a Server 2016 system so maybe there is some OS specifics as well, but I would guess this is all in IIS.

rguggisberg
01-11-2019, 04:42 PM
Is it possible that whatever you are doing in InstallShield is being overridden by either an ApplicationHost.config or Web.config file?

https://forums.iis.net/t/1170130.aspx?IIS+7+Windows+Authentication+This+feature+has+been+locked+or+Read+Only

Superfreak3
01-11-2019, 04:45 PM
Is it possible that whatever you are doing in InstallShield is being overridden by either an ApplicationHost.config or Web.config file?

https://forums.iis.net/t/1170130.aspx?IIS+7+Windows+Authentication+This+feature+has+been+locked+or+Read+Only

I am able to change the desired Auth setting to Application pool identity manually without any error and the changes seem to be held or persist afterwards. Does that rule out any potential block you reference?

Oh and thanks for helping out rguggisberg!!

rguggisberg
01-11-2019, 05:04 PM
You're welcome. Just sorry I can't be of more help. It has been a while since I have played with that.

Take a look at any ApplicationHost.config or Web.config files on the target system after install.
I don't think the fact that you can change this after install rules out any potential block by those files.
If you find these files, take a look at them before and after you make the change to see if they get changed.

Superfreak3
01-13-2019, 09:31 PM
Take a look at any ApplicationHost.config or Web.config files on the target system after install.
...
If you find these files, take a look at them before and after you make the change to see if they get changed.

I'll check out those files and post my findings either way.

I'm thinking I might have to write a Custom Action to tweak this at the end of our install (most likely C#).

rguggisberg
01-14-2019, 11:14 AM
If you have to do a CA the A P P C M D may be of value.

This site's security rules prevent me from typing the command on one line or from using the 'A' word:(
You have to either specify full path to it or CD to it.
You can LIST and SET. Do your testing from a CMD prompt. When you get the desired combination of commands you can implement in a CA.

Superfreak3
01-14-2019, 11:19 AM
I think I found the setting that is tweaked in ApplicationHost.config...


<location path="Default Web Site/MyApplication">
    <system.webServer>
        <asp>
            <session timeout="00:20:00" />
            <limits scriptTimeout="00:01:30" />
        </asp>
        <security>
            <authentication>
                <anonymousAuthentication enabled="true" userName="" />
                <basicAuthentication enabled="false" />
                <windowsAuthentication enabled="false" />
            </authentication>
        </security>
        <httpLogging dontLog="false" />
    </system.webServer>
</location>

I can toggle the setting by toggling the userName parameter. If set to "" then Application pool identity is selected in the desired area of IIS.

I would think that leaving the user name setting blank in the InstallShield .ism would get me what I want, but that seems to set things to IUSR.

If there is a way to do this within the .ism that would be great. Otherwise, I guess I have to write a CA to change it.

Superfreak3
01-14-2019, 11:21 AM
If you have to do a CA the A P P C M D may be of value.

This site's security rules prevent me from typing the command on one line or from using the 'A' word:(
You have to either specify full path to it or CD to it.
You can LIST and SET. Do your testing from a CMD prompt. When you get the desired combination of commands you can implement in a CA.

I was just thinking of editing the ApplicationHost.config xml directly, but maybe the cmd utility is a better way to go. Now to dig up the command I need based on the setting I found which needs tweaking.

rguggisberg
01-14-2019, 11:29 AM
If you can get it done by changing ApplicationHost.config you might look at doing 'text substitution' via 'SYSTEM CONFIGURATION', 'XML File Changes'.

Superfreak3
01-14-2019, 12:25 PM
If you can get it done by changing ApplicationHost.config you might look at doing 'text substitution' via 'SYSTEM CONFIGURATION', 'XML File Changes'.

I wonder if that will take place after all of the IIS stuff is set up -- a matter of sequence in other words.

Superfreak3
01-14-2019, 12:43 PM
It looks like it might be a little more involved than just an XML text replace. It appears that if set to Application pool identity, the password attribute initially supplied via the install should be removed as well. I haven't used the XML file modifications in or from the template so not sure if you can delete from there or not.

rguggisberg
01-14-2019, 01:08 PM
You might be right about the sequencing. Although if the ApplicationHost.config is a file that you placed on the system at install time it should be modified as you specify.

I haven't used the XML file changes either. I have used the Text File Changes.... and maybe you can use that instead. It allows you to replace xxx with yyy or replace xxx with nothing... which it sounds like you want to do.

Superfreak3
01-14-2019, 02:45 PM
The ApplicationHost.config file is not a part of our install, but a part of IIS.

I think the same question would arise surrounding the use of Text file replacement and sequencing.

I don't think I can go that route anyway as there are some attributes on the application pools we create in that .config file that have valid usernames and passwords so a universal replace wouldn't really work in this case. I guess I could make a super long replace. Even that wouldn't work as the password that would have to be removed is encrypted at install time so not sure what the string would be for replacement.

It's sounding more and more like a CA of some type.

I've sent this into Support as well. Unless and until I hear back from them or someone discovers some way to do it in the template, I'll embark on the Custom Action path.

THANKS for the help so far!!

rguggisberg
01-14-2019, 03:05 PM
Just to clarify... Text replacement allows you to replace one or all occurrences of a string.
You can also specify multiple strings to substitute.

Superfreak3
01-14-2019, 03:07 PM
Just to clarify... Text replacement allows you to replace one or all occurrences of a string.
You can also specify multiple strings to substitute.

Yeah, I know, but I think going that route might get hairy, even if it's in the right sequence to suit my needs. I'll give it a shot to see what happens. I just don't know that the format and verbiage will be the same for all ApplicationHost.config files either.

UPDATE: Since I haven't heard anything from IS support on this, I just went ahead and wrote a Custom Action to cycle through sites and if our Apps/Vir dirs are found, they are switched to Application pool identity.
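
The thread suggests comparing ApplicationHost.config before and after the change. The script below does that check per `<location>`: it reports which identity anonymous authentication uses and whether a stored password attribute is left behind. It is an added example, not code from any poster or from InstallShield. The function names, the `MyVirtualDir` location, the `svc_web` account and the password placeholder are assumptions made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <location> block posted in the thread;
# the second location and all of its values are made up for illustration.
SAMPLE = """<configuration>
  <location path="Default Web Site/MyApplication">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/MyVirtualDir">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="svc_web"
                               password="[enc:placeholder]" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

ANON = "system.webServer/security/authentication/anonymousAuthentication"

def audit_anonymous_auth(config_xml):
    """Return {location path: (identity, has_stored_password)} for every
    <location> that configures anonymous authentication."""
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        node = loc.find(ANON)
        if node is None:
            continue
        user = node.get("userName")
        # Assumption: an absent 'enabled' attribute is treated as enabled.
        if node.get("enabled", "true").lower() != "true":
            identity = "disabled"
        elif user is None:
            identity = "inherited"            # no override at this location
        elif user == "":
            identity = "ApplicationPoolIdentity"   # per the thread's finding
        else:
            identity = "SpecificUser:" + user
        report[loc.get("path", "")] = (identity, "password" in node.attrib)
    return report

def needs_fix(report):
    """Locations not on the pool identity, or still carrying a password."""
    return sorted(path for path, (identity, has_pw) in report.items()
                  if identity != "ApplicationPoolIdentity" or has_pw)

if __name__ == "__main__":
    for path, (identity, has_pw) in audit_anonymous_auth(SAMPLE).items():
        print(f"{path}: {identity}, stored password: {has_pw}")
```

Run it against a copy of the target system's ApplicationHost.config taken after install; only the `<location>` entries are inspected, so application pool credentials elsewhere in the file are not touched or reported.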