Web Connection
Custom App Pool Identity
Custom App Pool Identity
  Stein Goering
  All
  Dec 1, 2018 @ 11:34pm

When using the .NET Handler and a custom account for the Application Pool Identity, we would run into access restrictions unless we made the account a local administrator. One of our customers was recently able to get a non-admin account to work as follows:

  1. Added the IIS Application pool account to the “local\IIS_IUSRS” and “local\Distributed COM Users” groups.

  2. In DCOM Config, under COM server \ properties \ Security tab \ Launch and Activation Permissions, chose the Customize radio button; added the IIS Application pool account giving it full permissions.

Thought I'd post this in case anyone has clients who would prefer not to use an admin account for security reasons.

--stein
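To verify that a custom account has been set up the way the two steps above describe, here is an added PowerShell audit (not from the thread or from Web Connection itself). The account name and the COM server's DCOM AppID are placeholders; the rights bit values come from the COM SDK's COM_RIGHTS_* constants.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit a custom non-admin app pool account for the two
# group memberships and the DCOM Local Launch/Activation rights described in the post.
param(
    [string]$Account = "$env:COMPUTERNAME\wcsvc",                # placeholder custom account
    [string]$AppId   = '{00000000-0000-0000-0000-000000000000}'  # placeholder DCOM AppID
)

# COM launch/activation rights as encoded in the AccessMask of each DCOM ACE.
$ComRights = [ordered]@{
    'COM_RIGHTS_EXECUTE (legacy: all)' = 0x01
    'Local Launch'                     = 0x02
    'Remote Launch'                    = 0x04
    'Local Activation'                 = 0x08
    'Remote Activation'                = 0x10
}

function Get-DcomLaunchPermission {
    param([string]$AppId)
    $key   = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
    $bytes = (Get-ItemProperty -Path $key -Name LaunchPermission -ErrorAction SilentlyContinue).LaunchPermission
    if (-not $bytes) {
        # No per-application ACL: the machine-wide default applies, which is what leaves
        # only Administrators, INTERACTIVE and SYSTEM able to launch the server.
        $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name DefaultLaunchPermission).DefaultLaunchPermission
    }
    # The value is a binary security descriptor; let .NET decode it instead of parsing by hand.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }    # unresolvable SID, e.g. a deleted account
        $granted = $ComRights.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } | ForEach-Object Key
        [pscustomobject]@{ Type = $ace.AceType; Principal = $who; Rights = ($granted -join ', ') }
    }
}

# Step 1 of the post: the two local group memberships.
foreach ($g in 'IIS_IUSRS', 'Distributed COM Users') {
    $isMember = [bool](Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | Where-Object Name -eq $Account)
    "{0} member of '{1}': {2}" -f $Account, $g, $isMember
}
# Step 2 of the post: a direct Allow ACE for the account with local launch and activation.
$aces = Get-DcomLaunchPermission -AppId $AppId
$aces | Format-Table -AutoSize
$ok = $aces | Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Principal -eq $Account -and
                             $_.Rights -match 'Local Launch' -and $_.Rights -match 'Local Activation' }
if ($ok) { "$Account has Local Launch + Local Activation on $AppId" }
else     { "$Account lacks them on $AppId (grants inherited via group membership are not resolved here)" }
```

Run it after applying the two steps; if the DCOM table still shows only the default principals, the Customize setting was not saved for that AppID.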

re: Custom App Pool Identity
  Rick Strahl
  Stein Goering
  Dec 2, 2018 @ 01:08pm

You don't need an Administrator account, just any account will do as long as you add it to the DCOM launch permissions.

The Application Pool Identity is a generated account that's specific for each individual Application Pool, so it's very tricky to set permissions for. Even if you manage to get it into the DCOM permissions you will have a hard time trying to get it to work with local file permissions because the account doesn't show up on the ACL list.

I don't know how you can add it to any list because it doesn't show up as an account(s):

Update:

Ok I see there's a way to do this by using IIS AppPool\AppPoolName as the account name.

Here's more info on how that works:

This approach lets you create permissions at the file system as well as adding a group and even in the DCOM settings.

Even so I think this is confusing as heck and I still wouldn't recommend this - it's almost always better to create a new non-admin, low rights account and then add only the permissions you want of it explicitly which is more predictable to manage IMHO. A low rights account won't have any rights anywhere by default (especially if running without a profile) and so essentially provides the same security as the Application Pool account. Same result...

+++ Rick ---

re: Custom App Pool Identity
  Stein Goering
  Rick Strahl
  Dec 2, 2018 @ 11:32pm

You don't need an Administrator account, just any account will do as long as you add it to the DCOM launch permissions.

That last part is what I've been missing. We would add a custom account as the Application Pool Identity via the Advanced Settings App Pool dialog, and then set the DCOM Identity to the Launching User. We would make that custom account an admin because I somehow thought that was required by the .NET Handler. So I had never considered changing the DCOM launch permissions until this customer objected to giving it admin privileges.

I didn't mean to confuse the issue by using the term "IIS Application Pool account" - I just meant to reference that custom account we set up, not the internal ApplicationPoolIdentity.

--stein

re: Custom App Pool Identity
  Rick Strahl
  Stein Goering
  Dec 2, 2018 @ 11:35pm

We covered this in some detail during the security session at the Web Connection Training. It's pretty prominent in the slides if I recall...

You can use any account for DCOM as long as you give it access permissions. By default only Administrators, Interactive and SYSTEM have the ability to launch COM objects. Any other accounts - including NETWORK SERVICE - require that they are added to the DCOM permissions.

+++ Rick ---
