IIS_WPG and NETWORK SERVICE

on 20.02.2006 16:40:27 by Larry

I have an ASP.NET site hosted on an SBS 2003 server. The server is a day old
and no changes have been made to IIS with respect to user rights, etc.
I have configured IIS_WPG to have the rights necessary to access what needs
to be accessed on my site folder. I have set this up many times before via
the same script on non-SBS servers. However, the web app cannot manipulate
the folder as it should be able to based on these rights. I have verified
this by temporarily giving "everyone" full rights to the folder and the web
app runs fine.
I know that ASP.NET application is running in a pool where NETWORK SERVICE
is the runtime context:
System.Security.Principal.WindowsIdentity.GetCurrent().Name = NT AUTHORITY\NETWORK SERVICE

I have read a couple articles that explain that on a fresh install of IIS 6,
"NETWORK SERVICE" should be a member of IIS_WPG. Well, on my new install, it
is not.
So, I opened up the DefaultAppPools node of IIS Mgr and opened the IIS_WPG
Properties and at the "Members" tab, no "NETWORK SERVICE" in the list. There
is IWAM_machinename, and "SharePoint...bla.bla.". I attempt to add "NETWORK
SERVICE", but it does not appear to be a user that can be selected from
Active Directory.
I am stuck at this point because either the OS has a bug, SBS 2003 is
"different again" from vanilla servers, the MSDN article is wrong, or I'm
seeing things.
I will be greatly appreciative if someone can tell me which is the case and
set me straight.
Regards,
Larry
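
Added example, not part of the original post or of any poster's code: a diagnostic that extends the `WindowsIdentity.GetCurrent()` check above to list the groups in the worker process token and the folder ACEs that match that token. The class name `AclDiagnostic`, the method `Report` and its parameters are hypothetical; it assumes .NET Framework 2.0 or later and is called from code running inside the application pool.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;

// Added diagnostic, not from the thread. AclDiagnostic and Report are
// hypothetical names; call Report from code running inside the app pool.
public static class AclDiagnostic
{
    public static string Report(string folder, string groupName)
    {
        StringBuilder sb = new StringBuilder();
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        sb.AppendLine("Identity: " + id.Name + " (" + id.User.Value + ")");

        // 1. List the groups in the process token and look for groupName.
        bool inGroup = false;
        foreach (IdentityReference sid in id.Groups)
        {
            string name = Resolve(sid);
            sb.AppendLine("  token group: " + name);
            if (name.Equals(groupName, StringComparison.OrdinalIgnoreCase) ||
                name.EndsWith("\\" + groupName, StringComparison.OrdinalIgnoreCase))
                inGroup = true;
        }
        sb.AppendLine(groupName + " in token: " + inGroup);

        // 2. List the folder ACEs that match the token's user or group SIDs.
        try
        {
            DirectorySecurity acl = Directory.GetAccessControl(folder);
            foreach (FileSystemAccessRule rule in
                     acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                IdentityReference who = rule.IdentityReference;
                if (!who.Equals(id.User) && !id.Groups.Contains(who)) continue;
                sb.AppendLine("  " + rule.AccessControlType + " " + Resolve(who) +
                              ": " + rule.FileSystemRights +
                              (rule.IsInherited ? " (inherited)" : ""));
            }
        }
        catch (UnauthorizedAccessException)
        {
            sb.AppendLine("  cannot read the ACL of " + folder + " as " + id.Name);
        }
        return sb.ToString();
    }

    // Map a SID to DOMAIN\name; fall back to the raw SID string.
    private static string Resolve(IdentityReference sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return sid.Value; }
    }
}
```

If the group is absent from the token, ACEs granted only to that group will not appear in the second list.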

Re: IIS_WPG and NETWORK SERVICE

on 21.02.2006 07:36:43 by someone

SBS2003 is "different again" from vanilla servers. In particular, it has
IIS6 running on the "Domain Controller" machine which causes the
"differences" that you are observing.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Re: IIS_WPG and NETWORK SERVICE

on 21.02.2006 12:50:52 by Ken Schaefer

Hi,

Network Service should be available from the drop-down list of preconfigured
identities (along with Local System and Local Service). I just checked on my
SBS2003 box.

What are the exact preconfigured identities that you are seeing?

Cheers
Ken

Re: IIS_WPG and NETWORK SERVICE

on 21.02.2006 15:08:57 by Larry

I really looked hard. There is no way to get NETWORK SERVICE to be a member
of the group. It will not appear in the list of users/group when trying to
add it to the IIS_WPG group, and you cannot type it in.

Per David Wang's response, I would guess that this has been disabled on a
later (or earlier?) version of SBS2003 than you have. This is probably the
result of a security patch at some point.

MSFT really makes our lives easy, huh?

Thanks,
Larry

Re: IIS_WPG and NETWORK SERVICE

on 22.02.2006 05:08:38 by Ken Schaefer

What are you talking about? I am asking you to locate the relevant Web App
Pool in your IIS Manager, right-click choose Properties, and go to the
"Identity" tab. In the "Preconfigured" drop-down list, what options are
available? You said that Network Service was not listed, and that there was
an account "SharePoint bla bla". What other accounts are listed there?

In terms of adding Network Service to IIS_WPG - that's not possible AFAIK.
That's got nothing to do with a security patch. It's because Network Service
is treated as a foreign security principal from an external trusted domain,
not from your AD domain. However I will ask to see if this is possible to
do.

Cheers
Ken

Re: IIS_WPG and NETWORK SERVICE

on 22.02.2006 13:59:29 by Larry

Thanks Ken, please read inline...

> What are you talking about?

Go to AD - Users & Computers
open IIS_WPG
click the "Members" tab.
---->Can't add "NETWORK SERVICE"
I can do this in Win2003 - non SBS flavors.

> I am asking you to locate the relevant Web App
> Pool in your IIS Manager, right-click choose Properties, and go to the
> "Identity" tab. In the "Preconfigured" drop-down list, what options are
> available?

Yes, I was aware of this and I see what you are probably seeing -

network service
local service
local system

Currently, "network service" is selected and I believe was the default since
I never changed it.
>
> In terms of adding Network Service to IIS_WPG - that's not possible AFAIK.

It is possible (and the default I think) on Win2003 - non SBS.
Also, what does AFAIK mean?

> That's got nothing to do with a security patch. It's because Network Service
> is treated as a foreign security principal from an external trusted domain,
> not from your AD domain.

I wish I fully understood that statement...:)
Also, another network admin told me that on another install of SBS2003 that
"network service" WAS a member of IIS_WPG, which is why I was wondering if
there was a change or he was seeing things.

> However I will ask to see if this is possible to do.

This is exactly what I was describing - how it's seemingly impossible to do
this.
>
> Cheers
> Ken
>

Thank you for your time!
-Larry

Re: IIS_WPG and NETWORK SERVICE

on 23.02.2006 01:53:34 by Ken Schaefer

"Larry" wrote in message
news:DD42A1FD-86B7-4A28-AE59-5FB1426ECFF2@microsoft.com...
: Thanks Ken, please read inline...
:
: > What are you talking about?
:
: Go to AD - Users & Computers
: open IIS_WPG
: click the "Members" tab.
: ---->Can't add "NETWORK SERVICE"
: I can do this in Win2003 - non SBS flavors.


Can you do this on a Windows 2003 *Domain Controller*? I wasn't aware that
you could. You should be able to do this on a Windows 2003 member server.



: > I am asking you to locate the relevant Web App
: > Pool in your IIS Manager, right-click choose Properties, and go to the
: > "Identity" tab. In the "Preconfigured" drop-down list, what options are
: > available?
:
: Yes, I was aware of this and I see what you are probably seeing -
:
: network service
: local service
: local system
:
: Currently, "network service" is selected and I believe was the default
: since I never changed it.
: >
: > In terms of adding Network Service to IIS_WPG - that's not possible
: > AFAIK.
:
: It is possible (and the default I think) on Win2003 - non SBS.
: Also, what does AFAIK mean?

AFAIK - As far as I know.


: > That's got nothing to do with a security patch. It's because Network
: > Service is treated as a foreign security principal from an external
: > trusted domain, not from your AD domain.
:
: I wish I fully understood that statement...:)
: Also, another network admin told me that on another install of SBS2003
: that "network service" WAS a member of IIS_WPG, which is why I was
: wondering if there was a change or he was seeing things.

Network Service should be part of the IIS_WPG group - I checked on my
SBS2003 box.

Cheers
Ken

Re: IIS_WPG and NETWORK SERVICE

on 23.02.2006 02:39:05 by Larry

"Ken Schaefer" wrote:

> "Larry" wrote in message
> news:DD42A1FD-86B7-4A28-AE59-5FB1426ECFF2@microsoft.com...
> : Thanks Ken, please read inline...
> :
> : > What are you talking about?
> :
> : Go to AD - Users & Computers
> : open IIS_WPG
> : click the "Members" tab.
> : ---->Can't add "NETWORK SERVICE"
> : I can do this in Win2003 - non SBS flavors.
>
>
> Can you do this on a Windows 2003 *Domain Controller*? I wasn't aware that
> you could. You should be able to do this on a Windows 2003 member server.
>
>

My test Win2003 box is not a domain controller.

>
> : > I am asking you to locate the relevant Web App
> : > Pool in your IIS Manager, right-click choose Properties, and go to the
> : > "Identity" tab. In the "Preconfigured" drop-down list, what options are
> : > available?
> :
> : Yes, I was aware of this and I see what you are probably seeing -
> :
> : network service
> : local service
> : local system
> :
> : Currently, "network service" is selected and I believe was the default
> : since I never changed it.
> : >
> : > In terms of adding Network Service to IIS_WPG - that's not possible
> : > AFAIK.
> :
> : It is possible (and the default I think) on Win2003 - non SBS.
> : Also, what does AFAIK mean?
>
> AFAIK - As far as I know.
>
>
> : > That's got nothing to do with a security patch. It's because Network
> : > Service is treated as a foreign security principal from an external
> : > trusted domain, not from your AD domain.
> :
> : I wish I fully understood that statement...:)
> : Also, another network admin told me that on another install of SBS2003
> : that "network service" WAS a member of IIS_WPG, which is why I was
> : wondering if there was a change or he was seeing things.
>
> Network Service should be part of the IIS_WPG group - I checked on my
> SBS2003 box.
>

hmmm... it's not on this SBS2003 box...but it was on another, and it is on
yours, and I can't add it...
oh well, there seems to be no clear answer.

Perhaps a Microsoft expert can explain why the variation exists, now that
it's been proven I am not seeing things.

Thanks,
Larry

Re: IIS_WPG and NETWORK SERVICE

on 23.02.2006 04:51:51 by Ken Schaefer

"Larry" wrote in message
news:27A1CF63-815D-483D-AFAE-7236D8D1E9AA@microsoft.com...
:
: > "Larry" wrote in message
: > news:DD42A1FD-86B7-4A28-AE59-5FB1426ECFF2@microsoft.com...
: > : Thanks Ken, please read inline...
: > :
: > : > What are you talking about?
: > :
: > : Go to AD - Users & Computers
: > : open IIS_WPG
: > : click the "Members" tab.
: > : ---->Can't add "NETWORK SERVICE"
: > : I can do this in Win2003 - non SBS flavors.
: >
: >
: > Can you do this on a Windows 2003 *Domain Controller*? I wasn't aware
: > that you could. You should be able to do this on a Windows 2003 member
: > server.
: >
: >
:
: My test Win2003 box is not a domain controller.

I suspected as much. The reason you can't add Network Service to IIS_WPG on
your SBS2003 box is because it is a Domain Controller, not because it's an
SBS2003 box.


: > : > That's got nothing to do with a security patch. It's because
: > : > Network Service is treated as a foreign security principal from an
: > : > external trusted domain, not from your AD domain.
: > :
: > : I wish I fully understood that statement...:)
: > : Also, another network admin told me that on another install of SBS2003
: > : that "network service" WAS a member of IIS_WPG, which is why I was
: > : wondering if there was a change or he was seeing things.
: >
: > Network Service should be part of the IIS_WPG group - I checked on my
: > SBS2003 box.
: >
:
: hmmm... it's not on this SBS2003 box...but it was on another, and it is on
: yours, and I can't add it...
: oh well, there seems to be no clear answer.
:
: Perhaps a Microsoft expert can explain why the variation exists, now that
: it's been proven I am not seeing things.

well, if you remove Network Service from the IIS_WPG group, then you won't
be able to add it back in. Or perhaps some error occurred during setup, and
it was never added in the first place.

I tried using ADSIEdit to alter the "memberOf" property of the Network
Service account, but you get an error saying that this property is owned by
the System, and can't be modified. Perhaps if you run a script under the
LocalSystem account, you may be able to update the memberOf property of
Network Service, so as to be able to add it to non-built-in Domain Local
groups.

Cheers
Ken

:
: Thanks,
: Larry

Re: IIS_WPG and NETWORK SERVICE

on 23.02.2006 16:40:33 by Larry

I appreciate your insight and help!
Thanks
Larry