Service Account replaced by IUSR ??

on 18.06.2007 14:31:38 by Erwin

Hi,
Could anyone help me with this?
I am testing a .Net 2 application that creates a user in AD. It also has
to create a shared folder on a remote server.
I'm testing this on a Windows SBS 2003 machine, taking the same server
as "remote" server, by using the UNC path when creating the directory.

Now, in order to avoid impersonation I did the following:
- create a service account, register it in AD using the setspn.exe tool
described in the article
http://msdn2.microsoft.com/en-us/library/ms998358.aspx.
- giving the service account administrator rights (only for testing
purposes, this will be graded down in production)
- checking the "trust account for delegation" option in the account
- create a separate application pool in IIS 6 only for this application.
- setting the identity for this AppPool to the newly created user
Of course, the following configurations are also set:
- in the IIS 6 web, anonymous access is switched off, using integrated
authentication
- in web.config of application authentication is set to Windows
- also IE is enabled to authenticate


So far, everything works fine, and I succeed in creating the user in AD.
But the application breaks down when I want to create the folder, for
the reason that the app doesn't have access rights to the folder.
It will only work when I use impersonation:
- either to the specially created service account
- or to the web user, if he has administrator rights.

But the whole idea of creating a service account was to avoid
impersonation!

I decided to audit the parent directory in which the user directories
should be created. And this is what I got as event (I snipped some
lines for briefness):

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: MYSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: IUSR_MYSERVER
Domain: IQS
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: MYSERVER
Caller User Name: adtester

What boggles my mind is that the user is still IUSR_MYSERVER instead of
the specially created service account "adtester"!

Do you have any idea what's going on here or am I missing something?

Thanks!
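As an added example (not code from the post), a small Python check that parses a 529 failure-audit record like the one above and flags when the caller (the account the worker process actually runs as) differs from the account it tried to log on as; the pool account name "adtester" and the IUSR_ anonymous-account prefix are assumptions taken from the post.

```python
import re

# Constructed sample: the 529 failure audit quoted in the post, in the
# "Field: value" form Event Viewer copies out. Only the field names matter.
SAMPLE_EVENT = """Event Type: Failure Audit
Event Source: Security
Event ID: 529
User: NT AUTHORITY\\SYSTEM
Computer: MYSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: IUSR_MYSERVER
Domain: IQS
Logon Type: 8
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: MYSERVER
Caller User Name: adtester
"""

def parse_event(text: str) -> dict:
    """Split 'Key: value' lines into a dict (later duplicates override)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def check_pool_identity(event: dict, pool_account: str, anon_prefix: str = "IUSR_") -> list:
    """Findings for a 529 record from a worker that should run as pool_account
    (assumed name; 'adtester' in the post). Returns [] for other event IDs."""
    findings = []
    if event.get("Event ID") != "529":
        return findings
    caller = event.get("Caller User Name", "").lower()
    target = event.get("User Name", "").lower()
    if caller == pool_account.lower() and target != caller:
        findings.append(f"worker running as {caller} tried to log on as {target}: "
                        "the request is not using the pool identity")
    if target.upper().startswith(anon_prefix):
        findings.append("target is the IIS anonymous account: verify anonymous access "
                        "is off for the site and no explicit credentials are configured")
    if event.get("Logon Type") == "8" and event.get("Logon Process") == "Advapi":
        findings.append("logon type 8 via Advapi is an explicit LogonUser call with a "
                        "stored password, not the worker's own token")
    return findings
```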

Re: Service Account replaced by IUSR ??

on 18.06.2007 18:33:06 by Erwin

Please disregard. This issue resolved itself quite mysteriously.
