ASPNET_WP.EXE
am 05.09.2007 20:06:03 von walid
Hello:
I need some help as to how the aspnet_wp.exe works. I have to migrate a
website to Windows Server 2003 from a Windows 2000 server. I see that the
aspnet_wp.exe is running under a domain user account in the task manager on
the windows 2000 box. How do I configure aspnet_wp.exe to user that account?
Also, how does the ASPNET_WP.EXE start as I don't see it running in my 2003
box?
I would really appreciate some insight on this.
THanks,
Walid
Re: ASPNET_WP.EXE
am 06.09.2007 04:03:35 von Ken Schaefer
aspnet_wp.exe is no longer used in IIS 6.0 (unless you configure it to run
in IIS 5.0 compatibility mode).
Instead, ASP.NET applications run inside w3wp.exe processes now. To change
the identity of the w3wp.exe process, use the web application pools node in
IIS Manager.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"Walid" wrote in message
news:61BAB287-A6DD-46E8-AA57-E1E98771E05E@microsoft.com...
> Hello:
> I need some help as to how the aspnet_wp.exe works. I have to migrate a
> website to Windows Server 2003 from a Windows 2000 server. I see that the
> aspnet_wp.exe is running under a domain user account in the task manager
> on
> the windows 2000 box. How do I configure aspnet_wp.exe to user that
> account?
> Also, how does the ASPNET_WP.EXE start as I don't see it running in my
> 2003
> box?
>
> I would really appreciate some insight on this.
>
> THanks,
>
> Walid
Re: ASPNET_WP.EXE
am 06.09.2007 16:24:04 von walid
Thank-you Ken!
What is the account under which the w3wp.exe should run? Is it safe to run
it under Network Service account? Is there a disadvantage to this? What
about a domain account? Is it better to run it undera domain account?
I would like to learn about the proper way of configuring application pools.
Any help would be appreciated!
Thanks,
Walid
"Ken Schaefer" wrote:
> aspnet_wp.exe is no longer used in IIS 6.0 (unless you configure it to run
> in IIS 5.0 compatibility mode).
>
> Instead, ASP.NET applications run inside w3wp.exe processes now. To change
> the identity of the w3wp.exe process, use the web application pools node in
> IIS Manager.
>
> Cheers
> Ken
>
> --
> My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
>
> "Walid" wrote in message
> news:61BAB287-A6DD-46E8-AA57-E1E98771E05E@microsoft.com...
> > Hello:
> > I need some help as to how the aspnet_wp.exe works. I have to migrate a
> > website to Windows Server 2003 from a Windows 2000 server. I see that the
> > aspnet_wp.exe is running under a domain user account in the task manager
> > on
> > the windows 2000 box. How do I configure aspnet_wp.exe to user that
> > account?
> > Also, how does the ASPNET_WP.EXE start as I don't see it running in my
> > 2003
> > box?
> >
> > I would really appreciate some insight on this.
> >
> > THanks,
> >
> > Walid
>
>
Re: ASPNET_WP.EXE
am 08.09.2007 18:49:33 von Tiago Halm
Walid,
The account with which to configure the AppPool should be part of the local
IIS_WPG group. If you don't plan on using NETWORK_SERVICE or LOCAL_SYSTEM,
then be sure to add the new account to this group. This is a requirement due
to the security and user rights requirements of the accounts configured to
run AppPools. Afterwards, you can set NTFS ACLs ([R]ead and [E]xecute) for
that same group (IIS_WPG) saving you the management headache if you need to
change the account later on.
As for the account you should use, it depends on your authentication method.
# Anonymous
NETWORK_SERVICE is your best choice for the AppPool to follow the least
priviledge principle. The anonymous account (logged on locally on the
server) will be the credential used when accessing remote resources. Be sure
to set the NTFS ACLs to the anonymous account on the physical files.
# Basic Authentication
NETWORK_SERVICE is your best choice for the AppPool to follow the least
priviledge principle. The basic authentication account (logged on locally on
the server) whose credentials are given by the end user, will be the
credential used when accessing remote resources. Be sure to set the NTFS
ACLs to the anonymous account on the physical files.
# Windows Authentication + ASP
You're left with impersonation or delegation. Your best choice is still
NETWORK_SERVICE for the AppPool, and you should be using delegation in case
you need to access remote resources with Windows Authentication. Be sure to
set the NTFS ACLs to the authenticated accounts on the physical files.
# Windows Authentication + ASP.NET
You have more choices here. Either you use NETWORK_SERVICE for the AppPool
and set with delegation turned on. Be sure
to set the NTFS ACLs to the authenticated accounts on the physical files.
Or you use NETWORK_SERVICE for the AppPool and set
impersonate="true" userName="..." password="..." /> without delegation. You
can even encrypt this entry on set it on the root web.config. Be sure to set
the NTFS ACLs to the [userName="..." password="..."] account on the physical
files.
The final option is using a domain account for the AppPool, and setting
. This final option is when the AppPool
account will be the credential presented to the remote resource if using
Windows Authentication. Be sure to set the NTFS ACLs to the domain account
on the physical files.
All of the above is under the assumption that you need to access a remote
resource with Windows Authentication, for example, a SQL Server with NT
Authentication turned on.
NOTE: The NETWORK_SERVICE account, like the LOCAL_SYSTEM account are "well
known accounts" or "built-in accounts" with no password and not recognizable
outside the local box.
Tiago Halm