Standalone servers and user accounts.

In using network load balancing, I have a non-AD group of servers and a
shared resource between 2 webs. All running Windows 2003 SP1.

The problem I am running into is using the shared resources off of the Share
server and managing user accounts. Throughout hundreds of websites, people
are writing to this shared resource. I contimplated setting the
Network_Services user account to the same password, hoping that it would
allow the writes to the UNC share from the web servers, but am a bit nervous
about changing any of the passwords.

Is it best to try to sync the passwords between the 3 servers or setting up
a new user account and assigning it to the share and running IIS from that
one? (seems more difficult than changing the passwords to be the same.)

I can't control where my users put code to upload files, so, I pretty much
need to sync network_services between the disconnected servers or create a
new user account and run IIS under it.

Thoughts?

Re: Standalone servers and user accounts.

If it were me, I wouldn't mess around with the network service user. I
would create a new user and set the application pools to use that user
(under identity tab). That user would need to be on all the servers with
the same password, as you know and also needs to be a member of the IIS_WPG
group.

I'm assuming you know that is the network service that needs the permissions
since you mentioned that user, if you have impersonation turned on, often I
find that the user that needs the permissions is the anonymous iusr that the
site runs under.

--
Rick Barber

http://www.orcsweb.com
Managed Complex Hosting
#1 in Service and Support

"Kevin A" wrote in message
news:eTowDtMFIHA.5044@TK2MSFTNGP03.phx.gbl...
> In using network load balancing, I have a non-AD group of servers and a
> shared resource between 2 webs. All running Windows 2003 SP1.
>
> The problem I am running into is using the shared resources off of the
> Share
> server and managing user accounts. Throughout hundreds of websites,
> people
> are writing to this shared resource. I contimplated setting the
> Network_Services user account to the same password, hoping that it would
> allow the writes to the UNC share from the web servers, but am a bit
> nervous
> about changing any of the passwords.
>
> Is it best to try to sync the passwords between the 3 servers or setting
> up
> a new user account and assigning it to the share and running IIS from that
> one? (seems more difficult than changing the passwords to be the same.)
>
> I can't control where my users put code to upload files, so, I pretty much
> need to sync network_services between the disconnected servers or create a
> new user account and run IIS under it.
>
> Thoughts?
>
>
>

Re: Standalone servers and user accounts.

Sorry, so, I basically would end up running everything under this newly
created user? I'm just a tad confused on the personate user account.

Any other special user assignments?
"Kevin A" wrote in message
news:eTowDtMFIHA.5044@TK2MSFTNGP03.phx.gbl...
> In using network load balancing, I have a non-AD group of servers and a
> shared resource between 2 webs. All running Windows 2003 SP1.
>
> The problem I am running into is using the shared resources off of the
> Share
> server and managing user accounts. Throughout hundreds of websites,
> people
> are writing to this shared resource. I contimplated setting the
> Network_Services user account to the same password, hoping that it would
> allow the writes to the UNC share from the web servers, but am a bit
> nervous
> about changing any of the passwords.
>
> Is it best to try to sync the passwords between the 3 servers or setting
> up
> a new user account and assigning it to the share and running IIS from that
> one? (seems more difficult than changing the passwords to be the same.)
>
> I can't control where my users put code to upload files, so, I pretty much
> need to sync network_services between the disconnected servers or create a
> new user account and run IIS under it.
>
> Thoughts?
>
>
>

Re: Standalone servers and user accounts.

Make sure that you have added that user to the IIS_WPG group on the server,
that will give it the proper access that it needs, then you set the identity
of the application pool to use that user. You could also have that user be
the anonymous user for your sites. We run our webfarm sites like that
although they are all now AD accounts.

--
Rick Barber

http://www.orcsweb.com
Managed Complex Hosting
#1 in Service and Support

"Kevin A" wrote in message
news:uJEXPfVFIHA.4772@TK2MSFTNGP02.phx.gbl...
> Sorry, so, I basically would end up running everything under this newly
> created user? I'm just a tad confused on the personate user account.
>
> Any other special user assignments?
> "Kevin A" wrote in message
> news:eTowDtMFIHA.5044@TK2MSFTNGP03.phx.gbl...
>> In using network load balancing, I have a non-AD group of servers and a
>> shared resource between 2 webs. All running Windows 2003 SP1.
>>
>> The problem I am running into is using the shared resources off of the
>> Share
>> server and managing user accounts. Throughout hundreds of websites,
>> people
>> are writing to this shared resource. I contimplated setting the
>> Network_Services user account to the same password, hoping that it would
>> allow the writes to the UNC share from the web servers, but am a bit
>> nervous
>> about changing any of the passwords.
>>
>> Is it best to try to sync the passwords between the 3 servers or setting
>> up
>> a new user account and assigning it to the share and running IIS from
>> that
>> one? (seems more difficult than changing the passwords to be the same.)
>>
>> I can't control where my users put code to upload files, so, I pretty
>> much
>> need to sync network_services between the disconnected servers or create
>> a
>> new user account and run IIS under it.
>>
>> Thoughts?
>>
>>
>>
>
>

Re: Standalone servers and user accounts.

So,

You are running the app pool AND the anonymous user as a created account?
When I changed the anonymous user to a created account, it kept prompting me
for a username and password when trying to open the site.


"Rick Barber" wrote in message
news:elwfE%23aFIHA.4748@TK2MSFTNGP06.phx.gbl...
> Make sure that you have added that user to the IIS_WPG group on the
> server, that will give it the proper access that it needs, then you set
> the identity of the application pool to use that user. You could also
> have that user be the anonymous user for your sites. We run our webfarm
> sites like that although they are all now AD accounts.
>
> --
> Rick Barber
>
> http://www.orcsweb.com
> Managed Complex Hosting
> #1 in Service and Support
>
> "Kevin A" wrote in message
> news:uJEXPfVFIHA.4772@TK2MSFTNGP02.phx.gbl...
>> Sorry, so, I basically would end up running everything under this newly
>> created user? I'm just a tad confused on the personate user account.
>>
>> Any other special user assignments?
>> "Kevin A" wrote in message
>> news:eTowDtMFIHA.5044@TK2MSFTNGP03.phx.gbl...
>>> In using network load balancing, I have a non-AD group of servers and a
>>> shared resource between 2 webs. All running Windows 2003 SP1.
>>>
>>> The problem I am running into is using the shared resources off of the
>>> Share
>>> server and managing user accounts. Throughout hundreds of websites,
>>> people
>>> are writing to this shared resource. I contimplated setting the
>>> Network_Services user account to the same password, hoping that it would
>>> allow the writes to the UNC share from the web servers, but am a bit
>>> nervous
>>> about changing any of the passwords.
>>>
>>> Is it best to try to sync the passwords between the 3 servers or setting
>>> up
>>> a new user account and assigning it to the share and running IIS from
>>> that
>>> one? (seems more difficult than changing the passwords to be the same.)
>>>
>>> I can't control where my users put code to upload files, so, I pretty
>>> much
>>> need to sync network_services between the disconnected servers or create
>>> a
>>> new user account and run IIS under it.
>>>
>>> Thoughts?
>>>
>>>
>>>
>>
>>
>
>

Re: Standalone servers and user accounts.

Don't forget that if you change users from the default users, those users
also need NTFS permissions to your website home directory. It sounds to me
like even though you are using a custom anonymous user now, that user
doesn't have the proper permissions to the folder where your site is
located. For us this is on a separate partition so a user can't fill up the
hard drive and cause the OS to crash.

Event Viewer -> Security should lead you to the same information that I gave
above, especially if you have auditing setup properly on your machine.

--
Rick Barber

http://www.orcsweb.com
Managed Complex Hosting
#1 in Service and Support

"Kevin A" wrote in message
news:e7jRyFiFIHA.1184@TK2MSFTNGP04.phx.gbl...
> So,
>
> You are running the app pool AND the anonymous user as a created account?
> When I changed the anonymous user to a created account, it kept prompting
> me for a username and password when trying to open the site.
>
>
> "Rick Barber" wrote in message
> news:elwfE%23aFIHA.4748@TK2MSFTNGP06.phx.gbl...
>> Make sure that you have added that user to the IIS_WPG group on the
>> server, that will give it the proper access that it needs, then you set
>> the identity of the application pool to use that user. You could also
>> have that user be the anonymous user for your sites. We run our webfarm
>> sites like that although they are all now AD accounts.
>>
>> --
>> Rick Barber
>>
>> http://www.orcsweb.com
>> Managed Complex Hosting
>> #1 in Service and Support
>>
>> "Kevin A" wrote in message
>> news:uJEXPfVFIHA.4772@TK2MSFTNGP02.phx.gbl...
>>> Sorry, so, I basically would end up running everything under this newly
>>> created user? I'm just a tad confused on the personate user account.
>>>
>>> Any other special user assignments?
>>> "Kevin A" wrote in message
>>> news:eTowDtMFIHA.5044@TK2MSFTNGP03.phx.gbl...
>>>> In using network load balancing, I have a non-AD group of servers and a
>>>> shared resource between 2 webs. All running Windows 2003 SP1.
>>>>
>>>> The problem I am running into is using the shared resources off of the
>>>> Share
>>>> server and managing user accounts. Throughout hundreds of websites,
>>>> people
>>>> are writing to this shared resource. I contimplated setting the
>>>> Network_Services user account to the same password, hoping that it
>>>> would
>>>> allow the writes to the UNC share from the web servers, but am a bit
>>>> nervous
>>>> about changing any of the passwords.
>>>>
>>>> Is it best to try to sync the passwords between the 3 servers or
>>>> setting up
>>>> a new user account and assigning it to the share and running IIS from
>>>> that
>>>> one? (seems more difficult than changing the passwords to be the
>>>> same.)
>>>>
>>>> I can't control where my users put code to upload files, so, I pretty
>>>> much
>>>> need to sync network_services between the disconnected servers or
>>>> create a
>>>> new user account and run IIS under it.
>>>>
>>>> Thoughts?
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>