IIS 6 - change Windows Service account doesn't work

IIS 6 - change Windows Service account doesn't work

on 22.11.2007 09:30:04 by KE

Hi all,

We have an application which runs on IIS and gets some files from the
fileserver via the IIS. Currently the IIS windows service account is "local
system". As far as I know, if the IIS windows service account is running
under "local system" integrated security is active. That means, the user who
works with our application is getting the files from the fileserver through
the IIS, based on his credentials.
My intention is to go away from the integrated security. I think the best
way is that we implement a technical account and run the IIS windows service
account under this account. That would mean that the IIS would get the files
from the fileserver through the IIS under the credentials of the technical
account. Is that idea correct?

I tried already to change the IIS windows service account to such a technical
account, but I got an error message as soon as I restarted the IIS windows
service. Why? How about the related services?

Many thanks for your help in advance.

Best regards,
KE

Re: IIS 6 - change Windows Service account doesn't work

on 22.11.2007 15:57:10 by David Wang

On Nov 22, 12:30 am, KE wrote:
> Hi all,
>
> We have an application which runs on IIS and gets some files from the
> fileserver via the IIS. Currently the IIS windows service account is "local
> system". As far as I know, if the IIS windows service account is running
> under "local system" integrated security is active. That means, the user who
> works with our application is getting the files from the fileserver through
> the IIS, based on his credentials.
> My intention is to go away from the integrated security. I think the best
> way is that we implement a technical account and run the IIS windows service
> account under this account. That would mean that the IIS would get the files
> from the fileserver through the IIS under the credentials of the technical
> account. Is that idea correct?
>
> I tried already to change the IIS windows service account to such a technical
> account, but I got an error message as soon as I restarted the IIS windows
> service. Why? How about the related services?
>
> Many thanks for your help in advance.
>
> Best regards,
> KE



Your idea is fine at a high level, but you are mixing many things
together and coming to the wrong conclusions and improper technical
actions.

It sounds like what you want is for the application to access the
remote fileshare using one technical user identity no matter which
user remotely accesses the application, i.e. you want to do a many-to-
one mapping of user identity.

There are *many* ways to do this, depending on the configuration and
requirements of the application. IIS6 supports them as varied as the
applications themselves.

1. If your application runs with the impersonated user identity, you
can configure only anonymous authentication, and configure the
anonymous user identity to be a user that can access the remote
fileshare.
2. If your application runs with the process user identity, you can
configure the Application Pool identity for that application to be a
user that can access the remote fileshare

There are many other variations of the same basic idea, depending on
your application's abilities, which you have not described, so I
cannot recommend any concrete advice.

However, what is DEFINITELY wrong in all cases is to change the IIS
windows service account inside of the Windows "Services" applet.
Changing those service accounts has NO effect on the user account
used by IIS to execute your application, not to mention the change is
unsupported and does not work (as you have found out). Please revert
your changes IMMEDIATELY and never change any service account users
again.

FYI: If you change the identity for the wrong service, Windows may not
boot, allow network access, or allow you to login, causing
irrecoverable data loss that is self-inflicted. Be careful.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
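As an added example, not code from the thread or from Microsoft, the two options David lists can be applied on IIS 6 from PowerShell through the metabase's ADSI provider, together with the check a practitioner would run first: that the IIS services themselves are still at their installed identity. Every name in it is an assumption: the web site metabase path W3SVC/1, an application pool called FilesAppPool, a technical account CORP\svc-webfiles, and a Windows Server 2003 host on which PowerShell has been installed (it was a separate download for that release). Run it as a local administrator on the IIS host.

```powershell
# Added example (not from the original thread): many-to-one identity mapping
# on IIS 6 via the metabase ADSI provider, instead of editing the W3SVC or
# IISADMIN service accounts in services.msc.
# Assumed: site path W3SVC/1, pool "FilesAppPool", account CORP\svc-webfiles.

function Test-IisServiceAccount {
    # W3SVC and IISADMIN must keep their installed identity (LocalSystem);
    # changing them in services.msc breaks IIS, as the thread shows.
    # Returns the names of any of the two services that was changed.
    Get-WmiObject Win32_Service -Filter "Name='W3SVC' OR Name='IISADMIN'" |
        Where-Object { $_.StartName -ne 'LocalSystem' } |
        ForEach-Object { $_.Name }
}

function Set-AnonymousIdentity {
    # Option 1: the application runs under the impersonated request identity.
    # Allow anonymous authentication only and make the anonymous user the
    # technical account, so every request is impersonated as that account.
    param([string]$SitePath, [string]$Account, [string]$Password)
    $root = [ADSI]"IIS://localhost/$SitePath/Root"
    $root.AuthFlags             = 1      # 1 = anonymous only; 2 Basic, 4 NTLM/Integrated, 16 Digest off
    $root.AnonymousUserName     = $Account
    $root.AnonymousUserPass     = $Password
    $root.AnonymousPasswordSync = $false # we supply the password; IIS must not overwrite it
    $root.LogonMethod           = 3      # network cleartext (IIS 6 default): the token carries
                                         # credentials, so it can authenticate to the file server
    $root.SetInfo()
}

function Set-AppPoolIdentity {
    # Option 2: the application runs under the process identity.
    # Run the pool's w3wp.exe as the technical account. IIS 6 requires a
    # custom pool identity to be a member of the local IIS_WPG group.
    param([string]$PoolName, [string]$Account, [string]$Password)
    $pool = [ADSI]"IIS://localhost/W3SVC/AppPools/$PoolName"
    $pool.AppPoolIdentityType = 3        # 3 = SpecificUser (0 LocalSystem, 1 LocalService, 2 NetworkService)
    $pool.WAMUserName         = $Account
    $pool.WAMUserPass         = $Password
    $pool.SetInfo()

    $group = [ADSI]"WinNT://./IIS_WPG,group"
    $user  = "WinNT://" + ($Account -replace '\\', '/') + ",user"
    try { $group.Add($user) } catch { }  # Add() throws if the account is already a member
    $pool.psbase.Invoke("Recycle")       # restart the worker process under the new identity
}

function Get-WorkerProcessOwner {
    # Verification: w3wp.exe starts on the first request to the pool; after
    # one request its owner must be the technical account.
    Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
        $owner = $_.GetOwner()
        "{0}  {1}\{2}" -f $_.ProcessId, $owner.Domain, $owner.User
    }
}

# --- usage ---------------------------------------------------------------
$account = 'CORP\svc-webfiles'                       # assumed technical account
$changed = @(Test-IisServiceAccount)
if ($changed.Count -gt 0) {
    throw "Revert $($changed -join ', ') to LocalSystem in services.msc before continuing."
}

# Never hard-code the password: prompt for it and hold the plain text only
# for the metabase write.
$secure = Read-Host -Prompt "Password for $account" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Use the variant that matches how the application runs; both are shown.
Set-AnonymousIdentity -SitePath 'W3SVC/1'      -Account $account -Password $plain
Set-AppPoolIdentity   -PoolName 'FilesAppPool' -Account $account -Password $plain
Get-WorkerProcessOwner
```

Two things the script cannot do for you. On the file server, give the technical account read-only share and NTFS permission on just the folders the application needs, and make it an ordinary domain user with no interactive or remote-desktop logon right; it is now the identity behind every request, so whatever it can read, every caller of the site can read. That is the price of the many-to-one mapping: once Integrated authentication is off, the file server no longer knows which person asked for a file, its access log shows only the service account, and any per-user authorization has to be enforced inside the application itself.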

Re: IIS 6 - change Windows Service account doesn't work

on 27.11.2007 08:19:01 by KE

Hi David,

Many thanks for your explanation and suggestion. Now, everything works fine.
BTW - Now, I understand the IIS anonymous/impersonated authentication in more
detail ;-)

Best regards,
KE


