Re: App pool identity




Thank you for the input;

> In your case, you are trying to use a different account because you want
> to restrict that account to some files you're accessing on the file system.
Actually, no we aren't; this is nothing to do with access to files (although
we are using the identity to provide access to the database, but that's a
few steps past the "Service Unavailable" failure).

All we are doing here is assigning identity to the app-pool to achieve a:
true application-isolation, b: allow for trusted access to the database, and
c: move the credentials outside of the visibility of the web application
(specifically, outside of web.config; even encrypted, the details are
transparent to anything inside the application).

Note that this should (by all accounts) work just fine; it has worked on
every server we have tried, and now it is failing as we attempt to implement
on the live system (d'oh!). Obviously something is breaking it, but we don't
know what (yet); a vanilla install with all patches, changes etc works fine.

Marc

"Pandurang Nayak" <pandurangATthinkingmsDOT(nospam)com> wrote in message
news:25104C76-5E71-4D69-AAE7-C86697E240F7@xxxxxxxxxxxxxxxx
I don't really know what the problem is at your end. But the general
practice is to use either Anonymous Access or Windows Authentication to a
web service.

In your case, you are trying to use a different account because you want
to restrict that account to some files you're accessing on the file system.
For that, in the code that does the file system interaction, impersonate
the user account you created and use that account while reading/accessing
the files.

That way, client to WS access remains with the IIS defaults and WS to file
access is controlled by the rights you have defined.

That might be a design you want to consider - relatively simpler to
configure and even simpler to maintain if you wanted to move servers,
etc.

Regards,
Pandurang

--
blog: www.thinkingMS.com/pandurang


"Marc Gravell" wrote:

I want to run a web-service under a custom (least required privileged, but
with /some/ access) account - but all I get is service unavailable;

I have
* Created a new account
* Enabled logon as a service
* Added to the IIS_WPG group
* Ensured account has access to the relevant file system (read, list,
execute)
* Configured the app-pool to use the account

This doesn't fix it; even adding to the local administrators group doesn't
help! However, running as the local administrator account *does* work.

So! Any idea what step I have missed?

Marc
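
The checklist from the original question, written as a read-only verification script. This is an added example, not part of any poster's message; the account name and content path are placeholders, and it covers only the logon right, the group membership and the NTFS ACL, not the app-pool configuration itself.

```powershell
# Added example. Run elevated (secedit needs it). Read-only: changes nothing.
param(
    [string]$Account     = "$env:COMPUTERNAME\svc_webservice",  # placeholder account
    [string]$ContentPath = 'C:\Inetpub\wwwroot\MyService',      # placeholder path
    [string]$Group       = 'IIS_WPG'                            # group named in the post
)
$short = $Account.Split('\')[-1]

# Resolve the account to a SID; this throws if the account does not exist.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. "Log on as a service" (SeServiceLogonRight), read from the exported policy.
#    Holders are listed either as *SID or as a plain account name.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
$hasRight = ($holders -contains $sid) -or ($holders -contains $short) -or
            ($holders -contains $Account)

# 2. Direct membership of the worker-process group (nested groups not expanded).
$grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
$members = @($grp.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
$inGroup = $members -contains $short

# 3. NTFS: an Allow ACE naming the account or the group with read and execute.
#    Rights inherited through other groups and Deny ACEs are not evaluated here.
$need = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$aces = (Get-Acl $ContentPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.IdentityReference.Value -like "*\$short" -or
     $_.IdentityReference.Value -like "*\$Group")
}
$canRead = [bool]($aces | Where-Object { ($_.FileSystemRights -band $need) -eq $need })

"Account {0} ({1})" -f $Account, $sid
"  Log on as a service         : $hasRight"
"  Member of $Group            : $inGroup"
"  Read/execute ACE on content : $canRead"
```

Running it on a server where the identity works and on the one where it fails gives two result sets to compare line by line.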




