Hi all,

I'm trying to run a CGI server through Win2003 Server IIS but within
the application pool if I don't use the LOCAL SYSTEM in the Identity
tab then it doesn't work.
I have even tried to add a new user as a Local Administrator and
granted some domain restricted policies on the machine. Now my question
is, does anybody know what level of access or default access right
the Local System Account has?

Please respond as I need to get this application up as soon as.

Thanks in advance.

Re: Application Pool by David

David
Thu Feb 22 15:38:23 CST 2007

Are you saying that your CGI requires LocalSystem to function, or that
you are unable to run CGI with a custom user identity?

It all depends on what you want to do and your security requirements:
- If your CGI requires LocalSystem, then you have no choice.
- If you are trying to use a custom user identity, it needs two
specific publicly documented privileges for impersonation, or you can
make all CGIs run as Process Identity.

But for certain, just using any user, even Administrator, will not
work - the documentation says that.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//






RE: Application Pool by JackieJa

JackieJa
Thu Feb 22 15:43:13 CST 2007

When you run under a different account than LocalSystem, what error do you
get? The account is probably missing a permission. The LocalSystem
account pretty much has all permissions.


Thank you,

Jackie Jaynes [MSFT]
Microsoft IIS

Please do not send email directly to this alias. This
is our online account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.


Re: Application Pool by Swagener

Swagener
Fri Feb 23 04:28:40 CST 2007


Hi David,

Thanks for the reply first of all.

And no, the CGI doesn't require the Local System Account to run, as I have
tried and installed it on other servers with a Network Service Account
and it did work without any problems.
Using the Local System account continuously is not an option because
the company policy is to create a new account in the Active Dir and
provide the privilege it requires on the local machine, then put the
password in the safe (A Password Encryption APP).

Any Ideas?



Re: Application Pool by Swagener

Swagener
Fri Feb 23 04:36:45 CST 2007


Hi Jackie,
Thanks for the reply as well,

The error that I receive within the explorer is 403 "access denied"
and the W3SVC1 log file shows as follows (the X represents IP
addresses):

2007-02-23 10:21:18 W3SVC1 10.XX.XXX.XX GET /XXcgi/cvhtmsrv.exe - 80 - XX.XX.XXX.XX Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) 403 19 1314

Regards


Re: Application Pool by JackieJa

JackieJa
Fri Feb 23 07:58:27 CST 2007

Try the following:

Set createprocessasuser to false in the metabase.

ADSUTIL.VBS SET W3Svc/CreateProcessAsUser false

This setting should allow the configured identity to execute the CGI
application.

Thank you,

Jackie Jaynes [MSFT]
Microsoft IIS





Re: Application Pool by Swagener

Swagener
Fri Feb 23 08:58:16 CST 2007


Hi Jackie
I have done what you suggested but now whenever I try to run the
application IIS disables the whole Default Application Pool with an
unspecified error.
I even tried to set it back to True but it is still disabling it.
I'm trying to find out why this is happening but do you have any
ideas?

Thanks


Re: Application Pool by Swagener

Swagener
Fri Feb 23 10:11:58 CST 2007


Hi Jackie,
All sorted now.
When I checked the event viewer for errors, the application as well as
the security audits led me to the conclusion it was linked to the log
on as service policy and I had to restart the CGI application service.
And it started working, thank you very much.

Regards,
Shariq


Re: Application Pool by David

David
Sun Feb 25 04:07:03 CST 2007

Hmm... why is it that PSS recommends setting CreateProcessAsUser=FALSE
for 403.19 - this changes CGI to execute as the ProcessIdentity
instead of ImpersonatedIdentity, which gives different results when
authentication is involved.

The alternative in IIS documentation is to add "Replace a Process level
Token" and "Adjust memory quotas for a process" to the custom AppPool
user Identity. This preserves default behavior with authentication.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
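
The check discussed in this thread, as an added example that is not from any of the posters: it recognises the 403.19 / Win32 1314 (ERROR_PRIVILEGE_NOT_HELD) combination in the posted log line and reads a `secedit /export` user-rights file to report which of the two named rights a pool identity lacks. The sample export, the `EXAMPLE\svc_cgipool` account and the function names are constructed, and the status fields are assumed to be the last three on the log line, as in the post.

```python
# The two user rights named in the thread, keyed by their Windows constant names.
REQUIRED_RIGHTS = {
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeIncreaseQuotaPrivilege": "Adjust memory quotas for a process",
}

# The log line from the thread (addresses masked as posted, user agent shortened).
LOG_LINE = ("2007-02-23 10:21:18 W3SVC1 10.XX.XXX.XX GET /XXcgi/cvhtmsrv.exe - 80 - "
            "XX.XX.XXX.XX Mozilla/4.0+(compatible;+MSIE+6.0) 403 19 1314")

# Constructed sample of a user-rights export; account and grants are hypothetical.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,EXAMPLE\\svc_cgipool
SeServiceLogonRight = *S-1-5-20
"""

def parse_status(log_line):
    """Return (status, substatus, win32) from the last three fields of the line."""
    return tuple(int(field) for field in log_line.split()[-3:])

def is_cgi_privilege_failure(log_line):
    """True for 403.19 with Win32 error 1314 (ERROR_PRIVILEGE_NOT_HELD)."""
    return parse_status(log_line) == (403, 19, 1314)

def parse_privilege_rights(inf_text):
    """Map each right in the [Privilege Rights] section to its set of holders."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, holders = line.split("=", 1)
            rights[name.strip()] = {h.strip().lstrip("*").lower()
                                    for h in holders.split(",") if h.strip()}
    return rights

def missing_rights(inf_text, principals):
    """Required rights held by none of the principals (SIDs or account names).
    Group membership is not resolved: pass the account and its groups."""
    rights = parse_privilege_rights(inf_text)
    wanted = {p.lower() for p in principals}
    return [r for r in REQUIRED_RIGHTS if not rights.get(r, set()) & wanted]

if __name__ == "__main__" and is_cgi_privilege_failure(LOG_LINE):
    for right in missing_rights(SAMPLE_INF, ["EXAMPLE\\svc_cgipool", "S-1-5-32-544"]):
        print("missing:", right, "-", REQUIRED_RIGHTS[right])
```

On the server the input comes from `secedit /export /cfg rights.inf /areas USER_RIGHTS`, which writes a UTF-16 file. In the constructed sample, membership in Administrators (S-1-5-32-544) still leaves "Replace a process level token" missing.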


