Security – Is it possible to use IIS 7 Application Pool Identities on a 2008 Domain Controller

Tags: domain-controller, iis-7.5, security, windows-server-2008-r2

So, let me put the disclaimer in first: I wouldn't typically piggy-back IIS on a domain controller, but that's what I've got and I can't change that in this instance.

I've got a WCF web service I need to host here. I'd like to be able to use an application pool identity from IIS to grant filesystem permissions as well as Launch and Activation Permissions in component services. I'm not able to find the account when I browse for it by trying to select "IIS AppPool\DefaultAppPool".

Does anyone know if this is even possible on a 2008R2 domain controller?

Best Answer

Granting permissions to Application Pool Identities via the UI on Windows 2008R2 can be a bit prone to not working now and again, but it can be achieved using a couple of command line tools.

NTFS Permissions:

Use the ICACLS command line tool to set NTFS permissions:

icacls c:\wwwroot /grant "IIS AppPool\DefaultAppPool":(CI)(OI)(M)

The above configures the DefaultAppPool identity to have Modify permissions on c:\wwwroot with File and Folder inheritance. In the UI it looks like:

[screenshot]

and under the permissions Advanced UI:

[screenshot]

DCOM Launch and Activation and Access Permissions:

Again, the UI can be a bit hinky here when it comes to IIS AppPool\<ident> accounts and there's no built-in command line tool to configure Launch and Activation Permissions and Access Permissions. You could try setting these values in the registry but unless you know how to create a serialised ACL for LaunchPermission and AccessPermission it's going to be hard going.

All is not lost though. There's a tool called dcomperm.exe which is included as a sample project in the Microsoft Windows SDK for Windows 7 and .NET Framework 4.

This chap has written about it here:

Another step closer to the 100% scripted SharePoint installation with DcomPerm.exe

You can try and build it yourself or download a prebuilt binary from his Microsoft Live SkyDrive.

To use dcomperm.exe you'll need to know the AppID of your DCOM app. You can find it in the General tab of your application's DCOM configuration properties. For example, I've picked the IIS CertObj library as a working example:

[screenshot]

You can place your cursor in the Application ID field and select the whole field, make sure you include the curly braces as well.

Next open a command line prompt (running as Administrator). To grant your application pool identity Local Launch and Local Activation permissions you would execute:

DComPerm.exe -al {62B8CCBE-5A45-4372-8C4A-6A87DD3EDD60} set "IIS AppPool\DefaultAppPool" permit level:ll,la

Where:

  • -al = Modify or list the launch and activation permission

  • {62B8CCBE-5A45-4372-8C4A-6A87DD3EDD60} = the App ID we copied from the DCOMCNFG UI

  • set "IIS AppPool\DefaultAppPool" = set this identity

  • permit = set the permit flag

  • ll = Local Launch

  • la = Local Activation

This looks like the following in the UI:

[screenshot]
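The two grants from the answer above, done from PowerShell instead of icacls and DComPerm.exe, with a read-back of the DCOM launch DACL so you can confirm that only the bits you asked for landed. This is an added example, not code from the original answer or from the Windows SDK sample. It assumes the folder C:\wwwroot, the pool name DefaultAppPool, and the CertObj AppID shown in the answer's screenshot; swap in your own. The COM_RIGHTS_* mask values are the documented constants from objbase.h. Written for the PowerShell 2.0 that ships with 2008 R2; run it elevated on the server itself.

```powershell
# Added example (not part of the original answer). Assumed values below.
$PoolName = 'DefaultAppPool'
$Account  = "IIS AppPool\$PoolName"
$Path     = 'C:\wwwroot'                                   # assumption
$AppId    = '{62B8CCBE-5A45-4372-8C4A-6A87DD3EDD60}'      # CertObj AppID from the answer

# Resolve the virtual account to its SID first. S-1-5-82-* SIDs are machine-local and
# only resolve on the host running the pool; if this throws, stop before touching any ACL.
$Sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# --- NTFS: equivalent of  icacls C:\wwwroot /grant "IIS AppPool\DefaultAppPool":(CI)(OI)(M)
function Grant-AppPoolModify {
    param([string]$Folder, [System.Security.Principal.SecurityIdentifier]$Identity)
    $acl  = Get-Acl -Path $Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',  # (CI)(OI)
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

# --- DCOM: equivalent of  DComPerm.exe -al {AppID} set "IIS AppPool\DefaultAppPool" permit level:ll,la
# COM_RIGHTS_EXECUTE=1 (must always be set), EXECUTE_LOCAL=2, EXECUTE_REMOTE=4,
# ACTIVATE_LOCAL=8, ACTIVATE_REMOTE=16.  Local Launch + Local Activation = 1+2+8 = 11.
$COM_LOCAL_LAUNCH_ACTIVATE = 11

function Grant-AppPoolDcomLaunch {
    param([string]$ApplicationId, [string]$Domain, [string]$Name,
          [System.Security.Principal.SecurityIdentifier]$Identity, [int]$Mask)

    $app = Get-WmiObject -Class Win32_DCOMApplicationSetting -EnableAllPrivileges `
                         -Filter "AppID='$ApplicationId'"
    if (-not $app) { throw "No DCOM application with AppID $ApplicationId" }

    $sd = $app.GetLaunchSecurityDescriptor().Descriptor

    # Build the trustee with name and binary SID so WMI does not have to re-resolve it.
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.Domain    = $Domain
    $trustee.Name      = $Name
    $trustee.SIDString = $Identity.Value
    $sidBytes = New-Object byte[] $Identity.BinaryLength
    $Identity.GetBinaryForm($sidBytes, 0)
    $trustee.SID = $sidBytes

    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $Mask
    $ace.AceFlags   = 0          # DCOM ACEs carry no inheritance flags
    $ace.AceType    = 0          # ACCESS_ALLOWED_ACE_TYPE (1 would be a deny)
    $ace.Trustee    = $trustee

    $sd.DACL += $ace.psobject.ImmediateBaseObject
    $result = $app.SetLaunchSecurityDescriptor($sd.psobject.ImmediateBaseObject)
    if ($result.ReturnValue -ne 0) { throw "SetLaunchSecurityDescriptor failed: $($result.ReturnValue)" }
}

# Read-back: decode each launch ACE so 11 shows as Local Launch + Local Activation
# and a stray remote bit is obvious.
function Get-DcomLaunchAcl {
    param([string]$ApplicationId)
    $app = Get-WmiObject -Class Win32_DCOMApplicationSetting -EnableAllPrivileges `
                         -Filter "AppID='$ApplicationId'"
    $app.GetLaunchSecurityDescriptor().Descriptor.DACL | ForEach-Object {
        $m = $_.AccessMask
        New-Object PSObject -Property @{
            Trustee        = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
            Type           = if ($_.AceType -eq 0) { 'Allow' } else { 'Deny' }
            LocalLaunch    = [bool]($m -band 2)
            RemoteLaunch   = [bool]($m -band 4)
            LocalActivate  = [bool]($m -band 8)
            RemoteActivate = [bool]($m -band 16)
        }
    }
}

Grant-AppPoolModify     -Folder $Path -Identity $Sid
Grant-AppPoolDcomLaunch -ApplicationId $AppId -Domain 'IIS AppPool' -Name $PoolName `
                        -Identity $Sid -Mask $COM_LOCAL_LAUNCH_ACTIVATE
Get-DcomLaunchAcl -ApplicationId $AppId | Format-Table Trustee, Type, LocalLaunch, LocalActivate, RemoteLaunch, RemoteActivate -AutoSize
(Get-Acl $Path).Access | Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

Two practical points. The app pool SID is derived from the pool name and exists only on the machine hosting the pool, which is why typing "IIS AppPool\DefaultAppPool" works where browsing for it does not; the Translate() call at the top fails fast if the name cannot be resolved on this host. And keep the mask at the local bits only: a pool identity on a domain controller needs Local Launch and Local Activation for a local WCF host, and granting EXECUTE_REMOTE or ACTIVATE_REMOTE (4 or 16) would let that identity be reached over the network for no benefit. The read-back table makes either mistake visible before anything goes live.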