Set username to "system" in machine.config, but ASP.NET running as NETWORK SERVICE

[wizofaus]

I've now created the same setup on four different machines, where I'm
changing the processModel section machine.config so that ASP.NET (1.1)
runs as SYSTEM, to give it permission to do various things like access
the Task Scheduler etc.
Three of the machines are using IIS 5.1 and work fine. The 4th machine
is using IIS 6.0, and also has ASP.NET 2.0 installed (but I've made
sure that the IIS application in question is using ASP.NET 1.1). But
on this machine, the machine.config setting seems be to getting
ignored, and the process is running as "NETWORK SERVICE", which does
*not* have permission to access the Task Scheduler (at least, by
default - presumably I could grant it this access).
Any clues why this setting would not work under IIS 6.0? I've tried
rerunning aspnet_regiis, restarting the web server any number of times,
but to no avail.

Thanks.

 

[wizofaus]

I've now created the same setup on four different machines, where I'm
changing the processModel section machine.config so that ASP.NET (1.1)
runs as SYSTEM, to give it permission to do various things like access
the Task Scheduler etc.
Three of the machines are using IIS 5.1 and work fine. The 4th machine
is using IIS 6.0, and also has ASP.NET 2.0 installed (but I've made
sure that the IIS application in question is using ASP.NET 1.1). But
on this machine, the machine.config setting seems be to getting
ignored, and the process is running as "NETWORK SERVICE", which does
*not* have permission to access the Task Scheduler (at least, by
default - presumably I could grant it this access).
Any clues why this setting would not work under IIS 6.0? I've tried
rerunning aspnet_regiis, restarting the web server any number of times,
but to no avail.

Never mind, found the problem - under IIS 6.0 it appears you have to
configure the application pool identity instead. I assume then the
processModel section in machine.config is not used under IIS 6.0.

Writing an install that can do all this automatically is going to be
fun.

 

[Yinon Ehrlich]

Never mind, found the problem - under IIS 6.0 it appears you have to
configure the application pool identity instead. I assume then the
processModel section in machine.config is not used under IIS 6.0.

Writing an install that can do all this automatically is going to be
fun.

Hi,

Instead of doing these tweaks on installation, you can use impersonation
- even per application - by add the following line in your application's
web.config:
<identity impersonate = "true" userName="SYSTEM"/>

 

[wizofaus]

Hi,

Instead of doing these tweaks on installation, you can use impersonation
- even per application - by add the following line in your application's
web.config:
<identity impersonate = "true" userName="SYSTEM"/>

Are you sure? That seems like a security loophole - if a
non-Administrator had write access to a directory containing an ASP.NET
application, they could easily change it to run as LocalSystem, which
typically has full access to everything. Certainly our intention is to
allow support staff write access to the directories where ASP.NET apps
sit, as the web.config file has some settings they may need to adjust -
but we certainly wouldn't want to allow them to change the process
identity (in future versions I hope not to require running as Local
System, but for now it's the least problematic).