Score:0

Using ApplicationPoolIdentity for two different websites with different network folders access permissions


I need to configure two websites that need to have access to two different network folders (for example website1 needs access to X:/netfolder1/ and website2 needs access to X:/netfolder2/)

I've read the following two articles:

https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

And

https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/understanding-identities

And it says the following:

An application pool identity allows you to run an application pool under a unique account without having to create and manage domain or local accounts

Assuming I created two app pools: website1 and website2

I then need to add each to the matching website's folder users and give it the right permissions (adding IIS AppPool\web1 to the web1 folder and IIS AppPool\web2 to the web2 folder)

It works and each website runs. Both use the ApplicationPoolIdentity

But now the part where each website needs access to a different network folder is problematic because the article also says:

The good news is that application pool identities also use the machine account to access network resources. No changes are required.

So if I understand correctly, it means that in the network folder I need to add the computer name to the users list and give it the permissions I want. But in this case I can't separate between the websites because both use the same ApplicationPoolIdentity, so if I give one website access to a certain folder, all websites using ApplicationPoolIdentity will have access to that folder.

But then I was thinking that I could just create another custom ApplicationPoolIdentity, but realized it's not possible; there's only one built-in identity.

And if I want to add another identity, it's going to be a custom account as seen in the second article.

But then it contradicts the first statement that I can

run an application pool under a unique account without having to create and manage domain or local accounts

Because a custom account is a real account, in my case a domain account. Because by creating 2 different domain accounts, I can assign each to a different folder over network.

Or is there a way to only use ApplicationPoolIdentity while separating access on the network folder? Or is ApplicationPoolIdentity just the default identity that I can't expect to use for everything, much like the Default Website?

Score:1

What you want to do is not possible.

You can have different ApplicationPoolIdentities on the same system, but when accessing another computer, they all will just appear as the same computer account.

You'll need to use either two domain user accounts, or two managed service accounts; both of them will have to be created in your AD domain.

pileup
Thank you, that's what I currently do - I have 2 domain user accounts in the AD domain as you said. So it looks like I will have to leave it as is. This "issue" was discovered by the security team, who were afraid of seeing `appcmd list apppool /config -- passwords` showing these domain users' passwords in plain text. So the only thing I can do in this case is to leave it as it is now, use these accounts only for the specific purpose of reading a specific directory, and give them only the necessary permissions? (In my case, this identity also needs to save/read files in the network folder)
pileup
Also, these accounts were given local administrator, so I assume that's why they were afraid: because of someone's mistake, these identity users were also being used as the local administrator on the server! Therefore having their passwords in plain text was dangerous. But now if I just use them as the identity it should be alright, right?
Massimo
`Also, these accounts were given local administrator` that should definitely *not* be the case for a web site service account.
pileup
Yes, I was shocked when I saw that (I did not create/assign the accounts, but just asked the team in charge to do it because I'm working in an organization). I removed them and now the only thing that's left is that their passwords are visible from the command, but there's not much to do about that, right? I mean, is it less secure than using the `AppPoolIdentity`? And one more thing, when you said `You can have different ApplicationPoolIdentities`, which type did you mean? How do I create another identity like the built-in one? Or did you mean something like a local account to be used as an identity?
Lex Li
@B.DLiroy 1) Using administrator accounts as application pool identities is not that surprising. Certain web apps do need those permissions. 2) Seeing passwords in `appcmd list apppool /config -- passwords` isn't surprising either, as only administrators of that machine can run the command. If you want to avoid the passwords, you can use passwordless accounts like domain managed service accounts (part of the answer). 3) While web servers are vulnerable to attacks, you can find how those risks can be managed.
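The answer's recommendation of managed service accounts, and Lex Li's later point that a gMSA gives each pool a passwordless domain identity, as an added PowerShell example. This is not code from the answer or from any commenter; it uses the standard ActiveDirectory and WebAdministration cmdlets, and every name in it (domain CORP with DNS suffix corp.example, web server WEB01, pools web1 and web2, gMSAs gmsa-web1 and gmsa-web2, the netfolder shares) is an assumption standing in for the asker's environment. The audit function at the end goes slightly beyond the thread: it reports every pool's effective identity, whether a password is stored for it, and whether that identity is a direct member of the local Administrators group.

```powershell
# Added example, not code from the answer or the comments. Assumed names: domain CORP
# (DNS corp.example), web server WEB01, app pools web1 and web2, gMSAs gmsa-web1 and
# gmsa-web2. Run in an elevated PowerShell session on the web server.
#Requires -RunAsAdministrator
Import-Module WebAdministration    # provides the IIS:\ drive
Import-Module ActiveDirectory      # RSAT AD module, needed for the *-ADServiceAccount cmdlets

# Step 1 (once, by whoever administers AD): one gMSA per pool, whose managed password only the
# web server's computer account may retrieve. A KDS root key must already exist (Get-KdsRootKey).
function New-PoolServiceAccount {
    param(
        [Parameter(Mandatory)] [string] $Name,        # e.g. gmsa-web1
        [Parameter(Mandatory)] [string] $WebServer    # e.g. WEB01$ (the computer account)
    )
    New-ADServiceAccount -Name $Name -DNSHostName "$Name.corp.example" `
        -PrincipalsAllowedToRetrieveManagedPassword $WebServer
}

# Step 2 (on the web server): install the gMSA locally and point the pool at it.
function Set-PoolIdentityToGmsa {
    param(
        [Parameter(Mandatory)] [string] $PoolName,    # e.g. web1
        [Parameter(Mandatory)] [string] $Account      # e.g. CORP\gmsa-web1$ (trailing $ is required)
    )
    $sam = ($Account -split '\\')[-1].TrimEnd('$')
    Install-ADServiceAccount -Identity $sam
    if (-not (Test-ADServiceAccount -Identity $sam)) {
        throw "This host cannot retrieve the managed password for $Account"
    }
    # identityType 3 = SpecificUser. The empty password is what tells IIS to use the managed
    # password, so no credential is written to applicationHost.config for appcmd to print.
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
        identityType = 3
        userName     = $Account
        password     = ''
    }
}

# Step 3: audit every pool. StoredPassword is true when a SpecificUser pool still carries a
# password in applicationHost.config; LocalAdmin is true when the identity is SYSTEM or a direct
# member of the local Administrators group (nested group membership is not followed).
function Get-PoolIdentityReport {
    $admins = @((Get-LocalGroupMember -Group 'Administrators').Name)
    foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
        $pm   = $pool.processModel
        $type = "$($pm.identityType)"     # provider may return the enum name or its number
        $identity = switch ($type) {
            { $_ -in 'LocalSystem', '0' }             { 'NT AUTHORITY\SYSTEM' }
            { $_ -in 'LocalService', '1' }            { 'NT AUTHORITY\LOCAL SERVICE' }
            { $_ -in 'NetworkService', '2' }          { 'NT AUTHORITY\NETWORK SERVICE' }
            { $_ -in 'SpecificUser', '3' }            { $pm.userName }
            { $_ -in 'ApplicationPoolIdentity', '4' } { "IIS AppPool\$($pool.name)" }
            default                                   { "unknown ($type)" }
        }
        [pscustomobject]@{
            Pool           = $pool.name
            Identity       = $identity
            StoredPassword = (($type -in 'SpecificUser', '3') -and
                              -not [string]::IsNullOrEmpty($pm.password))
            LocalAdmin     = (($identity -eq 'NT AUTHORITY\SYSTEM') -or ($admins -contains $identity))
        }
    }
}

# Usage on WEB01, after Step 1 has been run for gmsa-web1 and gmsa-web2 with WEB01$ as principal:
# Set-PoolIdentityToGmsa -PoolName web1 -Account 'CORP\gmsa-web1$'
# Set-PoolIdentityToGmsa -PoolName web2 -Account 'CORP\gmsa-web2$'
# Get-PoolIdentityReport | Format-Table -AutoSize
# On the file server, grant CORP\gmsa-web1$ rights on netfolder1 and CORP\gmsa-web2$ on netfolder2.
```

Because each pool now authenticates to the file server as its own gMSA rather than as WEB01$, the share ACLs can be set per pool, which is the separation the question asks for. The managed password is rotated by AD and never stored in IIS configuration, so an administrator running `appcmd list apppool /config` sees an empty password field. The report function is the check to rerun after any change to pool identities; a pool showing LocalAdmin = True is the misconfiguration the comments describe.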
pileup
Thank you! Everything understood. Only thing is I'm trying to understand scenarios where a web app needs the identity to be local administrator. Do you have an example?