In my C# code I need to create a custom identity for my web application and add it to IIS 7. I do the following:
// Requires a reference to Microsoft.Web.Administration.dll
using System;
using Microsoft.Web.Administration;

string strAppPoolName = "MyAppPool";
string strUserName = Environment.UserDomainName + "\\" + "myappusername";
string strUserPass = "<the account password>"; // supplied elsewhere in the original; declared here so the snippet compiles
addUserAccount(strUserName, strUserPass);
using (ServerManager serverManager = new ServerManager())
{
    // Add application pool
    ApplicationPool appPool = serverManager.ApplicationPools.Add(strAppPoolName);
    appPool.AutoStart = true;
    appPool.ManagedPipelineMode = ManagedPipelineMode.Integrated;
    appPool.ManagedRuntimeVersion = "v4.0";
    appPool.ProcessModel.MaxProcesses = 1;
    // Assign identity to a custom user account
    appPool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
    appPool.ProcessModel.UserName = strUserName;
    appPool.ProcessModel.Password = strUserPass;
    // Nothing is written to applicationHost.config until the changes are committed
    serverManager.CommitChanges();
}
Where the user is added to the Active Directory as such:
using System.DirectoryServices.AccountManagement;

public static void addUserAccount(string sUserName, string sPassword)
{
    using (PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain))
    {
        using (UserPrincipal up = new UserPrincipal(oPrincipalContext))
        {
            // SamAccountName is the bare logon name; the caller passes "DOMAIN\user",
            // so strip any domain prefix before assigning it
            up.SamAccountName = sUserName.Substring(sUserName.IndexOf('\\') + 1);
            up.SetPassword(sPassword);
            up.Enabled = true;
            up.PasswordNeverExpires = true;
            up.Description = "My app's user account";
            up.Save();
        }
    }
}
The issue is that when I later add my site and application to IIS 7 under that application pool, the web application cannot run because it does not have sufficient permissions. More importantly for me, some of the .NET classes, such as those in System.Security.Cryptography, fail with unexpected error codes even if I manually set read/write permissions for this new user account on the file system folder where my web app is installed.
So while doing research I found the following statement:
If you use a custom identity, make sure that the user account you specify is a member of the IIS_IUSRS group on the Web server so that the account has proper access to resources. Additionally, when you use Windows and Kerberos authentication in your environment, you might need to register a Service Principal Name (SPN) with the domain controller (DC).
So, how do you do this?
Go to IIS Manager > Application Pools > Your domain's specific Application Pool > Advanced Settings. In Identity: click to change > Custom Account > Set > Enter User credentials from step 2, click OK and exit all.
If you need to add that account to the IIS_IUSRS group (which is local on the machine), you can use the GroupPrincipal for that. Keep in mind to create a PrincipalContext that is local to your machine, instead of the Domain one you used for the user. You can simply find the group by identity and then add the newly created user to the Members collection. The Add method has an overload that accepts a UserPrincipal.
Your code would look like this:
using System;
using System.DirectoryServices.AccountManagement;

public static void addUserAccount(string sUserName, string sPassword)
{
    using (PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain))
    {
        using (PrincipalContext oGroupContext = new PrincipalContext(ContextType.Machine))
        {
            // find the local group IIS_IUSRS
            using (var gp = GroupPrincipal.FindByIdentity(oGroupContext, "IIS_IUSRS"))
            {
                if (gp == null)
                {
                    // the group only exists once the IIS role is installed on this machine
                    throw new InvalidOperationException("Local group IIS_IUSRS not found; is IIS installed?");
                }
                using (UserPrincipal up = new UserPrincipal(oPrincipalContext))
                {
                    // SamAccountName is the bare logon name without the DOMAIN\ prefix
                    up.SamAccountName = sUserName.Substring(sUserName.IndexOf('\\') + 1);
                    up.SetPassword(sPassword);
                    up.Enabled = true;
                    up.PasswordNeverExpires = true;
                    up.Description = "My app's user account";
                    up.Save();
                    // add new user to Members of group
                    gp.Members.Add(up);
                    // save before Disposing!
                    gp.Save();
                }
            }
        }
    }
}
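As an added example (not part of the question or the answer above), the same fix done from an elevated PowerShell prompt on the web server, which is also the quickest way to check that the account actually landed in the local IIS_IUSRS group and on the pool, and to register the SPN the quoted statement mentions for Kerberos. The pool name, the account name and the site host name are assumed placeholders; the settings applied are the ones the answer describes.

```powershell
# Added example: put a domain account into the local IIS_IUSRS group, bind it to
# the application pool, verify both, and optionally register the HTTP SPN.
# Run from an elevated prompt on the web server. Names are assumptions.
param(
    [string]$AppPoolName  = "MyAppPool",
    [string]$AccountName  = "$env:USERDOMAIN\myappusername",
    [string]$SiteHostName = "www.example.com",
    [switch]$RegisterSpn
)

Import-Module WebAdministration

# Read the password interactively rather than hard-coding it in the script.
$secure   = Read-Host -Prompt "Password for $AccountName" -AsSecureString
$password = [System.Net.NetworkCredential]::new("", $secure).Password

# 1. Local group membership (idempotent: skip if the account is already a member).
$members = Get-LocalGroupMember -Group "IIS_IUSRS" -ErrorAction Stop
if ($members.Name -notcontains $AccountName) {
    Add-LocalGroupMember -Group "IIS_IUSRS" -Member $AccountName
}

# 2. Application pool identity.
if (-not (Test-Path "IIS:\AppPools\$AppPoolName")) {
    New-WebAppPool -Name $AppPoolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name managedRuntimeVersion -Value "v4.0"
Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name managedPipelineMode -Value "Integrated"
# identityType 3 = SpecificUser (the same as ProcessModelIdentityType.SpecificUser in C#)
Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel -Value @{
    identityType = 3
    userName     = $AccountName
    password     = $password
}

# 3. Verify what was actually applied, not what the script intended.
$pm      = Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel
$inGroup = (Get-LocalGroupMember -Group "IIS_IUSRS").Name -contains $AccountName
"{0}: identityType={1} userName={2} inIIS_IUSRS={3}" -f $AppPoolName, $pm.identityType, $pm.userName, $inGroup

# 4. Only needed when the site uses Kerberos: register the HTTP SPN on the pool account.
#    -S refuses to create a duplicate SPN, which would otherwise break Kerberos for the site.
if ($RegisterSpn) {
    setspn -S "HTTP/$SiteHostName" $AccountName
}
```

The membership check in step 3 is the one to run when a pool identity behaves like the question describes: if the account is not listed in IIS_IUSRS, file ACLs on the application folder alone will not give it the access IIS expects. The password is passed to IIS in clear text at configuration time, so keep it out of scripts and shell history.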