This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Revenera Community
- :
- InstallShield
- :
- InstallShield Forum
- :
- Re: Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?
Subscribe
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 10, 2019
10:15 AM
Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?
Hi all,
We have a web application which is working fine, but field techs are requesting a change. Our current Application Pool settings are attached. We want that to be assigned a specific user/pswd entered during the install. So, I don't envision anything changing there.
We currently set the the same user on the Web Application and a Virtual Directory, but we would like to change those to ApplicationPoolIdentity. I don't see that option in the Application or Virtual Directory settings. I've attached the current security settings for that and I don't see a specific option to set the desired identity.
Is it possibly a combination of some settings or will leaving the username/pswd blank default to ApplicationPoolIdentity at install time?
Thanks in Advance!
We have a web application which is working fine, but field techs are requesting a change. Our current Application Pool settings are attached. We want that to be assigned a specific user/pswd entered during the install. So, I don't envision anything changing there.
We currently set the the same user on the Web Application and a Virtual Directory, but we would like to change those to ApplicationPoolIdentity. I don't see that option in the Application or Virtual Directory settings. I've attached the current security settings for that and I don't see a specific option to set the desired identity.
Is it possibly a combination of some settings or will leaving the username/pswd blank default to ApplicationPoolIdentity at install time?
Thanks in Advance!
(21) Replies
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 10, 2019
03:13 PM
If you look to the right of the Process Model - Identity field (off the edge of your screen shot) there is an arrow for a dropdown.
Clicking on that will give you choices. Does one of them work for you?
NetworkService
LocalService
LocalSystem
SpecificUser
ApplicationPoolIdentity <-- ?
Clicking on that will give you choices. Does one of them work for you?
NetworkService
LocalService
LocalSystem
SpecificUser
ApplicationPoolIdentity <-- ?
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 10, 2019
03:21 PM
rguggisberg wrote:
If you look to the right of the Process Model - Identity field (off the edge of your screen shot) there is an arrow for a dropdown.
Clicking on that will give you choices. Does one of them work for you?
NetworkService
LocalService
LocalSystem
SpecificUser
ApplicationPoolIdentity <-- ?
That is on the Application Pool itself and that is set up OK as far as I know. If I change that to ApplicationPoolIdentity, does that trickle down to the authentication setting on the apps/virtual directories? I guess I could try that but I don't know if setting that overides the username and password that is set during install on the Application Pool. The user set for the Application Pool during install is what is to be used there.
As the install stands now, with the setting shown, here is what the techs change in the field and what I want to accomplish with the install...
Open IIS.
Select OurApplication
In the IIS section of the center pane (icons) right click on Authentication, select Open Feature
Select Anonymous Authentication
Right Click and choose Edit
Select Application Pool Identity.
So, after install, they don't want to have to do that as the install should set that to ApplicationPoolIdenty. As you can tell, I'm not IIS expert.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 10, 2019
03:59 PM
Ok... If I understand correctly I think you want to go to
IIS
Web Sites
Name Of Your Web Site
Security
Enable Anonymous Access = Yes
Anonymous User Name = [User Name Property Entered on Install]
Anonymous Password = [Password Property Entered on Install]
IIS
Web Sites
Name Of Your Web Site
Security
Enable Anonymous Access = Yes
Anonymous User Name = [User Name Property Entered on Install]
Anonymous Password = [Password Property Entered on Install]
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 10, 2019
04:04 PM
rguggisberg wrote:
Ok... If I understand correctly I think you want to go to
IIS
Web Sites
Name Of Your Web Site
Security
Enable Anonymous Access = Yes
Anonymous User Name = [User Name Property Entered on Install]
Anonymous Password = [Password Property Entered on Install]
All of that is set currently in/by our install. Anonymous Access is set to yes and results as such post install. Each web application/virtual directory then has the user name and password entered during install set in their properties as well as the Application Pool.
However, field techs have to go into each app/directory and...
Select Anonymous Authentication
Right Click and choose Edit
Select Application Pool Identity.
So, I want this setting to be set during or by the install so users or techs don't have to do so afterwards.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 11, 2019
09:19 AM
I guess another way to ask this is how do I get to see the web application/virtual directory Authentication -> Anonymous Authentication (which will/should be enabled) set to ApplicationPoolIdentity immediately following install, with no need for end user or tech to do manually in IIS.
Open IIS.
Select OurApplication
In the IIS section of the center pane (icons) right click on Authentication, select Open Feature
Select Anonymous Authentication
Right Click and choose Edit
When the above steps are carried out post install, the Application pool identity option should be selected.
I've tried various combinations of the IIS settings in InstallShield, but I'm not getting the desired results.
In the actual install .ism file I've tried Identity = ApplicationPoolIdentity with name and password still used (not sure if they are ignored if set to ApplicationPoolIdentity) in the Application Pool settings in combination with Enable Anonymous Access = Yes with no user name and password used or blank in the template (I read online that to fall back to app pool identity leave these blank) on the actual application settings, but all I get when checking the above mentioned area of issue I see Specific User selected and set to IUSR.
Everything seems to work in the field with the Application Pool setting set to Specific User and with techs changing the Authentication; Anonymous Auth to Application Pool Identity. I just can't figure out how to make that happen via install.
I would think there has got to be a way!
Open IIS.
Select OurApplication
In the IIS section of the center pane (icons) right click on Authentication, select Open Feature
Select Anonymous Authentication
Right Click and choose Edit
When the above steps are carried out post install, the Application pool identity option should be selected.
I've tried various combinations of the IIS settings in InstallShield, but I'm not getting the desired results.
In the actual install .ism file I've tried Identity = ApplicationPoolIdentity with name and password still used (not sure if they are ignored if set to ApplicationPoolIdentity) in the Application Pool settings in combination with Enable Anonymous Access = Yes with no user name and password used or blank in the template (I read online that to fall back to app pool identity leave these blank) on the actual application settings, but all I get when checking the above mentioned area of issue I see Specific User selected and set to IUSR.
Everything seems to work in the field with the Application Pool setting set to Specific User and with techs changing the Authentication; Anonymous Auth to Application Pool Identity. I just can't figure out how to make that happen via install.
I would think there has got to be a way!
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 11, 2019
03:00 PM
I agree. Is it possible that anonymous authentication is locked?
For previous job I made a CA to unlock it.
For previous job I made a CA to unlock it.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 11, 2019
03:20 PM
rguggisberg wrote:
I agree. Is it possible that anonymous authentication is locked?
For previous job I made a CA to unlock it.
I'm not sure what you mean, locked. Do you mean disabled? It is enabled after install currently.
Or, is there some other IIS specific setting used to 'lock' Anon Auth?
I guess I should also mention that I'm currently running tests on a Server 2016 system so maybe there is some OS specifics as well, but I would guess this is all in IIS.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 11, 2019
03:42 PM
Is it possible that whatever you are doing in InstallShield is being overridden by either an ApplicationHost.config or Web.config file?
https://forums.iis.net/t/1170130.aspx?IIS+7+Windows+Authentication+This+feature+has+been+locked+or+Read+Only
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 11, 2019
03:45 PM
rguggisberg wrote:
Is it possible that whatever you are doing in InstallShield is being overridden by either an ApplicationHost.config or Web.config file?
https://forums.iis.net/t/1170130.aspx?IIS+7+Windows+Authentication+This+feature+has+been+locked+or+Read+Only
I am able to change the desired Auth setting to Application pool identity manually without any error and the changes seems to be held or persists afterwards. Does that rule out any potential block you reference?
Oh and thanks for helping out rguggisberg!!
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 11, 2019
04:04 PM
Your welcome. Just sorry I can't be of more help. It has been a while since I have played with that.
Take a look at any ApplicationHost.config or Web.config files on the target system after install.
I don't think the fact that you can change this after install rules out any potential block by those files.
If you find these files, take a look at them before and after you make the change to see if they get changed.
Take a look at any ApplicationHost.config or Web.config files on the target system after install.
I don't think the fact that you can change this after install rules out any potential block by those files.
If you find these files, take a look at them before and after you make the change to see if they get changed.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 13, 2019
08:31 PM
rguggisberg wrote:
Take a look at any ApplicationHost.config or Web.config files on the target system after install.
...
If you find these files, take a look at them before and after you make the change to see if they get changed.
I'll check out those files and post my findings either way.
I'm thinking I might have to write a Custom Action to tweak this at the end of our install (most likely C#).
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 14, 2019
10:14 AM
If you have to do a CA the A P P C M D may be of value.
This site's security rules prevent me from typing the command on one line or from using the 'A' word:(
You have to either specify full path to it or CD to it.
You can LIST and SET. Do your testing from a CMD prompt. When you get the desired combination of commands you can implement in a CA.
This site's security rules prevent me from typing the command on one line or from using the 'A' word:(
You have to either specify full path to it or CD to it.
You can LIST and SET. Do your testing from a CMD prompt. When you get the desired combination of commands you can implement in a CA.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 14, 2019
10:19 AM
I think I found the setting that is tweaked in ApplicationHost.config...
I can toggle the setting by toggling the userName parameter. If set to "" then Application pool identity is selected in the desired area of IIS.
I would think that leaving the user name setting blank in the InstallShield .ism would get me what I want, but that seems to set things to IUSR.
If there is a way to do this within the .ism that would be great. Otherwise, I guess I have to write a CA to change it.
I can toggle the setting by toggling the userName parameter. If set to "" then Application pool identity is selected in the desired area of IIS.
I would think that leaving the user name setting blank in the InstallShield .ism would get me what I want, but that seems to set things to IUSR.
If there is a way to do this within the .ism that would be great. Otherwise, I guess I have to write a CA to change it.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 14, 2019
10:21 AM
rguggisberg wrote:
If you have to do a CA the A P P C M D may be of value.
This site's security rules prevent me from typing the command on one line or from using the 'A' word:(
You have to either specify full path to it or CD to it.
You can LIST and SET. Do your testing from a CMD prompt. When you get the desired combination of commands you can implement in a CA.
I was just thinking of editing the ApplicationHost.config xml directly, but maybe the cmd utility is a better way to go. Now to dig up the command I need based on the setting I found which needs tweaking.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 14, 2019
10:29 AM
If you can get it done by changing ApplicationHost.config you might look at doing 'text substitution' via 'SYSTEM CONFIGURATION', 'XML File Changes'.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 14, 2019
11:25 AM
rguggisberg wrote:
If you can get it done by changing ApplicationHost.config you might look at doing 'text substitution' via 'SYSTEM CONFIGURATION', 'XML File Changes'.
I wonder if that will take place after all of the IIS stuff is set up -- a matter of sequence in other words.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 14, 2019
11:43 AM
It looks like it might be a little more involved than just an XML text replace. It appears that if set to Application pool identity, the password attribute initially supplied via the install should be removed as well. I haven't used the XML file modifications in or from the template so not sure if you can delete from there or not.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 14, 2019
12:08 PM
You might be right about the sequencing. Although if the ApplicationHost.config is a file that you placed on the system at install time it should be modified as you specify.
I haven't used the XML file changes either. I have used the Text File Changes.... and maybe you can use that instead. It allows you to replace xxx with yyy or replace xxx with nothing... which it sounds like you want to do.
I haven't used the XML file changes either. I have used the Text File Changes.... and maybe you can use that instead. It allows you to replace xxx with yyy or replace xxx with nothing... which it sounds like you want to do.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 14, 2019
01:45 PM
The ApplicationHost.config file is not a part of our install, but a part of IIS.
I think the same question would arise surrounding the use of Text file replacement and sequencing.
I don't think I can go that route anyway as there are some attributes on the application pools we create in that .config file that have valide usernames and passwords so a universal replace wouldn't really work in this case. I guess I could make a super long replace. Even that wouldn't work as the password that would have to be removed is encrypted at install time so not sure what the string would be for replacement.
It's sounding more and more like a CA of some type.
I've sent this into Support as well. Unless and until I hear back from them or someone discovers some way to do it in the template, I'll embark on the Custom Action path.
THANKS for the help so far!!
I think the same question would arise surrounding the use of Text file replacement and sequencing.
I don't think I can go that route anyway as there are some attributes on the application pools we create in that .config file that have valide usernames and passwords so a universal replace wouldn't really work in this case. I guess I could make a super long replace. Even that wouldn't work as the password that would have to be removed is encrypted at install time so not sure what the string would be for replacement.
It's sounding more and more like a CA of some type.
I've sent this into Support as well. Unless and until I hear back from them or someone discovers some way to do it in the template, I'll embark on the Custom Action path.
THANKS for the help so far!!
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
‎Jan 14, 2019
02:05 PM
Just to clarify... Text replacement allows you to replace one or all occurrences of a string.
You can also specify multiple strings to substitute.
You can also specify multiple strings to substitute.