Superfreak3
Level 11

Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?

Hi all,

We have a web application which is working fine, but field techs are requesting a change. Our current Application Pool settings are attached. We want that to be assigned a specific user/pswd entered during the install. So, I don't envision anything changing there.

We currently set the same user on the Web Application and a Virtual Directory, but we would like to change those to ApplicationPoolIdentity. I don't see that option in the Application or Virtual Directory settings. I've attached the current security settings for that and I don't see a specific option to set the desired identity.

Is it possibly a combination of some settings or will leaving the username/pswd blank default to ApplicationPoolIdentity at install time?

Thanks in Advance!
0 Kudos
(21) Replies
rguggisberg
Level 13

If you look to the right of the Process Model - Identity field (off the edge of your screen shot) there is an arrow for a dropdown.
Clicking on that will give you choices. Does one of them work for you?

NetworkService
LocalService
LocalSystem
SpecificUser
ApplicationPoolIdentity <-- ?
0 Kudos
Superfreak3
Level 11

rguggisberg wrote:
If you look to the right of the Process Model - Identity field (off the edge of your screen shot) there is an arrow for a dropdown.
Clicking on that will give you choices. Does one of them work for you?

NetworkService
LocalService
LocalSystem
SpecificUser
ApplicationPoolIdentity <-- ?


That is on the Application Pool itself and that is set up OK as far as I know. If I change that to ApplicationPoolIdentity, does that trickle down to the authentication setting on the apps/virtual directories? I guess I could try that but I don't know if setting that overrides the username and password that is set during install on the Application Pool. The user set for the Application Pool during install is what is to be used there.

As the install stands now, with the setting shown, here is what the techs change in the field and what I want to accomplish with the install...

Open IIS.
Select OurApplication
In the IIS section of the center pane (icons) right click on Authentication, select Open Feature
Select Anonymous Authentication
Right Click and choose Edit
Select Application Pool Identity.

So, after install, they don't want to have to do that as the install should set that to ApplicationPoolIdentity. As you can tell, I'm not an IIS expert.
0 Kudos
rguggisberg
Level 13

Ok... If I understand correctly I think you want to go to
IIS
Web Sites
Name Of Your Web Site

Security
Enable Anonymous Access = Yes
Anonymous User Name = [User Name Property Entered on Install]
Anonymous Password = [Password Property Entered on Install]
0 Kudos
Superfreak3
Level 11

rguggisberg wrote:
Ok... If I understand correctly I think you want to go to
IIS
Web Sites
Name Of Your Web Site

Security
Enable Anonymous Access = Yes
Anonymous User Name = [User Name Property Entered on Install]
Anonymous Password = [Password Property Entered on Install]


All of that is set currently in/by our install. Anonymous Access is set to yes and results as such post install. Each web application/virtual directory then has the user name and password entered during install set in their properties as well as the Application Pool.

However, field techs have to go into each app/directory and...

Select Anonymous Authentication
Right Click and choose Edit
Select Application Pool Identity.

So, I want this setting to be set during or by the install so users or techs don't have to do so afterwards.
0 Kudos
Superfreak3
Level 11

I guess another way to ask this is how do I get to see the web application/virtual directory Authentication -> Anonymous Authentication (which will/should be enabled) set to ApplicationPoolIdentity immediately following install, with no need for end user or tech to do manually in IIS.

Open IIS.
Select OurApplication
In the IIS section of the center pane (icons) right click on Authentication, select Open Feature
Select Anonymous Authentication
Right Click and choose Edit

When the above steps are carried out post install, the Application pool identity option should be selected.

I've tried various combinations of the IIS settings in InstallShield, but I'm not getting the desired results.

In the actual install .ism file I've tried Identity = ApplicationPoolIdentity with name and password still used (not sure if they are ignored if set to ApplicationPoolIdentity) in the Application Pool settings, in combination with Enable Anonymous Access = Yes with no user name and password used or blank in the template (I read online that to fall back to app pool identity you leave these blank) on the actual application settings, but when checking the above-mentioned area of issue, all I see is Specific User selected and set to IUSR.

Everything seems to work in the field with the Application Pool setting set to Specific User and with techs changing the Authentication; Anonymous Auth to Application Pool Identity. I just can't figure out how to make that happen via install.

I would think there has got to be a way!
0 Kudos
rguggisberg
Level 13

I agree. Is it possible that anonymous authentication is locked?
For previous job I made a CA to unlock it.
0 Kudos
Superfreak3
Level 11

rguggisberg wrote:
I agree. Is it possible that anonymous authentication is locked?
For previous job I made a CA to unlock it.


I'm not sure what you mean, locked. Do you mean disabled? It is enabled after install currently.

Or, is there some other IIS specific setting used to 'lock' Anon Auth?

I guess I should also mention that I'm currently running tests on a Server 2016 system so maybe there is some OS specifics as well, but I would guess this is all in IIS.
0 Kudos
rguggisberg
Level 13

Is it possible that whatever you are doing in InstallShield is being overridden by either an ApplicationHost.config or Web.config file?

https://forums.iis.net/t/1170130.aspx?IIS+7+Windows+Authentication+This+feature+has+been+locked+or+Read+Only

0 Kudos
Superfreak3
Level 11

rguggisberg wrote:
Is it possible that whatever you are doing in InstallShield is being overridden by either an ApplicationHost.config or Web.config file?

https://forums.iis.net/t/1170130.aspx?IIS+7+Windows+Authentication+This+feature+has+been+locked+or+Read+Only


I am able to change the desired Auth setting to Application pool identity manually without any error and the change seems to be held or persist afterwards. Does that rule out any potential block you reference?

Oh and thanks for helping out rguggisberg!!
0 Kudos
rguggisberg
Level 13

You're welcome. Just sorry I can't be of more help. It has been a while since I have played with that.

Take a look at any ApplicationHost.config or Web.config files on the target system after install.
I don't think the fact that you can change this after install rules out any potential block by those files.
If you find these files, take a look at them before and after you make the change to see if they get changed.
0 Kudos
Superfreak3
Level 11

rguggisberg wrote:

Take a look at any ApplicationHost.config or Web.config files on the target system after install.
...
If you find these files, take a look at them before and after you make the change to see if they get changed.


I'll check out those files and post my findings either way.

I'm thinking I might have to write a Custom Action to tweak this at the end of our install (most likely C#).
0 Kudos
rguggisberg
Level 13

If you have to do a CA the A P P C M D may be of value.

This site's security rules prevent me from typing the command on one line or from using the 'A' word:(
You have to either specify full path to it or CD to it.
You can LIST and SET. Do your testing from a CMD prompt. When you get the desired combination of commands you can implement in a CA.
0 Kudos
Superfreak3
Level 11

I think I found the setting that is tweaked in ApplicationHost.config...


















I can toggle the setting by toggling the userName parameter. If set to "" then Application pool identity is selected in the desired area of IIS.

I would think that leaving the user name setting blank in the InstallShield .ism would get me what I want, but that seems to set things to IUSR.

If there is a way to do this within the .ism that would be great. Otherwise, I guess I have to write a CA to change it.
0 Kudos
Superfreak3
Level 11

rguggisberg wrote:
If you have to do a CA the A P P C M D may be of value.

This site's security rules prevent me from typing the command on one line or from using the 'A' word:(
You have to either specify full path to it or CD to it.
You can LIST and SET. Do your testing from a CMD prompt. When you get the desired combination of commands you can implement in a CA.


I was just thinking of editing the ApplicationHost.config xml directly, but maybe the cmd utility is a better way to go. Now to dig up the command I need based on the setting I found which needs tweaking.
0 Kudos
rguggisberg
Level 13

If you can get it done by changing ApplicationHost.config you might look at doing 'text substitution' via 'SYSTEM CONFIGURATION', 'XML File Changes'.
0 Kudos
Superfreak3
Level 11

rguggisberg wrote:
If you can get it done by changing ApplicationHost.config you might look at doing 'text substitution' via 'SYSTEM CONFIGURATION', 'XML File Changes'.


I wonder if that will take place after all of the IIS stuff is set up -- a matter of sequence in other words.
0 Kudos
Superfreak3
Level 11

It looks like it might be a little more involved than just an XML text replace. It appears that if set to Application pool identity, the password attribute initially supplied via the install should be removed as well. I haven't used the XML file modifications in or from the template so not sure if you can delete from there or not.
0 Kudos
rguggisberg
Level 13

You might be right about the sequencing. Although if the ApplicationHost.config is a file that you placed on the system at install time it should be modified as you specify.

I haven't used the XML file changes either. I have used the Text File Changes.... and maybe you can use that instead. It allows you to replace xxx with yyy or replace xxx with nothing... which it sounds like you want to do.
0 Kudos
Superfreak3
Level 11

The ApplicationHost.config file is not a part of our install, but a part of IIS.

I think the same question would arise surrounding the use of Text file replacement and sequencing.

I don't think I can go that route anyway as there are some attributes on the application pools we create in that .config file that have valid usernames and passwords so a universal replace wouldn't really work in this case. I guess I could make a super long replace. Even that wouldn't work as the password that would have to be removed is encrypted at install time so not sure what the string would be for replacement.

It's sounding more and more like a CA of some type.

I've sent this into Support as well. Unless and until I hear back from them or someone discovers some way to do it in the template, I'll embark on the Custom Action path.

THANKS for the help so far!!
0 Kudos
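A sketch of the custom action the thread converges on, as an added example that is not code from either poster or from InstallShield: it uses IIS's Microsoft.Web.Administration API to blank `userName` and drop the stored `password` on the anonymousAuthentication section for specific locations only, leaving the application pool's own credentials untouched. The section path is the standard IIS schema name (the XML posted in the thread did not survive), and the site, application and virtual directory names are placeholders.

```csharp
// Added example. Assumptions: a reference to Microsoft.Web.Administration.dll
// (%windir%\System32\inetsrv), an elevated process, and placeholder paths.
using System;
using Microsoft.Web.Administration;

static class AnonymousAuthFixup
{
    // Standard IIS section that backs Authentication -> Anonymous Authentication.
    const string Section =
        "system.webServer/security/authentication/anonymousAuthentication";

    // locationPaths: "Site/App" or "Site/App/VDir" entries created by the install.
    public static void UseAppPoolIdentity(params string[] locationPaths)
    {
        using (var server = new ServerManager())
        {
            // Edit applicationHost.config <location> entries, not web.config,
            // so the application pool definitions are never touched.
            Configuration appHost = server.GetApplicationHostConfiguration();

            foreach (string path in locationPaths)
            {
                ConfigurationSection anon = appHost.GetSection(Section, path);
                anon["enabled"] = true;

                // Empty userName is what IIS Manager writes when
                // "Application pool identity" is selected.
                anon["userName"] = "";

                // Remove the encrypted password left over from the install
                // instead of trying to match its ciphertext with a text replace.
                ConfigurationAttribute pwd = anon.GetAttribute("password");
                if (!pwd.IsInheritedFromDefaultValue)
                    pwd.Delete();

                Console.WriteLine("{0}: anonymous auth now uses the app pool identity", path);
            }

            // One commit after all locations are updated.
            server.CommitChanges();
        }
    }

    static void Main()
    {
        // Hypothetical names; substitute the paths the installer creates.
        UseAppPoolIdentity("Default Web Site/OurApplication",
                           "Default Web Site/OurApplication/OurVirtualDir");
    }
}
```

Sequence this after the IIS configuration step of the install so the locations already exist. Once anonymous requests run as the application pool identity, that account needs read access to the content the previous anonymous user could read.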
rguggisberg
Level 13

Just to clarify... Text replacement allows you to replace one or all occurrences of a string.
You can also specify multiple strings to substitute.
0 Kudos