cancel
Showing results for 
Search instead for 
Did you mean: 
Superfreak3
Occasional contributor

Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?

Hi all,

We have a web application which is working fine, but field techs are requesting a change. Our current Application Pool settings are attached. We want that to be assigned a specific user/pswd entered during the install. So, I don't envision anything changing there.

We currently set the the same user on the Web Application and a Virtual Directory, but we would like to change those to ApplicationPoolIdentity. I don't see that option in the Application or Virtual Directory settings. I've attached the current security settings for that and I don't see a specific option to set the desired identity.

Is it possibly a combination of some settings or will leaving the username/pswd blank default to ApplicationPoolIdentity at install time?

Thanks in Advance!
Labels (1)
0 Kudos
21 Replies
rguggisberg
Active participant

Re: Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?

If you look to the right of the Process Model - Identity field (off the edge of your screen shot) there is an arrow for a dropdown.
Clicking on that will give you choices. Does one of them work for you?

NetworkService
LocalService
LocalSystem
SpecificUser
ApplicationPoolIdentity <-- ?
0 Kudos
Superfreak3
Occasional contributor

Re: Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?

rguggisberg wrote:
If you look to the right of the Process Model - Identity field (off the edge of your screen shot) there is an arrow for a dropdown.
Clicking on that will give you choices. Does one of them work for you?

NetworkService
LocalService
LocalSystem
SpecificUser
ApplicationPoolIdentity <-- ?


That is on the Application Pool itself and that is set up OK as far as I know. If I change that to ApplicationPoolIdentity, does that trickle down to the authentication setting on the apps/virtual directories? I guess I could try that but I don't know if setting that overides the username and password that is set during install on the Application Pool. The user set for the Application Pool during install is what is to be used there.

As the install stands now, with the setting shown, here is what the techs change in the field and what I want to accomplish with the install...

Open IIS.
Select OurApplication
In the IIS section of the center pane (icons) right click on Authentication, select Open Feature
Select Anonymous Authentication
Right Click and choose Edit
Select Application Pool Identity.

So, after install, they don't want to have to do that as the install should set that to ApplicationPoolIdenty. As you can tell, I'm not IIS expert.
0 Kudos
rguggisberg
Active participant

Re: Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?

Ok... If I understand correctly I think you want to go to
IIS
Web Sites
Name Of Your Web Site

Security
Enable Anonymous Access = Yes
Anonymous User Name = [User Name Property Entered on Install]
Anonymous Password = [Password Property Entered on Install]
0 Kudos
Superfreak3
Occasional contributor

Re: Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?

rguggisberg wrote:
Ok... If I understand correctly I think you want to go to
IIS
Web Sites
Name Of Your Web Site

Security
Enable Anonymous Access = Yes
Anonymous User Name = [User Name Property Entered on Install]
Anonymous Password = [Password Property Entered on Install]


All of that is set currently in/by our install. Anonymous Access is set to yes and results as such post install. Each web application/virtual directory then has the user name and password entered during install set in their properties as well as the Application Pool.

However, field techs have to go into each app/directory and...

Select Anonymous Authentication
Right Click and choose Edit
Select Application Pool Identity.

So, I want this setting to be set during or by the install so users or techs don't have to do so afterwards.
0 Kudos
Superfreak3
Occasional contributor

Re: Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?

I guess another way to ask this is how do I get to see the web application/virtual directory Authentication -> Anonymous Authentication (which will/should be enabled) set to ApplicationPoolIdentity immediately following install, with no need for end user or tech to do manually in IIS.

Open IIS.
Select OurApplication
In the IIS section of the center pane (icons) right click on Authentication, select Open Feature
Select Anonymous Authentication
Right Click and choose Edit

When the above steps are carried out post install, the Application pool identity option should be selected.

I've tried various combinations of the IIS settings in InstallShield, but I'm not getting the desired results.

In the actual install .ism file I've tried Identity = ApplicationPoolIdentity with name and password still used (not sure if they are ignored if set to ApplicationPoolIdentity) in the Application Pool settings in combination with Enable Anonymous Access = Yes with no user name and password used or blank in the template (I read online that to fall back to app pool identity leave these blank) on the actual application settings, but all I get when checking the above mentioned area of issue I see Specific User selected and set to IUSR.

Everything seems to work in the field with the Application Pool setting set to Specific User and with techs changing the Authentication; Anonymous Auth to Application Pool Identity. I just can't figure out how to make that happen via install.

I would think there has got to be a way!
0 Kudos
rguggisberg
Active participant

Re: Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?

I agree. Is it possible that anonymous authentication is locked?
For previous job I made a CA to unlock it.
0 Kudos
Superfreak3
Occasional contributor

Re: Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?

rguggisberg wrote:
I agree. Is it possible that anonymous authentication is locked?
For previous job I made a CA to unlock it.


I'm not sure what you mean, locked. Do you mean disabled? It is enabled after install currently.

Or, is there some other IIS specific setting used to 'lock' Anon Auth?

I guess I should also mention that I'm currently running tests on a Server 2016 system so maybe there is some OS specifics as well, but I would guess this is all in IIS.
0 Kudos
rguggisberg
Active participant

Re: Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?

Is it possible that whatever you are doing in InstallShield is being overridden by either an ApplicationHost.config or Web.config file?

https://forums.iis.net/t/1170130.aspx?IIS+7+Windows+Authentication+This+feature+has+been+locked+or+R...

0 Kudos
Superfreak3
Occasional contributor

Re: Setting Virtual Directories/Web Applications to ApplicationPoolIdentity How-To?

rguggisberg wrote:
Is it possible that whatever you are doing in InstallShield is being overridden by either an ApplicationHost.config or Web.config file?

https://forums.iis.net/t/1170130.aspx?IIS+7+Windows+Authentication+This+feature+has+been+locked+or+R...


I am able to change the desired Auth setting to Application pool identity manually without any error and the changes seems to be held or persists afterwards. Does that rule out any potential block you reference?

Oh and thanks for helping out rguggisberg!!
0 Kudos