Migrating Identity-Related Attributes

Applies To: Windows Server 2003, Windows Server 2003 with SP1

In IIS 5.0, specifying an identity allowed a worker process in ASP.NET to use a Windows identity other than that of the default process identity. Process identity is an operating system term used to denote the account that a process runs under. Every running process on a Windows Server 2003 has a process identity that is used to control access to resources on the Web server.

Note

In IIS 6.0, the application pool identity allows worker processes servicing the application pool to use an identity other than the default identity NetworkService. In IIS 5.0, the default identity is LocalSystem.

The Machine.config attributes that affect identity-related metabase properties include:

  • username

  • password

Migrating the username Attribute

The username Machine.config attribute specifies the user account used by ASP.NET as an identity for worker processes. The attribute is a string value and does not exist in Machine.config by default.

In IIS 5.0, the username Machine.config attribute has the following values:

  • No entry. When the username attribute does not exist in the Machine.config file, ASP.NET runs worker processes under the identity of LocalSystem.

  • Machine. Causes ASP.NET to run worker processes under a user account named ASPNET that is created automatically when ASP.NET is installed. This is the default configuration.

  • System. Causes ASP.NET to run worker processes under a user account named System, which is created automatically when ASP.NET is installed and gives ASP.NET processes full administrative privileges. Applications running under the identity of the System account have unconstrained privileges on the Web server. Run applications under the identity of the System account only when your applications require it.

  • Configured account. When the username attribute names a service account, ASP.NET runs worker processes under the identity of that service account.

Configure the equivalent settings in IIS 6.0 by selecting an IIS 6.0 configuration setting that allows the ASP.NET application to run properly while not compromising the security of the Web server. This selection is done in an order of preference, from most secure to least secure.

Configure the User name settings in IIS 6.0 by selecting one of the following in order of security preference:

  • Option 1. Configure IIS 6.0 to use NetworkService.

  • Option 2. Configure IIS 6.0 to use a new service account and grant the account the minimal user rights or group membership to allow the applications to run successfully.

  • Option 3. Configure IIS 6.0 to use a new service account that belongs to the local Administrators group.

Option 1. Configure IIS 6.0 to use NetworkService

This is the default identity for IIS 6.0 and is the recommended identity. Most ASP.NET applications can run by using this configuration. Test your ASP.NET application to ensure proper operation with NetworkService as the identity.

For more information about how to configure the username setting, see Configure Application Pool Identity.

Option 2. Configure IIS 6.0 to use a new service account and grant the account the minimal user rights or group membership to allow the applications to run successfully

Select this option when the ASP.NET application is unable to run under the NetworkService identity. You might need to do this when the username Machine.config attribute does not exist or is set to Machine, System, or to a configured account.

For more information about how to create an account, see Create a Service Account. For more information about how to grant user rights, see Grant User Rights to a Service Account. For more information about how to configure the username setting, see Configure Application Pool Identity.

Option 3. Configure IIS 6.0 to use a new service account that belongs to the local Administrators group

As a last resort, select this option when the ASP.NET application requires an identity that is a member of the local Administrators group. You might need to do this when the username Machine.config attribute does not exist, is set to System, or is set to a configured account that is a member of the local Administrators group.

For more information about how to create an account, see Create a Service Account. For more information about how to make a service account a member of the local Administrators group, see Make a Service Account a Member of the Local Administrators Group. For more information about how to configure the username setting, see Configure Application Pool Identity.

Migrating the password Attribute

The password Machine.config attribute specifies the password for the user account used by ASP.NET as an identity for worker processes. The attribute is a string value and does not exist in Machine.config by default, which indicates that the worker processes should run under the default identity of LocalSystem in IIS 5.0.

If you selected NetworkService for the identity for the worker processes, then no password is required. If you decided to create a service account, then configure the password setting in IIS 6.0 with the password for the service account.

For more information about how to configure the password setting, see Configure Application Pool Identity.
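The decision procedure in the "Migrating the username Attribute" and "Migrating the password Attribute" sections above can be captured as a small migration helper. The following Python script is an added example written for this page; it is not a Microsoft tool and is not part of the original documentation. It reads the userName and password attributes from a constructed Machine.config <processModel> fragment, classifies the IIS 5.0 identity into the four cases listed above (no entry, Machine, System, configured account), and selects Option 1, 2 or 3 in the stated order of preference. The metabase property names AppPoolIdentityType (2 = NetworkService, 3 = SpecificUser) and WAMUserName are IIS 6.0 application pool properties that are not named on this page; the test inputs, the hypothetical account name CORP\svcweb and the "AutoGenerate" password value are constructed sample data.

```python
# Added example: decision logic for migrating IIS 5.0 <processModel>
# userName/password attributes to an IIS 6.0 application pool identity.
# Illustrative code written for this page, not a Microsoft tool.
import xml.etree.ElementTree as ET

# IIS 6.0 metabase AppPoolIdentityType values (not stated on this page):
# 0 = LocalSystem, 1 = LocalService, 2 = NetworkService, 3 = SpecificUser
NETWORK_SERVICE = 2
SPECIFIC_USER = 3

# Constructed Machine.config fragments (sample data, not real files).
SAMPLE_NO_ENTRY = (
    '<configuration><system.web><processModel enable="true"/>'
    '</system.web></configuration>'
)
SAMPLE_MACHINE = (
    '<configuration><system.web>'
    '<processModel enable="true" userName="machine" password="AutoGenerate"/>'
    '</system.web></configuration>'
)


def parse_process_model(machine_config_xml):
    """Return (userName, password) from <processModel>; None when absent."""
    root = ET.fromstring(machine_config_xml)
    pm = root.find("./system.web/processModel")
    if pm is None:
        return None, None
    return pm.get("userName"), pm.get("password")


def iis5_identity(username):
    """Map the username attribute to the IIS 5.0 worker process identity
    using the four cases from the text (values compared case-insensitively)."""
    if username is None:
        return "LocalSystem"          # no entry
    key = username.lower()
    if key == "machine":
        return "ASPNET"               # auto-created ASPNET account
    if key == "system":
        return "System"               # full administrative privileges
    return "configured account"


def migration_plan(username, *, works_under_network_service,
                   requires_local_admin=False, account_is_local_admin=False):
    """Select the IIS 6.0 option in order of preference (1, then 2, then 3)
    and return the application pool identity settings to configure.

    works_under_network_service: outcome of testing the app under NetworkService.
    requires_local_admin: the app cannot run without local Administrators.
    account_is_local_admin: for a configured account, whether it was an admin.
    """
    old = iis5_identity(username)
    # Identities that had unconstrained privileges on the IIS 5.0 server.
    previously_privileged = old in ("LocalSystem", "System") or (
        old == "configured account" and account_is_local_admin)
    plan = {"iis5_identity": old, "previously_privileged": previously_privileged,
            "review_required": False}

    if works_under_network_service:
        # Option 1: built-in identity, no password to manage.
        plan.update(option=1, AppPoolIdentityType=NETWORK_SERVICE,
                    WAMUserName=None, password_required=False)
        return plan

    if requires_local_admin and previously_privileged:
        # Option 3: last resort, only where the app already ran with admin rights.
        plan.update(option=3, AppPoolIdentityType=SPECIFIC_USER,
                    WAMUserName="<new service account>", password_required=True,
                    group_membership="Administrators")
        return plan

    # Option 2: new service account with minimal rights. If the app asks for
    # local admin but never had it under IIS 5.0, flag it for review rather
    # than granting more privilege than before.
    plan.update(option=2, AppPoolIdentityType=SPECIFIC_USER,
                WAMUserName="<new service account>", password_required=True,
                review_required=requires_local_admin)
    return plan


def demo():
    """Run the helper over the two constructed fragments."""
    user, pw = parse_process_model(SAMPLE_MACHINE)
    # The IIS 5.0 password value is never migrated; a new service account
    # gets its own password entered in the IIS 6.0 password setting.
    plan = migration_plan(user, works_under_network_service=False)
    return user, pw, plan


if __name__ == "__main__":
    print(demo())
```

The password handling is deliberate: whatever the old password attribute held, the IIS 6.0 setting is populated from the newly created service account, and Option 1 needs no password at all. The review_required flag marks the one combination the text does not list as a path to Option 3 (an application that ran as the ASPNET account but now claims to need local Administrators), so that privilege is not widened silently during migration.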