Configure Service Account eDirectory Login for IIS application pool

  • 7011952
  • 14-Mar-2013
  • 19-Mar-2018

Environment

Client for Open Enterprise Server 2 SP4 for Windows
Novell Client 2 SP3 for Windows
Windows Server 2012 R2
Windows Server 2008 R2
Internet Information Services (IIS) 8.5
Internet Information Services (IIS) 7.5
Application Pool

Situation

"Service Account eDirectory Login" configuration is not working for allowing the IIS web server access to eDirectory resources.

Even with a valid "Service Account eDirectory Login" configuration in place, the running instance of w3wp.exe cannot access an eDirectory path.

Resolution

1. If your IIS Application Pool Identity is set to the default of "ApplicationPoolIdentity", then the Service Account eDirectory Login configuration needs to be created using the name of the Application Pool, rather than the name of a Windows user account.  For example, [HKEY_LOCAL_MACHINE\Software\Novell\Login\Service Account eDirectory Login\DefaultAppPool] if the Application Pool being used is "DefaultAppPool".  There will not be a password inherently available for the eDirectory login attempt, so the "DefaultPassword" value must be included as part of the Service Account eDirectory Login configuration.

or,

2. If your IIS Application Pool Identity is set to logon as "Custom account", then the Service Account eDirectory Login configuration needs to be created for that Windows account name, similar to other non-IIS Windows service logons.   For example, [HKEY_LOCAL_MACHINE\Software\Novell\Login\Service Account eDirectory Login\MyServiceUser] if the Windows account name being used is "MyServiceUser".

In addition, the "logonType" for this Application Pool will need to be set to "LogonService", instead of the default of "LogonBatch".  The Internet Information Services (IIS) Manager configuration console does not provide for changing this configuration, so to set the "logonType" configuration you will have to use the following command line:

"C:\Windows\System32\inetsrv\appcmd.exe" set apppool "<name of application pool>" /processModel.logonType:LogonService

Additional Information

As described in TID 7008266, creating a Service Account eDirectory Login configuration can enable an eDirectory login attempt to occur whenever Windows starts up a service.  For many services designed to run on Windows, this configuration is straight-forward and can simply be based on the Windows user account name that has been specified for the Windows service to run under.

Specifically with Microsoft's Internet Information Services (IIS), there are additional conditions and decisions necessary in order to create a successful Service Account eDirectory Login configuration that will allow the IIS worker process to access eDirectory resources.

The IIS worker process will run under the Application Pool it is configured to run under in the IIS server configuration, and the Application Pool in turn has configuration options for what the Application Pool Identity should be.  See the Microsoft IIS documentation on "Application Pool Identities" (https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities) for additional information.

The "LocalSystem" and "LocalService" built-in selections for Application Pool Identity will not allow for a successful Service Account eDirectory Login configuration, and will only be able to access local Windows Server resources.  In a Windows Domain environment, the "NetworkService" built-in selection technically does have network access, but it is using the identity of the Windows Server's machine account in the domain.

Selecting "ApplicationPoolIdentity", which is also the IIS default configuration, allows for creating a successful Service Account eDirectory Login configuration.  The registry key that needs to be created will be the name of the Application Pool, rather than a Windows user account name.  For example, [HKEY_LOCAL_MACHINE\Software\Novell\Login\Service Account eDirectory Login\DefaultAppPool] if the Application Pool being used is "DefaultAppPool".

When using "ApplicationPoolIdentity" and the Application Pool name, there will not be a password automatically available for the eDirectory login attempt.  So in addition to the Service Account eDirectory Login configuration of "DefaultUserName" and "DefaultTreeName", it will also be necessary to configure a "DefaultPassword" value to provide the eDirectory password necessary for login.

Alternatively, the Application Pool Identity can be configured using "Custom account", which allows you to set a specific Windows user account that the Application Pool should logon as, similar to a normal Windows service logon configuration.  However, the default IIS "logonType" for this user account logon is "LogonBatch", which is not compatible with the Service Account eDirectory Login configuration.

The "logonType" configuration must be switched to "LogonService" instead of "LogonBatch" when specifying a specific Windows account for the Application Pool Identity.  However, the Internet Information Services (IIS) Manager configuration application does not provide a user interface for changing this configuration.  To set the "logonType" configuration of an Application Pool, you will have to enter the following command:

"C:\Windows\System32\inetsrv\appcmd.exe" set apppool "<name of application pool>" /processModel.logonType:LogonService

Now, once IIS has been restarted, the Windows user account logon performed for the Application Pool Identity will be able to interact with the Service Account eDirectory Login configuration.  Same as for other normal services, the registry key that needs to be created will be the Windows user account name.  For example, [HKEY_LOCAL_MACHINE\Software\Novell\Login\Service Account eDirectory Login\MyServiceUser] if the Windows account name being used is "MyServiceUser". 

Like other Windows service logons, by default the eDirectory login attempt will use the Windows account password used for the Windows service logon.  So there will not need to be a "DefaultPassword" value configured in the Service Account eDirectory Login configuration for this case, unless the eDirectory account password is different from the Windows account password.

If you are unsure what the "logonType" configuration is for the existing Application Pools, run the following command and look at the "logonType" field that exists for any of the application pools that have been configured to logon as a specific Windows user account for the Application Pool Identity:

"C:\Windows\System32\inetsrv\appcmd.exe" list apppool /config:* /xml
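Added example, not from this TID or the Novell Client: a PowerShell script covering both Resolution steps. It audits the "appcmd list apppool" XML for "Custom account" pools still on "LogonBatch", switches them to "LogonService", and creates the Service Account eDirectory Login subkey with the "DefaultUserName", "DefaultTreeName" and optional "DefaultPassword" values. It assumes appcmd's XML wraps each pool in an <APPPOOL APPPOOL.NAME="..."> element with a nested <processModel> element, and that the three values are REG_SZ strings; run it as Administrator on the IIS host.

```powershell
$AppCmd        = 'C:\Windows\System32\inetsrv\appcmd.exe'
$EdirLoginRoot = 'HKLM:\SOFTWARE\Novell\Login\Service Account eDirectory Login'
# Lists pools that log on as a specific Windows account ("Custom account")
# but still use LogonBatch, i.e. the ones that need LogonService.
function Get-IncompatibleAppPool {
    param([xml]$AppCmdXml = [xml](& $AppCmd list apppool '/config:*' '/xml'))
    foreach ($pool in $AppCmdXml.SelectNodes('//APPPOOL')) {
        $pm = $pool.SelectSingleNode('.//processModel')
        if ($pm.identityType -eq 'SpecificUser' -and $pm.logonType -ne 'LogonService') {
            [pscustomobject]@{
                Name      = $pool.GetAttribute('APPPOOL.NAME')
                UserName  = $pm.userName
                LogonType = $pm.logonType
            }
        }
    }
}

# $KeyName is the Application Pool name (ApplicationPoolIdentity case) or
# the Windows account name (Custom account case). -Password is needed for
# ApplicationPoolIdentity, otherwise only if the eDirectory password differs.
function Set-EdirServiceLogin {
    param(
        [Parameter(Mandatory)][string]$KeyName,
        [Parameter(Mandatory)][string]$EdirUserName,
        [Parameter(Mandatory)][string]$TreeName,
        [string]$Password
    )
    $key = Join-Path $EdirLoginRoot $KeyName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DefaultUserName' -Value $EdirUserName
    Set-ItemProperty -Path $key -Name 'DefaultTreeName' -Value $TreeName
    if ($Password) {
        # A credential at rest in the registry: review who can read this subkey.
        Set-ItemProperty -Path $key -Name 'DefaultPassword' -Value $Password
    }
}

# Constructed sample of appcmd's XML so the audit can be tried offline.
$Sample = [xml]@'
<appcmd>
 <APPPOOL APPPOOL.NAME="DefaultAppPool"><add name="DefaultAppPool">
  <processModel identityType="ApplicationPoolIdentity" logonType="LogonBatch" /></add></APPPOOL>
 <APPPOOL APPPOOL.NAME="EdirPool"><add name="EdirPool">
  <processModel identityType="SpecificUser" userName="MyServiceUser" logonType="LogonBatch" /></add></APPPOOL>
</appcmd>
'@
Get-IncompatibleAppPool -AppCmdXml $Sample   # reports EdirPool only
# On the IIS host: switch each flagged pool to LogonService, then call
# Set-EdirServiceLogin with the Windows account name as the key name.
foreach ($p in Get-IncompatibleAppPool) {
    & $AppCmd set apppool "$($p.Name)" /processModel.logonType:LogonService
}
```

Restart IIS after changing logonType, as the TID notes, before expecting the eDirectory login to take effect.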
Additional Information Regarding UNC Paths

If configuring IIS to directly use UNC paths as the source for content, it may be necessary to modify the following registry settings used by the IIS services.  These settings are needed to remove the dependency on directory change notification and use the polling based change notification.  See the Microsoft "Description of the registry keys that are used by IIS 7.0, IIS 7.5, and IIS 8.0" (https://support.microsoft.com/en-us/help/954864/description-of-the-registry-keys-that-are-used-by-iis-7-0-iis-7-5-and) for additional information.

Under the [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters] subkey, create a 32-bit DWORD value:
"ConfigPollMilliSeconds" with data 0x00001388

Under the [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters] subkey, create two 32-bit DWORD values:
"DoDirMonitoringForUnc" with data 0x00000000
"FileAttributeCheckThreshold" with data 0x00000005

If the ASP service is also installed as part of IIS, under the [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ASP\Parameters] subkey, create two 32-bit DWORD values:
"FileMonitoringTimeoutSeconds" with data 0x00000005
"EnableChangeNotificationForUNC" with data 0x00000000