IIS Server Security >> Howto refresh IIS 6 Application pool identity credential info

by UGVrZQ » Sun, 10 Feb 2008 07:16:00 GMT

Ken,

Thx for the response, but stopping/starting the application pool doesn't help.
It seems that the domain account security is cached at startup of IIS, and
doesn't change until IISRESET is executed. After IISRESET, I see that the
logon time for the account has changed (using the Sysinternals tool). An
application pool restart doesn't change the credential info.

FYI,
the Sysinternals tool shows that it has an authentication package of type
Kerberos and the logon type is Batch. So I think the solution could be found
in "renewing" the Kerberos ticket, but I have no idea how to do that.

IISRESET does the job so the code is somewhere in there :-(.

Kind regards,
Peter

"Ken Schaefer" wrote:

> You should just be able to restart the web application pool in question.
>
> Cheers
> Ken
>
>
> "Peke" < XXXX@XXXXX.COM > wrote in message
> news: XXXX@XXXXX.COM ...
> > Hi,
> >
> > We are having problems with the following situation.
> >
> > If we change security settings for an application pool identity (something
> > like putting it in a security group (to have NTFS access on a folder,
> > accessible through a virtual directory in IIS)), the access is only granted
> > after IISRESET. It's a domain account (I don't know if this is important).
> > It seems like we have the following scenario:
> > On start of IIS, all application pool identities are given a logon session.
> > I can see that using logonsessions.exe from Sysinternals.
> > The logon session is only refreshed/renewed after IISRESET.
> > Is there a better, less impacting, way to get the specific logon session
> > renewed?
> >
> > Grtz,
> >
> > Peter
> >
>
>


Howto refresh IIS 6 Application pool identity credential info

by UGVrZQ » Mon, 11 Feb 2008 14:57:01 GMT


Ken,

FYI, the results of logonsessions.exe (Sysinternals):

Logon session 00000000:0327e6da:
User name: DEV\NfnOUser
Auth package: Kerberos
Logon type: Batch
Session: 0
Sid: S-1-5-21-1275210071-688789844-725345543-4792
Logon time: 7/02/2008 7:58:32
Logon server: DEVDC1
DNS Domain: DEV.DIGANT.ANTWERPEN.LOCAL
UPN:

--- application pool stop/start

Logon session 00000000:0327e6da:
User name: DEV\NfnOUser
Auth package: Kerberos
Logon type: Batch
Session: 0
Sid: S-1-5-21-1275210071-688789844-725345543-4792
Logon time: 7/02/2008 7:58:32
Logon server: DEVDC1
DNS Domain: DEV.DIGANT.ANTWERPEN.LOCAL
UPN:

---> nothing changed


--- IISRESET

Logon session 00000000:04efb566:
User name: DEV\NfnOUser
Auth package: Kerberos
Logon type: Batch
Session: 0
Sid: S-1-5-21-1275210071-688789844-725345543-4792
Logon time: 11/02/2008 7:49:36
Logon server: DEVDC1
DNS Domain: DEV.DIGANT.ANTWERPEN.LOCAL
UPN:

---> new logon session (session ID and logon time)

Grtz,

Peter
Howto refresh IIS 6 Application pool identity credential info

by wjzhang » Mon, 11 Feb 2008 15:46:14 GMT

Hi Peter,

What you detected should be expected behavior. Have you also tried
accessing any resources on the web site after changing the application pool's
identity and restarting/recycling the pool? If so, you should see a logon
event with the changed credential when the new HTTP request arrives.
The fact is:

After we change a pool's identity, the custom user account's username and
password are simply encrypted and saved by IIS without any validation or
logon attempt. That's why you don't see the credential change immediately.
As soon as a new request comes in for the corresponding web site which the AppPool
needs to serve, the IIS W3SVC service will start up a new worker
process (w3wp.exe, which can be viewed in Task Manager or Process Explorer, etc.)
with the new identity. You should see the expected logon attempts at that
time.

The difference with IISRESET is that when we restart the whole IIS service,
the startup process will try to test-logon all the identity accounts to
check whether all the usernames and passwords are valid. If not, IIS will disable
that pool.

Furthermore, a main problem of using a custom domain account as application
pool identity is that we must manually set up an SPN for Kerberos to work with
Integrated Windows authentication. Also, only one SPN (of the domain account)
can be set for the HTTP service on the server. Otherwise, you will need to use
NTLM.

KB 871179: You receive an "HTTP Error 401.1 - Unauthorized: Access is denied
due to invalid credentials" error message when you try to access a Web site
that is part of an IIS 6.0 application pool
http://support.microsoft.com/default.aspx?scid=kb;EN-US;871179

I hope the above information helps. Please update here if you have any
further questions.

Have a nice week.

Sincerely,

WenJun Zhang

Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.



Howto refresh IIS 6 Application pool identity credential info

by UGVrZQ » Wed, 13 Feb 2008 15:20:00 GMT

Hello WenJun,

Sorry for the delay.
Thx for enlightening me on the workings of security in IIS 6.

I will try the following:
stop the application pool, change the password of the application pool
identity to an invalid value, start the application pool, make a request -->
app pool will get disabled, change the password of the application pool
identity back to its original (valid) value, start the application pool, make a
request.

Will this solve the problem?
Or is there another way to do something like IISRESET but just for one
application pool (or account)?


About the domain user account as an application pool identity.

I know that using domain accounts is a problem. That's why we disabled
Kerberos authentication (changed Negotiate to NTLM).

I'll try to explain the reason why we are using domain accounts for the
application identity. Our applications (.NET) are built using a multilayered
architecture: UI, WebService, BusinessFacade, BusinessRules, DataAccess, ...
(Some newer applications use the new layers as proposed in the Service Software
Factory (CodePlex), but still the ASMX version.) The applications have
application security based on roles and privileges (custom made) (comparable
to AzMan, which didn't exist at that time). What we are trying to achieve is to
have a 'simple' centralized security management model. We check the security
(privileges) in the 'business' part and we access the data store (DB, file
system, other WS, ...) with the identity of the application pool (= owner of
the W3WP.exe process) using Integrated Security. In other words: no end users
have to be managed to secure the data store(s) and we're using integrated
security (which is safe) to access the data store. Only administrators
know/have access to the password of the application pool identity.

Is there a better way to achieve the same? (and solve the setspn stuff)
(perhaps .NET impersonation, but we don't want any credential info in the
config file).

Kind regards,

Peter






""WenJun Zhang[msft]"" wrote:



Howto refresh IIS 6 Application pool identity credential info

by UGVrZQ » Wed, 13 Feb 2008 19:08:02 GMT

Hi WenJun,

I've tried the 'invalidate' application pool trick I described below, but
that didn't help. I do see an authentication entry for the specified user in
the Security Event log, but it seems like it's just reusing the logon session
info:

Logon session info before invalidate:

[91] Logon session 00000000:080309d0:
User name: DEV\VtgOUser
Auth package: Kerberos
Logon type: Batch
Session: 0
Sid: S-1-5-21-1275210071-688789844-725345543-3948
Logon time: 13/02/2008 11:12:56
Logon server: DEVDC1
DNS Domain: DEV.DIGANT.ANTWERPEN.LOCAL
UPN:

Logon session info after invalidate and correct user (entry in Security Event
log):

[95] Logon session 00000000:080309d0:
User name: DEV\VtgOUser
Auth package: Kerberos
Logon type: Batch
Session: 0
Sid: S-1-5-21-1275210071-688789844-725345543-3948
Logon time: 13/02/2008 11:12:56
Logon server: DEVDC1
DNS Domain: DEV.DIGANT.ANTWERPEN.LOCAL
UPN:

--> nothing changed: same logon session id, same logon time, ...

Logon session info after IISRESET:

[50] Logon session 00000000:08153dc4:
User name: DEV\VtgOUser
Auth package: Kerberos
Logon type: Batch
Session: 0
Sid: S-1-5-21-1275210071-688789844-725345543-3948
Logon time: 13/02/2008 11:47:58
Logon server: DEVDC1
DNS Domain: DEV.DIGANT.ANTWERPEN.LOCAL
UPN:


--> NEW logon session ID, new logon-time --> all working fine.


So I think I need something like IISRESET but only for a specific
application pool/user. Any ideas?


Greetings,

Peter
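The before/after comparison of logonsessions.exe output that Peter performs here and in his 11 Feb post can be scripted so the verdict (same cached session vs. a new LUID and logon time) does not depend on eyeballing the dump. This is an added example, not code from the thread; it assumes the text layout quoted in the posts, and the snapshots embedded in it are constructed from that layout.

```python
"""Diff two logonsessions.exe snapshots for one account (added example).

Assumption: output looks like the thread's dumps: a 'Logon session hi:lo:'
header, optionally prefixed '[nn] ', followed by indented 'Key: value' lines.
In practice capture with  logonsessions.exe > before.txt  / > after.txt
"""
import re
from typing import Dict, List

# "Logon session 00000000:0327e6da:" or "[91] Logon session 00000000:080309d0:"
HEADER_RE = re.compile(r"^(?:\[\d+\]\s*)?Logon session ([0-9A-Fa-f]{8}:[0-9A-Fa-f]{8}):$")


def parse_logonsessions(text: str) -> List[Dict[str, str]]:
    """Turn logonsessions.exe output into one dict per session; the
    'Key: value' lines after a header belong to it until the next header."""
    sessions: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"Logon session": m.group(1).lower()}
            sessions.append(current)
        elif line and current:
            # Split on the FIRST colon only: 'Logon time: 7/02/2008 7:58:32'
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sessions


def _luids_for(text: str, user: str) -> set:
    """(LUID, logon time) pairs held by `user`. An account can hold several
    sessions at once (Batch for the pool plus an Interactive one, say), so
    compare pairs instead of assuming a single entry per account."""
    return {
        (s["Logon session"], s.get("Logon time", ""))
        for s in parse_logonsessions(text)
        if s.get("User name", "").lower() == user.lower()
    }


def logon_refreshed(before: str, after: str, user: str) -> Dict[str, object]:
    """Report which of `user`'s sessions were reused, created and ended.
    `refreshed` is True only if `after` holds a session absent from `before`,
    which is what IISRESET produced and a pool stop/start did not."""
    old, new = _luids_for(before, user), _luids_for(after, user)
    return {
        "user": user,
        "reused": sorted(old & new),
        "created": sorted(new - old),
        "ended": sorted(old - new),
        "refreshed": bool(new - old),
    }


# Constructed snapshots modelled on the thread's dumps (not captured output).
BEFORE = r"""Logon session 00000000:000003e7:
    User name:    NT AUTHORITY\SYSTEM

Logon session 00000000:0327e6da:
    User name:    DEV\NfnOUser
    Auth package: Kerberos
    Logon type:   Batch
    Session:      0
    Sid:          S-1-5-21-1275210071-688789844-725345543-4792
    Logon time:   7/02/2008 7:58:32
    Logon server: DEVDC1
    DNS Domain:   DEV.DIGANT.ANTWERPEN.LOCAL
    UPN:
"""
AFTER_POOL_RESTART = BEFORE  # pool stop/start: session reused unchanged
AFTER_IISRESET = BEFORE.replace("0327e6da", "04efb566").replace(
    "7/02/2008 7:58:32", "11/02/2008 7:49:36")  # fresh LUID and logon time

if __name__ == "__main__":
    print(logon_refreshed(BEFORE, AFTER_IISRESET, r"DEV\NfnOUser"))
```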

"Peke" wrote:



Howto refresh IIS 6 Application pool identity credential info

by wjzhang » Mon, 18 Feb 2008 11:34:06 GMT

Hi Peter,

What's the result if you change it to another user account instead of an
invalid password? Will it still log on the previous account?

I think dynamically changing the application pool identity in web
application code is a good enough design. If your web application needs to
access resources with special required privileges, impersonation is the
recommended approach. Rather than saving the username and password in the
configuration file, you should consider directly implementing impersonation in
your code. Please refer to "Impersonate the Authenticating User in Code" in
the article below:

How to implement impersonation in an ASP.NET application
http://support.microsoft.com/kb/306158/en-us

For .NET Framework 3.5:

WindowsIdentity.Impersonate Method
http://msdn2.microsoft.com/en-us/library/w070t6ka.aspx

Please let me know if you have any further concern on this.

Have a nice day.

Sincerely,

WenJun Zhang

Microsoft Online Community Support




Howto refresh IIS 6 Application pool identity credential info

by UGVrZQ » Tue, 19 Feb 2008 23:30:01 GMT

Hello WenJun,

After changing the application pool id to a new account that doesn't
already have a logon session, a new logon session is created for the new
account. If I use an account that already has a logon session, that logon
session is reused (logon session info stays the same).

Changing the identity account is not an option in our environment because
the account is used to access the backend.

Our policy is that a developer doesn't need to know the application account
and even can't find out (programmatically) what the password is for the
application account (which accesses the back-end).

If we would use the programmatic impersonation, the developer can get the
password because the account is created programmatically and the password
will be available.

So I guess I'm back where I started --> How can I force a refresh (or purge)
of the logon session for a particular account like IISRESET does?

BTW, I'm not really a developer.

Regards,

Peter






Howto refresh IIS 6 Application pool identity credential info

by wjzhang » Wed, 20 Feb 2008 16:49:20 GMT

Peter,

Since the issue and further investigation are going to become more and more
complicated, we may not be able to get a final conclusion in the newsgroup.
I'd like to suggest you use one of your MSDN Technical Support Incidents to
work with us via telephone-based support. This will be the most effective
way to assist you on complicated and project-based issues. Also, you won't
even need to spend the incident if the problem is finally confirmed
to be a product issue or can be simply fixed by applying a hotfix. Please
refer to the support note below.

For information on free incident support for MSDN subscribers, please
look at:
http://msdn.microsoft.com/subscriptions/support/default.aspx.

To obtain the phone numbers for Microsoft Customer Service and Support, please
take a look at the web site listed below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

Thanks.

Sincerely,

WenJun Zhang

Microsoft Online Community Support






Howto refresh IIS 6 Application pool identity credential info

by UGVrZQ » Thu, 21 Feb 2008 15:00:00 GMT

Hi WenJun,

Thx for the effort.

Before opening a case I want to try one more thing:
purge the logon session. Any idea how to do that?

Peter






Howto refresh IIS 6 Application pool identity credential info

by wjzhang » Mon, 25 Feb 2008 22:08:27 GMT

Hi Peter,

Definitely this has gone out of the scope of the IIS newsgroup. Probably it
has something to do with the WM_QUERYENDSESSION and WM_ENDSESSION Windows
messages. You may take a look at:

Logging Off
http://msdn2.microsoft.com/en-us/library/aa376876(VS.85).aspx

Have a nice week.

Sincerely,

WenJun Zhang

Microsoft Online Community Support




Howto refresh IIS 6 Application pool identity credential info

by UGVrZQ » Tue, 26 Feb 2008 15:28:00 GMT

Hello WenJun,

Thx for all the information.

Kind regards,

Peter






Howto refresh IIS 6 Application pool identity credential info

by David Wang » Thu, 28 Feb 2008 16:29:22 GMT

Can you explain why you want to dynamically change the security
permissions on the Application Pool Identity user?

The reason why SetSPN is failing is the same sort of logic behind why
you cannot dynamically change the security permissions on the
Application Pool Identity.

Imagine this scenario -- you have a web garden with lazy read (i.e.
don't recycle on config change) enabled, and you change permissions on the
Application Pool Identity. *IF* things changed immediately, you end up
with w3wp.exe processes each with different security permissions, and further
security implications.

Or in your scenario, what happens if two users which require
different permissions on the Application Pool Identity try to use the
same application served by the same application pool? The w3wp.exe can
only have one process identity, so one of those two users must wait
until the other is done -- not a good user experience.

Basically, we did not design for Process Identity changing on the fly
like that - we designed for thread impersonation to be changing on the
fly like that. The Process Identity is the base unit of isolation.
Impersonation is the base unit of functionality.

Is there anything that prevents you from using a single domain account
as Application Pool identity and dynamically impersonating
(depending on your application framework layer, this may be easy)?
Because when you do that, SetSPN will also work against your single
fixed Application Pool identity, and I believe impersonation flows
outward on your next hop to the DB, file system, etc.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Feb 25, 11:28 pm, Peke < XXXX@XXXXX.COM > wrote:



Howto refresh IIS 6 Application pool identity credential info

by UGVrZQ » Wed, 05 Mar 2008 15:08:01 GMT

Hello David,

Sorry for the delay.

I'll try to explain how our applications work.

We develop .NET applications using a multi-tier layered architecture (UI, WebService, ...).
We've built our own application security, comparable to AzMan, which wasn't
available at that time (Windows 2000 Active Directory); it is based on roles
and privileges.

IIS (6) is configured to use 'Integrated Security'.

Basically: users are put in a group (or removed from it if they no longer need
access) that has Read rights on the file system location where the IIS virtual
directory (or IIS virtual server) is pointing to.

The user's privileges are checked in the business part (Business Facade),
and from that point the application pool identity (a domain user) is used to
access the data store(s).
That 'data store' can also be another WebService (Service Agent).
--> this is where the problem is: the application pool identity is made
a member of another group to get access to the other application. But the
security context is only 'refreshed' after IISRESET.

A few reasons why we do it that way:
- Easy security maintenance on the data store (only the application pool
account needs the necessary rights).
- A developer doesn't have to do anything special in code.
- The application pool identity password is not available in code (and can't be
misused; if we would use impersonation - using the config file or in code - then
the password would be available).

I hope this makes sense.

Do you have any suggestions?

Kind regards,

Peter

P.S. You mentioned something about 'lazy read', no recycle on config change;
how is this done?



"David Wang" wrote:



Howto refresh IIS 6 Application pool identity credential info

by David Wang » Thu, 06 Mar 2008 14:33:40 GMT

I'm sorry, but I do not have any suggestions. I understand what you
are doing and it is pretty clever to a degree, but I believe there are
fundamental problems with your design, beyond just incompatibility with
IIS6, such that you must choose another design.

IIS is being consistent with security while what you are doing is not
consistent with security (but I do admit it is clever and can be
convenient in some contexts), so it is unlikely IIS will change. I
understand that you have an existing codebase that is being migrated,
so it is really not going to change. So the design has to change.

For example, your design either serializes access to the webserver to
one user at a time, or it is insecure. How? Proof by contradiction --
assume two different users belonging to two different user groups have
authorized access overlapping in time. User1 comes in and the AppPool
identity changes group membership to have Group1 and accesses data.
While this is happening, User2 comes in and the AppPool identity
*needs* to change group membership to have Group2 and access data.
What if the two groups are different or conflicting in access
privileges -- you certainly do not want User1 to temporarily have
access to files of User2 simply because your AppPool Identity
momentarily has group membership in both Group1 and Group2 while both
users are accessing different resources through the same system at
overlapping times. Thus, to be secure, the process identity must be in
only one Group at a time, which means that only one user can be
actively using the web server at a time --> this is serialization. Or
if you allow multiple users simultaneously it means that User1 will
temporarily run with a process identity that is in both Group1 and
Group2, thus have additional and/or contradicting privileges --> this
is insecure.

Also, what if the action triggered by the user is asynchronous? How do
you ensure that the user group membership of the Process Identity on
the async callback is the same one as when the call was first made?
Remember, the async callback can happen at any time.

The only secure way to use your authorization scheme using Group
Membership is to make everything synchronous and single user, which
works but will never scale.

Basically, your design looks clever and avoids passwords, but it is
really not feasible when you look at the details. You basically mapped
Roles to Group Membership and to avoid passwords you chose the Process
Identity. However, this fails for all the reasons I stated above, so
IIS never allowed such behavior in Application Pool Identity (let's
not even get into how your scheme plays havoc with Web Garden, or Skip
Process Recycle on Config Change).

Impersonation with user identities, and having delegation enabled on
credentials with static and diverse Group Membership flowing through
the system, is really the built-in option for how to be secure and
scalable. The AzMan approach is a suitable alternative where the Roles are
dynamically bound.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//





On Mar 4, 11:08 pm, Peke < XXXX@XXXXX.COM > wrote:



Howto refresh IIS 6 Application pool identity credential info

by UGVrZQ » Thu, 06 Mar 2008 15:47:00 GMT

David,

Thx for the response. I understand what is going on, so I'll have to discuss
this with our security people.

In your previous mail, you mentioned something about 'lazy read', no recycle
on config change; how is this done?

Kind regards,

Peter


"David Wang" wrote:


