Thank you for the input;
[quoted text, click to view] > In your case, you are trying to use a different account because you want
> to
> restrict that account to some files you're accessing on the file system
Actually, no we aren't; this is nothing to do with access to files (although
we are using the identity to provide access to the database, but that's a
few steps past the "Service Unavailable" failure).
All we are doing here is assigning identity to the app-pool to achieve a:
true application-isolation, b: allow for trusted access to the database, and
c: move the credentials outside of the visibility of the web application
(specifically, outside of web.config; even encrypted, the details are
transparent to anything inside the application).
Note that this should (by all accounts) work just fine; it has worked on
every server we have tried, and now it is failing as we attempt to implement
on the live system (d'oh!). Obviously something is breaking it, but we don't
know what (yet); a vanilla install with all patches, changes etc works fine.
Marc
[quoted text, click to view] "Pandurang Nayak" <pandurangATthinkingmsDOT(nospam)com> wrote in message
news:25104C76-5E71-4D69-AAE7-C86697E240F7@microsoft.com...
>I don't really know what the problem is at your end. But the general
>practice
> is to use either Anonymous Access or Windows Authentication to a web
> service.
>
> In your case, you are trying to use a different account because you want
> to
> restrict that account to some files you're accessing on the file system.
> For
> that, in the code that does the file system interaction, impersonate the
> user
> account you created and use that account while reading/accessing the
> files.
>
> That way, client to WS access remains with the IIS defaults and WS to file
> access is controlled by the rights you have defined.
>
> That might be a design you want to consider - relatively simpler to
> configure and even more simpler to maintain if you wanted to move servers,
> etc.
>
> Regards,
> Pandurang
>
> --
> blog:
www.thinkingMS.com/pandurang >
>
> "Marc Gravell" wrote:
>
>> I want to run a web-service under a custom (least required priveleged,
>> but
>> with /some/ access) account -but all I get is service unavailable;
>>
>> I have
>> * Created a new account
>> * Enabled logon as a service
>> * Added to the IIS_WPG group
>> * Ensured account has access to the relevant file system (read, list,
>> execute)
>> * Configured the app-pool to use the account
>>
>> This doesn't fix it; even adding to the local administrators group
>> doesn't
>> help! However, running as the local administrator account *does* work.
>>
>> So! Any idea what step I have missed?
>>
>> Marc
>>
>>
>>
