Roger, Thanks for your valuable help. Sorry about the delay in reply - I was called to another project and had to leave this. Yes! I agree, I might not be quite clear on how it all functions yet - as my solution is not working. Below, I have tried to clarify what I need to achieve, and my current understanding. There appears to be an IIS / Kerberos bug outlined by Microsoft which might be what is causing me grief (if my understanding is, in fact, correct).
I am trying to implement several web applications running under one application pool which uses a domain account for its identity - on a Win 2k3 server. I want IIS configured for only Windows authentication for these applications. I then need to have each application impersonating by using a different account (some will be domain accounts; some will be local accounts). For this I am using the impersonation tag in the web.config file of each web app. The credentials for these accounts are encrypted and stored in the registry using the aspnet tool provided by Microsoft.
My understanding is that IIS should 'transparently' authenticate domain users for each session. Then each web app operates (thread runs) as the account specified in the web.config file to access any resources (and access databases - say - using a trusted connection). If I am correct, you are saying that due to the web.config impersonations, the app pool identity will be overridden and will also run under the context of the impersonation account specified in the web.config file - for each session for each web app?
As far as NTFS security goes then, I would need to add the impersonating accounts to the IIS_WPG work group and also specify permissions at the root level of each application (or give IIS_WPG read;write;execute permissions for each web app root folder & sub folders).
I should then restrict or permit access to the website for the windows accounts via the 'allowing' and 'denying' users and roles as required via the Authorization tag in the web.config files of each web app.
Further, to make any calls to web service web methods on Web servers in the domain, I would need to actively set credentials with the Web Method call (NetworkCredentials). For this, I could establish the user credentials (=the impersonated account) or use some other credentials - depending on the need.
If my understanding is correct (and my solution is not working), then I might be having some problems relating to the MSDN article (http://support.microsoft.com/default.aspx?scid=kb;en-us;871179) - because I only seem to be able to run the web applications with Anonymous selected (in addition to windows authentication) - in IIS. I have also followed the article on.
Hopefully you can spot any flaws in my understanding so that I can head in the right direction to get this sorted.
Thanks
Grant_S
From http://developmentnow.com/g/91_2007_2_0_0_936661/Application-pool-identity.htm
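As an added illustration (not part of Grant's post or Roger's reply), a web.config fragment for one of the applications described above: Windows authentication handled by IIS, a fixed impersonation account, and authorization rules applied to the caller. It assumes the credentials were stored with aspnet_setreg.exe under the placeholder registry key HKLM\SOFTWARE\MY_SECURE_APP\identity, and the role name is a placeholder.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the original thread). Placeholder values:
     the registry key path and the DOMAIN\WebApp-Users role. -->
<configuration>
  <system.web>
    <!-- IIS performs the Windows (Integrated) authentication; ASP.NET only
         reads the result. Anonymous access should be disabled in IIS for
         this application so that every request arrives with a real caller. -->
    <authentication mode="Windows" />

    <!-- Fixed impersonation: the request thread runs as this account instead
         of the application pool identity. userName/password are read from the
         registry values written by aspnet_setreg.exe, so no plaintext secret
         is kept in web.config. The impersonated account still needs NTFS
         read access to the application folder. -->
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,password" />

    <!-- URL authorization is evaluated against the authenticated Windows
         caller (HttpContext.User), not against the impersonated account.
         Rules are matched top to bottom: members of the role get in,
         unauthenticated callers ("?") are denied, then everyone else ("*"). -->
    <authorization>
      <allow roles="DOMAIN\WebApp-Users" />
      <deny users="?" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Because the allow/deny rules look at the caller rather than the impersonated account, a caller outside the role is refused even though the thread would otherwise run as the privileged impersonation account.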