Question

I have a command line Process that I am attempting to run from my ASP.Net web application.

When the IIS7.5 Application Pool Identity is set to "Local System", the command line code executes. When it is set as ApplicationPoolIdentity, it does not. Since using the "Local System" is a security risk, I would simply like to grant the required permissions to the ApplicationPoolIdentity rather than using Local System.

If I understand this answer correctly: IIS AppPoolIdentity and file system write access permissions, the User "IIS AppPool[my app pool]" needs to be given permissions to whatever folders that my command line process will be modifying. I have tried giving full permissions to this user for that folder, but it still does not work. I have also tried full permissions for IUSR and IIS_USRS. Please see my code below:

        using (Process process = new Process())
        {
            process.StartInfo.FileName = fileToExecute;
            process.StartInfo.Arguments = arguments;
            process.StartInfo.UseShellExecute = false;
            process.StartInfo.RedirectStandardOutput = true;
            process.StartInfo.RedirectStandardError = true;

            StringBuilder output = new StringBuilder();
            StringBuilder error = new StringBuilder();

            using (AutoResetEvent outputWaitHandle = new AutoResetEvent(false))
            using (AutoResetEvent errorWaitHandle = new AutoResetEvent(false))
            {
                process.OutputDataReceived += (sender, e) =>
                {
                    if (e.Data == null)
                    {
                        outputWaitHandle.Set();
                    }
                    else
                    {
                        output.AppendLine(e.Data);
                    }
                };
                process.ErrorDataReceived += (sender, e) =>
                {
                    if (e.Data == null)
                    {
                        errorWaitHandle.Set();
                    }
                    else
                    {
                        error.AppendLine(e.Data);
                    }
                };

                process.Start();

                process.BeginOutputReadLine();
                process.BeginErrorReadLine();
                int timeout = 1000;
                if (process.WaitForExit(timeout) &&
                    outputWaitHandle.WaitOne(timeout) &&
                    errorWaitHandle.WaitOne(timeout))
                {
                    Logs logs = new Logs("Finished! - Output: " + output.ToString() + " | Error: " + error.ToString());
                    logs.WriteLog();
                }
                else
                {
                    // Timed out.
                    Logs logs = new Logs("Timed Out! - Output: " + output.ToString() + " | Error: " + error.ToString());
                    logs.WriteLog();
                }
            }
        }

Thanks in advance for any help!!!

Solution

It turns out that the setting "Load User Profile" under the Advanced Settings in the Application Pool had to be set to true. By doing this the PGP encryption program was able to use the profile for temporary data storage, etc.
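
The setting described in this answer, applied from an elevated PowerShell prompt together with a narrowly scoped folder grant, as an added example that is not part of the original post. The pool name `MyAppPool` and the folder `D:\AppData\PgpWork` are placeholders, not values from the question.

```powershell
# Added example. Run elevated on the IIS host.
Import-Module WebAdministration

$poolName   = 'MyAppPool'            # placeholder: your application pool name
$workFolder = 'D:\AppData\PgpWork'   # placeholder: folder the child process writes to
$poolPath   = "IIS:\AppPools\$poolName"

# 1. Inspect the current process model of the pool.
$pm = (Get-Item $poolPath).processModel
"Identity type     : $($pm.identityType)"
"Load user profile : $($pm.loadUserProfile)"

# Keep the pool on its virtual account instead of LocalSystem.
if ($pm.identityType -ne 'ApplicationPoolIdentity') {
    Write-Warning "Pool '$poolName' runs as $($pm.identityType), not ApplicationPoolIdentity."
}

# 2. Enable "Load User Profile" so child processes started by the worker
#    process have a profile to use for temporary and per-user data.
if (-not $pm.loadUserProfile) {
    Set-ItemProperty $poolPath -Name processModel.loadUserProfile -Value $true
}

# 3. Grant Modify on the working folder to the pool's virtual account only
#    ("IIS AppPool\<pool name>"), inherited by subfolders (CI) and files (OI).
icacls $workFolder /grant "IIS AppPool\${poolName}:(OI)(CI)M"

# 4. Recycle the pool so the worker process restarts with the new settings.
Restart-WebAppPool -Name $poolName

# 5. Review the resulting ACL on the folder.
icacls $workFolder
```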

OTHER TIPS

Try giving permissions to the IIS_IUSRS account.

Also, make sure the account has execute permissions on the file you're calling and any libraries it references.

I created some test code (below). The folder secret was given system and admin permissions only (not user). This means IIS could not view it by default (tested). I then gave IIS_IUSRS read permissions and it worked fine.

(results was displayed on screen)

Dim compiler As New Process()
compiler.StartInfo.FileName = "C:\Windows\System32\cmd.exe"
compiler.StartInfo.Arguments = "/C dir c:\Secret"
compiler.StartInfo.UseShellExecute = False
compiler.StartInfo.RedirectStandardOutput = True
compiler.Start()
Dim results As String = compiler.StandardOutput.ReadToEnd()
compiler.WaitForExit()

If you're not sure what files need permissions, there is a program called Process Explorer that should enable you to see exactly what's in use.

http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

What you can do is create a new Windows account and assign the rights that are required.

Type "mmc" in the Start menu; this will open the Management Console. Go to the "File" menu and select "Add/Remove Snap-in...". Select "Local Users and Groups", then "Add".

Next, add "Group Policy Object" in the same way as the previous snap-in. You will end up with something like this:

Now create a new Windows user. Since you most likely don't want to allow this new user to be able to log in locally, we need to set additional settings. Navigate to User Rights Assignment; you should see something like this:

Double-click "Deny log on locally" and add your new user. Make sure you also set appropriate file system rights.

In the end, just open IIS Manager and assign the new user to your application pool.

Best regards

I had a similar issue a while back while deploying a few web applications. In the end we solved our permissions issue by granting permission to: IIS_USRS, IUSR, LocalMachineName\Users, LocalMachineName$, SYSTEM (and, if your application is within a domain, DomainName\IIS_WPG, DomainName\Domain Users).

NOTE: Within the Web.config

<authentication mode="Windows" />
<authorization>
    <deny users="?" />
    <allow users="*"/>
</authorization>
<identity impersonate="false" />

Licensed under: CC-BY-SA with attribution