3

I have a command line Process that I am attempting to run from my ASP.Net web application.

When the IIS7.5 Application Pool Identity is set to "Local System", the command line code executes. When it is set as ApplicationPoolIdentity, it does not. Since using the "Local System" is a security risk, I would simply like to grant the required permissions to the ApplicationPoolIdentity rather than using Local System.

If I understand this answer correctly: IIS AppPoolIdentity and file system write access permissions, the User "IIS AppPool[my app pool]" needs to be given permissions to whatever folders that my command line process will be modifying. I have tried giving full permissions to this user for that folder, but it still does not work. I have also tried full permissions for IUSR and IIS_USRS. Please see my code below:

using (Process process = new Process())
{
    process.StartInfo.FileName = fileToExecute;
    process.StartInfo.Arguments = arguments;
    process.StartInfo.UseShellExecute = false;
    process.StartInfo.RedirectStandardOutput = true;
    process.StartInfo.RedirectStandardError = true;

    StringBuilder output = new StringBuilder();
    StringBuilder error = new StringBuilder();

    using (AutoResetEvent outputWaitHandle = new AutoResetEvent(false))
    using (AutoResetEvent errorWaitHandle = new AutoResetEvent(false))
    {
        process.OutputDataReceived += (sender, e) =>
        {
            if (e.Data == null)
            {
                outputWaitHandle.Set();
            }
            else
            {
                output.AppendLine(e.Data);
            }
        };
        process.ErrorDataReceived += (sender, e) =>
        {
            if (e.Data == null)
            {
                errorWaitHandle.Set();
            }
            else
            {
                error.AppendLine(e.Data);
            }
        };

        process.Start();

        process.BeginOutputReadLine();
        process.BeginErrorReadLine();
        int timeout = 1000;
        if (process.WaitForExit(timeout) &&
            outputWaitHandle.WaitOne(timeout) &&
            errorWaitHandle.WaitOne(timeout))
        {
            Logs logs = new Logs("Finished! - Output: " + output.ToString() + " | Error: " + error.ToString());
            logs.WriteLog();
        }
        else
        {
            // Timed out.
            Logs logs = new Logs("Timed Out! - Output: " + output.ToString() + " | Error: " + error.ToString());
            logs.WriteLog();
        }
    }
}

Thanks in advance for any help!!!

jpsnow72

4 Answers

3

It turns out that the setting "Load User Profile" under the Advanced Settings in the Application Pool had to be set to true. By doing this the PGP encryption program was able to use the profile for temporary data storage, etc.

jpsnow72
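
The fix from this answer applied from PowerShell, as an added example that is not part of the original answer: it enables Load User Profile on the pool and grants the pool's virtual account folder-scoped rights instead of Full Control. The pool name `MyAppPool` and both folder paths are assumptions; the script uses the WebAdministration module and `icacls`.

```powershell
# Added example. Pool name and folder paths are placeholders, not values from the thread.
# Run from an elevated PowerShell prompt on the IIS server.
Import-Module WebAdministration

$poolName = 'MyAppPool'            # hypothetical application pool name
$exeDir   = 'C:\Tools\Pgp'         # hypothetical folder with the executable and its DLLs
$workDir  = 'C:\Data\PgpWork'      # hypothetical folder the process reads and writes
$poolPath = "IIS:\AppPools\$poolName"
$account  = "IIS AppPool\$poolName"   # virtual account behind ApplicationPoolIdentity

if (-not (Test-Path $poolPath)) { throw "Application pool '$poolName' not found." }

# 1. The pool should stay on ApplicationPoolIdentity, not LocalSystem.
$pool = Get-Item $poolPath
if ($pool.processModel.identityType -ne 'ApplicationPoolIdentity') {
    Write-Warning "Pool runs as $($pool.processModel.identityType); the ACLs below target $account."
}

# 2. Enable "Load User Profile" so child processes get a profile and temp directory.
if (-not $pool.processModel.loadUserProfile) {
    Set-ItemProperty $poolPath -Name processModel.loadUserProfile -Value $true
}

# 3. Grant only what is needed: read/execute on the binaries, modify on the work folder.
#    (OI)(CI) makes the entry inherit to files and subfolders.
foreach ($grant in @(
        @{ Path = $exeDir;  Rights = 'RX' },
        @{ Path = $workDir; Rights = 'M'  })) {
    if (-not (Test-Path $grant.Path)) { throw "Folder '$($grant.Path)' not found." }
    & icacls.exe $grant.Path /grant "${account}:(OI)(CI)$($grant.Rights)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $($grant.Path)." }
}

# 4. Recycle the pool so the worker process starts with the profile loaded.
Restart-WebAppPool -Name $poolName

# 5. Read the settings back for the change record.
Get-Item $poolPath | Select-Object Name,
    @{ n = 'Identity';        e = { $_.processModel.identityType } },
    @{ n = 'LoadUserProfile'; e = { $_.processModel.loadUserProfile } }
icacls.exe $exeDir
icacls.exe $workDir
```
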
1

Try giving permissions to the IIS_IUSRS account.

Also, make sure the account has execute permissions on the file you're calling and any libraries it references.

I created some test code (below), the folder secret was given system and admin permissions only (not user). This means IIS could not view it by default (tested). I then gave IIS_IUSERS read permissions and it worked fine.

(results were displayed on screen)

Dim compiler As New Process()
compiler.StartInfo.FileName = "C:\Windows\System32\cmd.exe"
compiler.StartInfo.Arguments = "/C dir c:\Secret"
compiler.StartInfo.UseShellExecute = False
compiler.StartInfo.RedirectStandardOutput = True
compiler.Start()
Dim results As String = compiler.StandardOutput.ReadToEnd()
compiler.WaitForExit()

If you're not sure what files need permissions, there is a program called Process Explorer that should enable you to see exactly what's in use.

http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

Jay Zelos
  • I have tried giving full permission to IIS_IUSRS and IUSR, but still have the same problem. Updating my question with this information. – jpsnow72 May 15 '13 at 12:28
  • What errors are being reported in the event log? – Jay Zelos May 16 '13 at 10:31
  • Also, I have tried granting that user full permissions to the pgp.exe file that I am attempting to execute through the web app. – jpsnow72 May 16 '13 at 10:55
  • pgp.exe may reference some DLLs, that could be worth checking. (or give permissions to the folder it sits in) – Jay Zelos May 16 '13 at 12:18
1

What you can do is to create new windows account and assign rights that are required.

Type "mmc" inside start menu, this will open Management Console. Go to "File" menu and select "Add/Remove Snap-in...". Select "Local Users and Groups" then "Add".

Next add "Group Policy Object" in the same way as previous snap-in. You will end up with something like this:

Now create new windows user. Since you most likely don't want to allow this new user to be able to login locally we need to set additional settings. Navigate to User Rights Assignment, you should see something like this:

Double click "Deny log on locally" and add your new user. Make sure you will also set appropriate file system rights.

In the end just open IIS Manager and assign new user to your application pool.

Best regards

Gregor Primar
  • Thanks for the answer. I gave this a try and still can't get the PGP software to work. I gave the new user rights to the exe and other directories I thought it may need. – jpsnow72 May 20 '13 at 12:09
  • 1
    Then it's most likely you are still missing some rights. You can check eventlog if you can find any additional data. In other case you can use tools such as Filemon and Regmon to determine what resources you need but it can be a slow process since you we against a lot of data in short monitoring time... I guess the best option would be to contact PGP provider to give you an exact list of permissions that are required to run this software. – Gregor Primar May 20 '13 at 12:46
  • Thanks for the help... Speaking with them now about possible resources that may need permissions – jpsnow72 May 20 '13 at 14:23
0

I had a similar issue a while back while deploying a few web applications. In the end we solved our permissions issue by granting permission to: IIS_USRS, IUSR, LocalMachineName\Users, LocalMachineName$, SYSTEM, (and if your application is within a domain DomainName\IIS_WPG, DomainName\Domain Users)

NOTE: Within the Web.config

<authentication mode="Windows" />
<authorization>
    <deny users="?" />
    <allow users="*"/>
</authorization>
<identity impersonate="false" />

wickdninja