1

I set up an ASP.NET web site. I set as many settings as I know how to set to my personal user account, including:

  • The app pool identity is set to my personal user account.
  • Authentication for both "Anonymous" and "ASP.NET Impersonation" settings are set explicitly to target my personal user account, and both are enabled.

When the web app executes a request, it invokes PowerShell to run the 'git config' command. When invoking PowerShell, I also specify the invocation option to FlowImpersonationPolicy, just to try to be sure the correct identity makes it all the way to git. At runtime, just before PowerShell is invoked by the web app, the value of System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() is indeed my user account.

The problem is that the output of 'git config' is different when I run the app in visual studio vs when I run it hosted on my local IIS instance, which is configured as I described above. When I run the web app in Visual Studio, the same identity appears as appears in IIS, but the output of git config is different.

When it runs git config --show-origin -l from the Visual Studio-hosted version, I see that it's correctly picking up the global settings for my user account at "c:\users\myusername.gitconfig". However, when the same web app runs deployed under IIS, the command does not list configurations at that location.

So it seems like the git command is not running under or is not aware of my user account, even though everything appears to be invoked by my user account. Am I missing something?

Triynko
  • 18,766
  • 21
  • 107
  • 173
  • I even added "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name" within the powershell script, and it's using the correct identity. So I have no idea why 'git config' in the context of being hosted in IIS fails to find global user settings, but finds them fine when running in the exact same code hosted by IIS Express in Visual Studio. – Triynko Jan 09 '19 at 07:32
  • Hmmm... I used 'everything.exe' to locate all .gitconifg files on my drive and found one at "C:\Windows\System32\config\systemprofile". Sure enough, it's a default for my user account, which I assume I generated by running the 'git config --global --edit' command within the app in an attempt to find it's location. It was windowless, so I never saw the editor, but I can infer by the existence of this file that it had the effect of creating it. So now the question is... why is my identity my user account, but the profile is some kind of system profile in IIS? Wrong profile loaded? – Triynko Jan 09 '19 at 08:18
  • Even if I copy my user's .gitconfig file over that one and git picks up all the right settings... they still aren't used correctly, probably because of this bogus/incorrect system profile that IIS is trying to use instead of my own user's profile. So things like 'wincred' as the credential manager are probably looking in the wrong place. This is very annoying. I need a way to truly run IIS request as a particular user, with all the profile-related bells and whistles, and without this system profile nonsense. Works fine in IIS express, but not IIS. – Triynko Jan 09 '19 at 08:28
  • Related: https://stackoverflow.com/questions/9490107/iis-7-5-application-pool-uses-wrong-appdata-for-custom-user-as-identity – Triynko Jan 10 '19 at 19:58

1 Answers1

1

It seems that there's a hidden setting in IIS that's not exposed through the IIS Manager U.I.

The "loadUserProfile" option is in the U.I. and is set to true, but there's another setting called "setProfileEnvironment" that must also be set to true in order for the user profile to actually work and be visible to Git and other processes started from IIS.

The setting is under the application pool's processModel section in the file "%WINDIR%\System32\inetsrv\Config\applicationHost.config". You can change the defaults for the setting in the applicationPoolDefaults/processModel section or just change the settings for the individual app pool's processModel section.

system.applicationHost settings

Unfortunately, this settings is not exposed in the IIS Manager U.I. like Load User Profile is.

enter image description here

Triynko
  • 18,766
  • 21
  • 107
  • 173
  • Unfortunately, although this get Git the correct config values from the profile setting, I'm still getting connection errors. So there's still something different about how the command is run under IIS vs IIS Express. This obscure setting that needed switched on just to get the config right does not give me much hope in finding whatever else might need set. – Triynko Jan 10 '19 at 21:03