
Turns out the web role .aspx page and web role code run in two separate processes with the default "Full IIS" mode. The problem for the application I'm to port is that .aspx handler needs access to the local filesystem and since it now runs under MachineName\\NETWORK SERVICE account it has no such access.

AFAIK I could do one of the following.

First, I could grant access to necessary subfolders to user MachineName\\NETWORK SERVICE while in a startup task. That will work, but looks insecure - anything running under MachineName\\NETWORK SERVICE will get the same access and this can introduce a vulnerability.

Second, I could somehow force IIS to run the role website in a dedicated pool running under a dedicated user and grant access to that user. That sounds good, but I'm not sure I can do that (specifically force IIS to create a dedicated pool running under a specific user) automatically - either within a role configuration file or within a startup task.

Third, I could move all dealing with the filesystem onto the code that belongs to the role and is running inside WaIISHost.exe. That will require some redesign.

Which option of the above is most convenient and follows best practices most closely? What other options are there? How do I address the situation?

sharptooth

1 Answer

Second, I could somehow force IIS to run the role website in a dedicated pool running under a dedicated user and grant access to that user. That sounds good, but I'm not sure I can do that (specifically force IIS to create a dedicated pool running under a specific user) automatically - either within a role configuration file or within a startup task.

Wade Wegner's blog is brilliant for this type of question.

Here's how to set up the web role under a specific user:

http://www.wadewegner.com/2011/01/programmatically-changing-the-apppool-identity-in-a-windows-azure-web-role/

Stuart
  • Looks great, but how do I obtain a username and (especially) password for that user? Do I create a new user instead? – sharptooth Jun 07 '11 at 05:54
  • Not sure - but you could look at the way the remote desktop functionality installs users and see if you can adapt that? Alternatively, if the role start is running elevated, then you could create a new user/role there? – Stuart Jun 07 '11 at 07:35
  • Emm. What exactly do I look at regarding "remote desktop functionality" you mention? – sharptooth Jun 07 '11 at 07:41
  • Actually - looking at it again then I think this remote desktop user won't be the easiest to use - too hard coded - so you'd be better off creating a new user using `net user /add` - see http://www.davidaiken.com/2011/01/19/running-azure-startup-tasks-as-a-real-user/ – Stuart Jun 07 '11 at 07:56
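The approach the answer and comments sketch (dedicated local user, dedicated app pool running as that user, folder rights granted to that user alone), written out as an added elevated startup task; this is example code, not the answer's or the linked posts' own. It assumes IIS 7.x `appcmd.exe` is present and that the site, pool, user and folder names are placeholders for the real role values; it uses the WinNT ADSI provider rather than `net user /add` to create the account, because `net user` stops for a confirmation prompt on passwords longer than 14 characters.

```powershell
# Added example (not from the answer or the linked posts): an elevated startup
# task that gives the web role site its own app pool identity and grants only
# that identity access to the folder the .aspx handler needs.
# Assumptions: IIS 7.x appcmd.exe is present; the names below are placeholders.
$appcmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$siteName = 'WebRoleSite'          # placeholder: name IIS gave the role site
$poolName = 'WebRoleDataPool'      # placeholder
$userName = 'webroleapp'           # placeholder: dedicated local account
$dataDir  = 'E:\approot\App_Data'  # placeholder: folder the .aspx handler writes

# Fresh random password per deployment, so no secret ships in the package and
# nobody needs to know it; the app pool is the only consumer.
Add-Type -AssemblyName System.Web
$password = [System.Web.Security.Membership]::GeneratePassword(24, 4)

# Create or reset the local account through the WinNT ADSI provider instead of
# net user, which pauses for confirmation on passwords over 14 characters.
$machinePath = "WinNT://$env:COMPUTERNAME"
if ([ADSI]::Exists("$machinePath/$userName,user")) {
    $user = [ADSI]"$machinePath/$userName,user"
} else {
    $user = ([ADSI]$machinePath).Create('User', $userName)
}
$user.SetPassword($password)
$user.SetInfo()
# ADS_UF_DONT_EXPIRE_PASSWD: an expiring password would silently stop the pool.
$user.Put('UserFlags', ([int]$user.UserFlags.Value -bor 0x10000))
$user.SetInfo()

# Dedicated app pool running as that user; 'add' fails harmlessly if it exists.
& $appcmd add apppool "/name:$poolName" | Out-Null
& $appcmd set apppool $poolName /processModel.identityType:SpecificUser `
    "/processModel.userName:$userName" "/processModel.password:$password"
if ($LASTEXITCODE -ne 0) { exit 1 }
# Move the site's root application onto the new pool.
& $appcmd set app "$siteName/" "/applicationPool:$poolName"
if ($LASTEXITCODE -ne 0) { exit 1 }

# Modify rights on the data folder for the dedicated user only; NETWORK SERVICE
# and every other app pool keep exactly the access they had before.
& icacls $dataDir /grant "${userName}:(OI)(CI)M"
exit $LASTEXITCODE
```

Run it from a startup task declared with `executionContext="elevated"` in ServiceDefinition.csdef (for example `powershell -ExecutionPolicy Unrestricted -File setup.ps1`); the site name to use is whatever IIS created for the role, which `appcmd list site` shows.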