Running ASP.NET as NetworkService

Hot Topic

Error: Unable to open shim database
PGP encryption and decryption
Preventing .NET DLL execution
Connecting to a database and parameters in sql
Windows.Forms.Datagrid
Call VB Script in WebService
Solid business and technical benefits of moving to .net
Evaluate if IP Address is part of a subnet
Copying a XML file from 1 domain to another
Is it possible to force loading all assemblies before they are used?

.NET Development

Data Binding with hieracherial XML file
Need help in accessing web control from within Javascript.
.NET Framework - hotfix. Can I discard the original Framework?
how to copy dataset?
GridView wont display records if LIKE is used in Query
dataset filling from SQL - too cryptic!
Message box diplayed in timer.tick handler, not becoming modal
Permission Problem
Dataset serialization
2 projects same solution

Running ASP.NET as NetworkService

Hi,
I'm writing a ASP.NET Web Service that needs to access an external database (which uses Windows Authentication). However, ASP.NET runs as ASPNET account (I'm using .net 2.0 on Windows XP, IIS 5.1) and the server refuses to accept that. Running ASP.NET as "SYSTEM" works, but I'd rather not do that. Accessing the database through non-web-based means (i.e. Windows apps) works without any problems, the authentication runs into trouble only when I create Web Apps or Web Services.

The machine.config file has this entry in it :
<processModel autoConfig="true"/>
I tried putting in <processModel userName="NT Authority\NetworkService"/> but ASP.NET refused to start after that.

Can someone please guide me as to how to get ASP.net to run as NetworkService on my machine

Thanks.

Answer this question

Running ASP.NET as NetworkService

  • SFdesign

    Hi,
    Thanks for the info. I was using Windows Integrated auth in IIS. The issue was that changing the processModel userName to SYSTEM (or for that matter, impersonating myself) is that both these accounts have almost complete access to the system, and I did not think that was a good thing to do. I'm afraid I don't have too much knowledge of security-related issues - this is the first time I'm having to hop out of the box !

    I was under the impression that Network Service is an account that is automatically created under Win XP. Is it wise (or even possible) to create another account with the same name or to change the permissions of the existing one

    By the way, I have subsequently switched to Windows Server 2003, running IIS 6.0 as Network Service - so the problem does not arise any more.

    Thanks,
    Adarsh

  • Kjell Arne

    Hello Adarsh,

    I was under the impression that Network Service is an account that is automatically created under Win XP. Is it wise (or even possible) to create another account with the same name or to change the permissions of the existing one

    Yes it is automatically created. I have not seen anyone try to create a new user account with similar permissions. I think the following article is as close as we have to what the NetworkService account needs permissions to run as a worker process identity, so you might be able to create a new local user with similar rights etc.

    812614 Default permissions and user rights for IIS 6.0
    http://support.microsoft.com/ id=812614

    Also, if you're interested in getting up to speed on all these security topics then I highly recommend you download the free PDF book below:

    Building Secure ASP.NET Applications: Authentication, Authorization and Secure Communication
    http://msdn.microsoft.com/library/default.asp url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp

    Good luck,
    -Todd Foust




  • katrien

    Hello Adarsh,

    Have you tried implementing impersonation yet What authentication do you have set in IIS Basic/Anonymous/Integrated

    If you have only integrated security selected then try added <identity impersonate="true"/> to your web.config file. This way the request will be made as the user that was authenticated by IIS. Of course in this case you may be running into a double-hop delegation scenario. If that's the case, then try using only Basic Authentication. This way the client is authenticated at the web server, and then there is only a single-hop over to the database server.

    As far changing the process identity to NetworkService. You might be able to do this. Just specify the username of "NetworkService" and make sure this local account has the default worker process permissions etc. Take a look at this article for information about what rights are needed for the worker process identity in order for you to run it under a specific account:

    317012 Process and request identity in ASP.NET
    http://support.microsoft.com/ id=317012

    Also review these articles for more information on accessing resources from ASP.NET:

    810572 How to configure an ASP.NET application for a delegation scenario
    http://support.microsoft.com/ id=810572

    891031 Common security issues when you access remote resources from ASP.NET
    http://support.microsoft.com/ id=891031

    hth
    -Todd Foust



  • Running ASP.NET as NetworkService
Answer this question