Saturday, March 23, 2013

How to use Network Service Account to Access Resources in ASP.NET in the same domain

Our web application often need to access local or network resources in production environment. For example, our application have to access file server for read/write access in the same domain. In case, web application upload and save user account photo or document such as excel and word file. At that time, it need the Network Service Account that is least privileged, although it have network credentials which means that you can use it to authenticate against network servers.

By default, Microsoft Internet Information Services (IIS) 6.0 on Windows Server 2003 runs ASP.NET applications in application pools that use the NT AUTHORITY\Network Service account identity. This account is a least privileged machine account with limited permissions and an application that runs using this account has restricted access, network credentials, which means you can use it to access network resources and remote databases by using Windows authentication. The network resources must be in the same domain as your Web server or in a trusted domain. Normally, the Application Pool Identity in IIS7 is "ApplicationPoolIdentity" by default and in IIS5 or IIS6, is "NetworkService" by default. Let's start here, to use the NT AUTHORITY\Network Service machine account to access local and network resources in Web Farm.

1. Configuring IIS Application Pool Identities
First, we check what Application Pool our web application use as follow:


Go to IIS, click on your web application and click "Advanced Settings".


Now, you see your application use "DefaultAppPool" Application Pool. If you want to change it to another, click the ellipsis (the button with the three dots). The following dialog appears.


Select the Application Pool you want from the combo box and Press OK button. Now, we know already what Application pool we used. Then we change the Identity Type for Application Pool.
Go to IIS, select "Application Pool" node and then select Application Pool you want to change as shown below:


Click "Advanced Setttings" and you will see the following dialog box:


Now, Identity is "NetworkService" already. Otherwise, select the "Identity" list item and click the ellipsis (the button with the three dots). The following dialog appears.


Select the Identity Type "NetworkService" from the combo box and press OK button. So, we finished marking sure that our web application that run using "NetworkService" Application Pool Identity.

2. Securing Resources
Whenever a new Application Pool is created, the IIS management process creates a security identifier (SID) that represents the name of the Application Pool itself. For example, if you create an Application Pool with the name "MyNewAppPool," a security identifier with the name "MyNewAppPool" is created in the Windows Security system. From this point on, resources can be secured by using this identity. However, the identity is not a real user account; it will not show up as a user in the Windows User Management Console.
Let's start giving permission to folder in remote server here.

1. Open Windows Explorer
2. Select a file or directory.
3. Right click the file and select "Properties"
4. Select the "Security" tab
5. Click the "Edit" and then "Add" button



6. Click "Locatoins" and make sure you select your domain and then enter the Network Service account.


The Network Service account's credentials are of the form DomainName\AspNetServer$, where DomainName is the domain of the ASP.NET server and AspNetServer is your Web server name.For example, if your ASP.NET application runs on a server named SVR1 in the domain CONTOSO, the Network Service account is CONTOSO\SVR1$.

7. Click the "Check Names" button and click "OK".
8. Set permission for new account as below:


By doing this, the file or directory you selected in file server will now allow the Network Service identity access from your web application.

Reference :

How To: Use the Network Service Account to Access Resources in ASP.NET
Application Pool Identities

No comments:

Post a Comment