Hello everyone who responded over the last couple of days regarding my IIS DC problems. I have found an acceptable
(but not optimal) answer, and uncovered some curious facts along the way. I’m
going to write down what I’ve found so far for my sanity and in case I
can help someone else in the future. I’m working on a Windows 2003
Advanced Server machine. It may drag on for a bit...
I should mention that during my testing I had to often reboot
the server, restart IIS and stop/start IE on the client and delete the IE
temporary files before my changes would take effect. If a change did nothing,
then I had to work back through these steps until either something changed or
it didn’t, in which case I presumed my change was ineffective.
The problem is simply running IIS ASP.NET on a Domain
Controller and giving it permission to run apps that can update files. Q315158
and the article titled ‘Running ASP.NET on a Domain Controller’
describe how there is no local ASPNET account for the worker process. The steps
in these articles seem to be insufficient and not updated for 2003 Servers. The
default symptom is that you will get ‘Server Application Unavailable’
messages on browser clients.
[Note] Putting username="SYSTEM" in the machine.config does not seem to work as an overkill
solution.
After hours of experiments and using filemon
(a vital tool) to tell me which processes were failing on which folders and
files I have come to the following solution.
I created a domain user called ASPAPPS with a fixed
password and gave it the ‘Log on as a batch job’ right under Domain
Controller Security Policy.
I put username="MYDOMAIN\ASPAPPS" and password="foobar" in machine.config.
The user ASPAPPS was added to the IIS_WPG group. This is
weird, but I found that NETWORK SERVICE was trying to write to my data files
when the app was running. I decided this was a convenient way of grouping the
related system users and my new user together.
I gave the IIS_WPG group modify permissions to these
folders:
C:\webs\myapp <-- this is my folder
C:\WINNT\TEMP
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files
C:\Documents and Settings\LocalService\Local Settings\Application Data
That last curious folder was found to be necessary via filemon. It is not mentioned in any of the documentation.
So finally, this combination of steps allowed my app to
run normally. I have a feeling that my solution is not optimal, especially
adding my user to the IIS_WPG group. And I have of course created a user that
applies to all ASP.NET apps; for my needs I did not need to create different
sets of permissions for different ASP.NET apps. I will leave that as an
exercise for the student ;-)
Cheers,
Greg Keogh
P.S. I will have to repeat these steps next weekend for Win2K Advanced Server,
so I will report if I find any startling differences in the solution.
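
The filemon step described in the post, as an added example that is not part of the original message: a short Python script that reads a saved filemon log and counts ACCESS DENIED results per folder for the worker process, so that modify rights are granted only where they are needed. The tab-separated column layout, the process name `w3wp.exe` and the sample rows are assumptions constructed for illustration.

```python
import ntpath
from collections import Counter

# Constructed sample rows, not real filemon output. Assumed layout of a saved
# log (tab-separated): seq, time, process:pid, request, path, result, other.
SAMPLE_LOG = "\n".join([
    "1\t10:15:01\tw3wp.exe:1234\tOPEN\tC:\\WINNT\\TEMP\\abc.tmp\tACCESS DENIED\tOptions: Open",
    "2\t10:15:01\tw3wp.exe:1234\tOPEN\tC:\\webs\\myapp\\web.config\tSUCCESS\tOptions: Open",
    "3\t10:15:02\tw3wp.exe:1234\tWRITE\tC:\\webs\\myapp\\data\\orders.xml\tACCESS DENIED\tOffset: 0",
    "4\t10:15:02\tw3wp.exe:1234\tCREATE\tC:\\WINNT\\Temp\\def.tmp\tACCESS DENIED\tOptions: Create",
    "5\t10:15:03\texplorer.exe:400\tOPEN\tC:\\other\\notes.txt\tACCESS DENIED\tOptions: Open",
    "truncated line without enough columns",
])


def denied_folders(log_text, processes=None):
    """Count ACCESS DENIED rows per parent folder.

    processes: optional set of lower-case image names to keep (e.g. the
    worker process); None keeps every process. Paths are treated as files,
    so the folder reported is the parent of the path in the log row.
    """
    counts = Counter()
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue  # blank, header or truncated line
        image = cols[2].split(":")[0].strip().lower()
        if processes is not None and image not in processes:
            continue
        if cols[5].strip().upper() != "ACCESS DENIED":
            continue
        # NTFS paths are case-insensitive, so fold case before grouping.
        counts[ntpath.dirname(cols[4].strip()).lower()] += 1
    return dict(counts)


def report(log_text, processes=None):
    """Return report lines, most frequently denied folder first."""
    rows = sorted(denied_folders(log_text, processes).items(),
                  key=lambda kv: (-kv[1], kv[0]))
    return ["%4d  %s" % (n, folder) for folder, n in rows]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, {"w3wp.exe"}):
        print(line)
```

Each folder in the report is a candidate for a grant to the worker identity; folders that appear only for unrelated processes are filtered out by the `processes` argument.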