Thursday, May 06, 2004

Things I've learned about ASPNET (the local user account for ASP.NET)

Well, I have been trying to trackdown an incredibly irritating issue with my ASP.NET v1.1 code not running on one of our w2k (windows 2000) servers. I think the root cause of it all has to deal with the fact that this box runs OWA (Outlook Web Access) and OWA doesn't play well will other. So here is the run down. In the machine.config , node processmodel where use name says "machine" it is using the ASPNET local user. For the most part this user has access to everything it needs because it is in the Group user. (I know a user in the user group... a little redundant). However there are some instances, depending on patches and services packs where this user doesn't get the correct NT users permissions. This table from Microsoft really helped.

Table 1. Required NTFS permissions

FolderRequired PermissionAccountComments
Temporary ASP.NET Files
Full ControlProcess and fixed impersonation accountsThis is the ASP.NET dynamic compilation location. Application code is generated in a discrete directory for each application beneath this folder.
The tempdir attribute on the <compilation> element can be used to change this default location.
C:\WINNT\tempRead/Write/DeleteProcessLocation used by Web services to generate serialization proxies.
Note that the Delete permission is set using the Advanced button on the Security page of the Windows Explorer folder properties dialog box.
Application folderReadProcessThe location of your Web application files (that is, your application's virtual root directory: for example, c:\inetpub\wwwroot\webapp1).
By default, the Users group has the appropriate access rights.
%installroot% hierarchy
ReadProcess and fixed impersonation accountsASP.NET must be able to access .NET Framework assemblies.
By default, the Users group has the appropriate access rights.
C:\WINNT\assemblyReadProcess and fixed impersonation accountsThis is the global assembly cache. You cannot directly use Windows Explorer to edit ACLs for this folder. Instead, use a command Windows and run the following command:
cacls %windir%\assembly /e /t /p domain\useraccount:R
Alternatively, prior to using Windows explorer, unregister shfusion.dll with the following command:
regsvr32–u shfusion.dll
After setting permissions with Windows explorer, re-register shfusion.dll with the following command:
regsvr32 shfusion.dll
Web site root:
wwwroot or the path that the
default Web site points to
ReadProcessASP.NET reads configuration files and monitors for file changes in this folder.
C:\WINNT\system32ReadProcessFor system DLLs loaded by the Framework.
Parent directories of contextList Folder/ ReadProcessFor file change notifications and the C# compiler.

No comments: