JCasper

Reputation: 21

Spoof IIS Express App Pool Identity for Integrated Security

In order to keep application secrets out of source code I want to use Integrated Security to connect my ASP.NET MVC application to SQL Server. However, IIS Express uses my development machine's account as the Identity for Integrated Security, which has different permissions from the AppPoolIdentity on production. I want to connect to SQL server using the same permissions in development as in production, which seems like something that should be easy to do, but I have had no luck.

Apparently it is impossible to set the Identity used by IIS Express except using "runas" which I could not get to work: how to run iisexpress app pool under a different identity

Things I've tried:

  1. IIS Express

    • Create a User in "Edit local users and groups" and add it to "IIS_IUSRS" group.
    • Create AppPool in IIS Express manager (Jexus manager)
    • Set AppPool > ProcessModel > Identity to the newly created User, which fails.
    • (However setting AppPool Identity works in IIS Manager (not express))
    • Create site and configure path and ApplicationPool
    • Application successfully launches through Jexus manager; however, it still uses my Windows account, as it does when launching from Visual Studio
  2. IIS

    • Create app pool and log in as newly created user (succeeds unlike Jexus manager)
    • Create and configure site to use https and IIS Express development cert
    • Get 500 error when trying to launch the same way as with Jexus manager
    • I would rather launch the app from Visual Studio anyway
  3. Impersonation

    • Requires credentials in web.config defeating the purpose of Integrated Security
  4. It's important we manage secrets internally, so Azure Key Vault or other similar 3rd-party solutions are off the table.

It's beginning to seem impossible to configure IIS Express AppPools to use an Identity other than the currently logged in user: Link1 and Link2. The second link describes a method using "runas" from cmd as Admin but using System.Security.Principal.WindowsIdentity.GetCurrent().Name to check the ApplicationPool identity still shows my logged in Identity, not the one I used in the "runas" command.

What are my options? I would like to use Integrated Security for both dev and prod, with the same permissions on each. Is this possible? Is there an equivalent workaround?

Upvotes: 1

Views: 647
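As an added diagnostic (not code from the question or from any linked answer): a throwaway MVC action that reports the Windows identity the worker thread runs as and the login SQL Server actually authenticated over Integrated Security, so the dev and prod outputs can be compared side by side. The controller name and the "AppDb" connection-string name are assumptions.

```csharp
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical diagnostic controller: browse to /IdentityCheck in dev and in prod
// and compare. Assumes a connection string named "AppDb" in web.config (assumed name).
public class IdentityCheckController : Controller
{
    [HttpGet]
    public ActionResult Index()
    {
        // Identity the request thread runs as: the app pool account under IIS,
        // the logged-in developer account under IIS Express (the problem described),
        // or the configured user when <identity impersonate="true"> is set.
        WindowsIdentity worker = WindowsIdentity.GetCurrent();

        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        var csb = new SqlConnectionStringBuilder(cs);
        // Integrated Security means no User ID/Password in the string, which is the
        // whole point of keeping secrets out of source code.
        bool integrated = csb.IntegratedSecurity;
        bool hasPassword = !string.IsNullOrEmpty(csb.Password);

        string sqlLogin; bool sysadmin;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME(), IS_SRVROLEMEMBER('sysadmin');", conn))
        {
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                r.Read();
                // SUSER_SNAME() is the login SQL Server authenticated. For a remote server
                // and ApplicationPoolIdentity this is the machine account DOMAIN\HOST$,
                // not IIS APPPOOL\<name>, so dev and prod values differ in form, not only in rights.
                sqlLogin = r.GetString(0);
                sysadmin = !r.IsDBNull(1) && r.GetInt32(1) == 1;
            }
        }

        string report =
            "Worker identity : " + worker.Name + "\n" +
            "Impersonating   : " + (worker.ImpersonationLevel != TokenImpersonationLevel.None) + "\n" +
            "Integrated auth : " + integrated + (hasPassword ? "  (password present in connection string)" : "") + "\n" +
            "SQL login       : " + sqlLogin + "\n" +
            // A developer login that is sysadmin hides permission errors the prod pool would hit.
            "SQL sysadmin    : " + sysadmin + (sysadmin ? "  (broader than the prod app pool)" : "");
        return Content(report, "text/plain");
    }
}
```

Remove the action before shipping; it exposes account names and should never reach production.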

Answers (0)
