I have recently moved our company's intranet website from a Windows 2000 server to a Windows 2003 server. Previously, we had set up the permissions so that the IWAM_<MachineName> account could access files in a share on another server. Now that I have moved to W2K3, I am not sure what I need to do to establish the same functionality as the IWAM_ account does not exist.
Can anyone provide me with some good information on this topic or point me to some good resources?
"Tyler" wrote:
> I have recently moved our company's intranet website from a Windows 2000
> server to a Windows 2003 server. Previously, we had set up the permissions
> so that the IWAM_<MachineName> account could access files in a share on
> another server. Now that I have moved to W2K3, I am not sure what I need to
> do to establish the same functionality as the IWAM_ account does not exist.
>
> Can anyone provide me with some good information on this topic or point me
> to some good resources?
You can add IWAM_machinename this way. Right click on the folder you want to give these permissions to and go to the "Security" (or Permissions?) tab just like you did in IIS5. Click the button to add a user. You won't see IWAM_machinename in your list of users but you can still add it by typing it in the box and it will understand and add it for you.
> I have recently moved our company's intranet website from a Windows 2000
> server to a Windows 2003 server. Previously, we had set up the permissions
> so that the IWAM_<MachineName> account could access files in a share on
> another server. Now that I have moved to W2K3, I am not sure what I need to
> do to establish the same functionality as the IWAM_ account does not exist.
>
> Can anyone provide me with some good information on this topic or point me
> to some good resources?
If you can see the Application Pool folder in the Win2K3 IIS6 mmc, then it means your IIS6 is running in worker process isolation mode. In this case, NETWORK SERVICE is the default process identity which replaces IWAM. So you'd grant NETWORK SERVICE account with the proper permission other than IWAM.
If there isn't the Application Pool folder, IIS6 is running in IIS5.0 isolation mode, which still works with IWAM and dllhost. You can grant IWAM with the permission like before.
Best regards,
WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no rights.
Get Secure! - www.microsoft.com/security
I can see the Application Pool folder, so my site is running in 'worker process isolation mode'.
I know that I need to grant the NETWORK SERVICE account on the web server access to the share on the other server, but my question is how do I do this when each machine has a NETWORK SERVICE account and neither NETWORK SERVICE account is a domain account? Am I missing something obvious here?
For example, when I am modifying share permissions and browse to select the accounts to provide access, I cannot specify the web server's NETWORK SERVICE account. As well, on my other server, I assume I must specify that the web server's NETWORK SERVICE can 'Access this computer from the network' - I cannot figure out how to do that either.
Your assistance is greatly appreciated,
Thanks,
Tyler
"WenJun Zhang[msft]" <v-wzh...@online.microsoft.com> wrote in message
> If you can see the Application Pool folder in the Win2K3 IIS6 mmc,
> then it means your IIS6 is running in worker process isolation mode.
> In this case, NETWORK SERVICE is the default process identity which
> replaces IWAM. So you'd grant NETWORK SERVICE account with the proper
> permission other than IWAM.
>
> If there isn't the Application Pool folder, IIS6 is running in IIS5.0
> isolation mode, which still works with IWAM and dllhost. You can
> grant IWAM with the permission like before.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Support
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> Get Secure! - www.microsoft.com/security
You can create a new domain account and set it as this application pool's identity. Then grant this domain account with appropriate permission on the remote share. If the boxes are not in a domain environment, you'd create two local accounts on each machine with the same username and password.
To make sure the new account has proper permission to act as an IIS AppPool ID, please add it to IIS_WPG group and refer to the following article to grant it with additional group policy permissions which NETWORK SERVICE has:
Also, please note when you set the account in Application Pool's properties, you must type the account's password twice. The UI will not auto verify the password and if it's incorrect, you will get Service Unavailable error everywhere.
Please feel free to let me know if you meet any problem.
Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no rights.
Get Secure! - www.microsoft.com/security
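The steps in the reply above, written out as commands. This is an added example and not part of the original thread; the account `CONTOSO\svc-intranet`, the pool `DefaultAppPool`, the server `FILESRV`, the share `IntranetData` and the path `D:\IntranetData` are hypothetical, and the extra user rights from the article the reply refers to are not covered. The password is checked against the share first, because the pool properties accept a wrong password without complaint.

```batch
@echo off
rem Added example. All names below are hypothetical placeholders:
rem   CONTOSO\svc-intranet    dedicated low-privilege account for the pool
rem   DefaultAppPool          application pool that serves the intranet site
rem   \\FILESRV\IntranetData  remote share, backed by D:\IntranetData
set ACCT=CONTOSO\svc-intranet
set POOL=W3SVC/AppPools/DefaultAppPool
set ADSUTIL=cscript //nologo %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem === On the file server (run there, not on the web server) ===
rem Grant read-only NTFS access; /E edits the existing ACL instead of
rem replacing it. Add the same account to the share permissions as well.
rem   cacls D:\IntranetData /E /G CONTOSO\svc-intranet:R

rem === On the IIS 6 web server ===
rem 1. Prompt once, then prove the password and the share access before
rem    touching IIS, so a typo cannot end in "Service Unavailable".
set /p PASS=Password for %ACCT% (echoed on screen): 
net use \\FILESRV\IntranetData "%PASS%" /user:%ACCT%
if errorlevel 1 (
    echo Logon or share access failed. Pool identity left unchanged.
    set PASS=
    exit /b 1
)
net use \\FILESRV\IntranetData /delete

rem 2. Allow the account to run as a worker process identity.
net localgroup IIS_WPG %ACCT% /add

rem 3. Point the pool at the account. AppPoolIdentityType 3 means a
rem    specific user; 2 is NETWORK SERVICE, the default.
%ADSUTIL% set %POOL%/AppPoolIdentityType 3
%ADSUTIL% set %POOL%/WamUserName "%ACCT%"
%ADSUTIL% set %POOL%/WamUserPass "%PASS%"

rem Do not leave the password in the environment of this console.
set PASS=
```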
I have the same problem after upgrading to IIS6. I don't see application pool in IIS manager. How can I reconfigure isolation mode for IIS6 in order to use application pool?
> If you can see the Application Pool folder in the Win2K3 IIS6 mmc,
> then it means your IIS6 is running in worker process isolation mode.
> In this case, NETWORK SERVICE is the default process identity which
> replaces IWAM. So you'd grant NETWORK SERVICE account with the proper
> permission other than IWAM.
>
> If there isn't the Application Pool folder, IIS6 is running in IIS5.0
> isolation mode, which still works with IWAM and dllhost. You can
> grant IWAM with the permission like before.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Support
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> Get Secure! - www.microsoft.com/security