This How To describes how to create a least privileged local account to run the ASP.NET worker process (aspnet_wp.exe) or for impersonated identities in virtual directories. Although the procedures in this How To create a local account, the same concepts apply to a domain account.
The default account for running ASP.NET, created at installation time, is a least privileged local account and is specified in machine.config as follows:
<processModel enable="true" userName="machine" password="AutoGenerate" />
This account is identified as ASPNET under Local Users and Groups, and has a strong password secured in the Local Security Authority (LSA).
When you need to access network resources, such as a database, using the ASP.NET process identity, you can do one of the following:
Use a domain account.
Use “mirrored” local accounts (that is, accounts with matching usernames and passwords on two computers). You need to use this approach when the computers are in separate domains with no trust relationship or when the computers are separated by a firewall and you cannot open the ports required for NTLM or Kerberos authentication.
The simplest approach is to change the ASPNET account’s password to a known value on the Web server and then create an account named ASPNET with the same password on the target computer. On the Web server, you must first change the ASPNET account password in Local Users and Groups and then replace the credentials on the <processModel> element in machine.config. You should not store encrypted passwords in the registry. For more details, see Chapter 8, “ASP.NET Security.”
<processModel enable="true"
    userName="registry:HKLM\SOFTWARE\YourSecureApp\processModel\ASPNET_SETREG,userName"
    password="registry:HKLM\SOFTWARE\YourSecureApp\processModel\ASPNET_SETREG,password" . . ./>
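As an added check (not part of this How To), the following Python script audits the <processModel> element of a machine.config for the two credential forms described above: it accepts the default AutoGenerate password and the registry: reference form, flags a password written directly into the file or a SYSTEM identity, and splits a registry: reference into hive, key path and value name. Both config fragments are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed machine.config fragment (not a real file) using the registry
# reference form shown on this page for both credential attributes.
SAMPLE_MACHINE_CONFIG = """<configuration><system.web>
  <processModel enable="true"
    userName="registry:HKLM\\SOFTWARE\\YourSecureApp\\processModel\\ASPNET_SETREG,userName"
    password="registry:HKLM\\SOFTWARE\\YourSecureApp\\processModel\\ASPNET_SETREG,password" />
</system.web></configuration>"""

# Constructed counter-example: a mirrored ASPNET account whose password has
# been written directly into machine.config.
PLAINTEXT_CONFIG = """<configuration><system.web>
  <processModel enable="true" userName="ASPNET" password="constructed-example-pw" />
</system.web></configuration>"""

# registry:<hive>\<key path>,<value name>  (hive and key compared case-insensitively)
REGISTRY_REF = re.compile(r"^registry:(?P<hive>HKLM|HKCU)\\(?P<key>[^,]+),(?P<value>[^,]+)$",
                          re.IGNORECASE)

def parse_registry_ref(text):
    """Split a 'registry:HIVE\\path,valueName' reference into hive, key and value, or None."""
    m = REGISTRY_REF.match(text)
    return m.groupdict() if m else None

def audit_process_model(config_xml):
    """Return a list of findings for the <processModel> element of a machine.config."""
    pm = ET.fromstring(config_xml).find(".//processModel")
    if pm is None:
        return ["no <processModel> element found"]
    user = pm.get("userName", "")
    pwd = pm.get("password", "")
    findings = []
    if user.upper() == "SYSTEM":
        findings.append("userName is SYSTEM: the worker process would run fully privileged")
    # AutoGenerate means the password is held in the LSA, not in the config file.
    if pwd != "AutoGenerate" and not pwd.lower().startswith("registry:"):
        findings.append("password is written in plaintext in machine.config")
    for name, val in (("userName", user), ("password", pwd)):
        if val.lower().startswith("registry:") and parse_registry_ref(val) is None:
            findings.append(f"{name}: malformed registry reference {val!r}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("registry", SAMPLE_MACHINE_CONFIG), ("plaintext", PLAINTEXT_CONFIG)):
        print(label, audit_process_model(cfg) or ["ok"])
```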
You can use the steps presented in this How To to create a least privileged local account.