
Is there any way to get IIS7 on a non-domain computer (a Windows 7 development VM in this instance) to use a domain account for an AppPool identity? I can input the credentials (domain/username, etc.) but then the AppPool throws an error about the account not having "batch logon rights".

I cannot find anything via Google to help me figure this one out, so I am thinking it might not be possible.



This appears to me to be a near impossibility. "Joining a domain" creates a trust-based relationship between the computer (object) and the domain (services).

For instance, the easiest way to adjust rights of a user is to utilize the Local Security Policy (security settings/local policies mmc snapin).

But you can use ntrights.exe. I have a single domain here, but testing a similar situation is easy:

I'm on COMPUTERA. I created an account dummyuser on COMPUTERB (aka the user is computerb\dummyuser)

When I run:

`NTRIGHTS +r SeBatchLogonRight -u computerb\dummyuser`

I receive an error:

`Granting SeBatchLogonRight to computerb\dummyuser ... failed (GetAccountSid(computerb\dummyuser)=1332`

`C:\>net helpmsg 1332` returns: No mapping between account names and security IDs was done.

This is pretty simple. Even running as a user who is a domain admin (hence, this user is inherently part of the local Administrators group on computerb), the credential for which I am performing the operation will not pass.

A good way to test this is simple... on your VM run:

`runas /user:domain\administrativeuser cmd.exe`

I would expect this to fail with 1326: Logon failure: unknown user name or bad password, since the local machine doesn't know what domain is, and/so it definitely isn't trustworthy.

What this all really means is, regardless of if you get the entry in there or not, the local computer does not and will not know who the user is when it attempts any operation, unless it can authenticate that user against a database of which it is part (your domain's AD).

I'd like to see if anyone else has a solution though.

brandeded
    Actually, using `runas /netonly ...` I can run programs as a domain user on a non-domain computer. It shows a command prompt asking me for the domain user's password, and once I enter the password it launches the program. That's why I thought this would be possible with IIS. – sliderhouserules Oct 31 '11 at 22:40
    @sliderhouserules `/netonly` works because it's actually leveraging the local `guest` user. Since IIS App Pool requires a real user with specific privs, guest simply won't work. The only way I've found to do what you're doing is to create a local user with an identical name and password to the domain-user, and hope it works. – sysadmin1138 Nov 01 '11 at 11:34
  • Even then, the SID is different, and the SID is the entry that is found in the local policy. Windows is quirky though, so it's worth a try. Also, on a dev box, I always change the [CachedLogonsCount](http://mbrownnyc.wordpress.com/2011/10/11/keep-you-sam-under-control/) to 1, and in this scenario, it should afford you some level of protection from the hackery of the dev (I assume you want to maintain a high level of a security, or you'd just add the VM to the domain, so that you can better manage it). – brandeded Nov 01 '11 at 12:31
  • I am the dev... the VM is a work-around for the VPN not allowing split tunneling. I RDP into my laptop, and if I connect the VM to the VPN then it doesn't disallow the RDP connection. – sliderhouserules Nov 01 '11 at 17:01
  • What is your question? This information doesn't provide us with any info as to what the problem is. But taking a larger step back, what are you trying to solve? – brandeded Nov 01 '11 at 18:29
  • My question is simply what I put above, and it doesn't seem possible. The larger issue is that the Cisco VPN on my work laptop doesn't allow split tunneling, which prevents me from RDP'ing into the laptop when working from home (RDP allows me to use my nice setup, dual monitors, etc.). Using a VM to connect to the VPN was a nice workaround, but since the VM isn't on the domain, IIS apps can't connect to the dev database server because SQL authentication is not allowed by policy. Thanks for the help. – sliderhouserules Nov 01 '11 at 18:39
  • Split tunneling via the Cisco VPN client should be a client side config. If your VPN doesn't allow a split-tunnel, you're saying it's piping all your traffic through the VPN? You can adjust where your packets go by adjusting your routes on your box. Take a look at the output of `netstat -ar` before and after you connect with the VPN client. Your default route (`0.0.0.0`) is likely the Cisco VPN's interface address & the gateway of the hop into your work's network. Delete this route and add back your local interface & gateway. Also [EnableLocalLAN in the pcf](http://goo.gl/qG9ng). – brandeded Nov 03 '11 at 19:44
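The check that ntrights is failing on above is the account-name-to-SID translation (error 1332, ERROR_NONE_MAPPED). The following PowerShell script is an added example, not part of the answer or comments, that reproduces that lookup on the local machine and lists which SIDs currently hold SeBatchLogonRight in the local security policy; the account name `COMPUTERB\dummyuser` is a placeholder.

```powershell
# Added example: can this machine map an account name to a SID, and who holds
# SeBatchLogonRight locally? Run elevated (secedit needs admin). The account
# name is a placeholder; substitute the domain\user you intend to use.
param([string]$Account = 'COMPUTERB\dummyuser')

function Resolve-AccountSid {
    param([string]$Name)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Name)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Same condition ntrights reports as GetAccountSid(...)=1332
        return $null
    }
}

function Resolve-SidName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return '<unresolvable on this machine>' }
}

function Get-BatchLogonRightHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes the User Rights Assignment section as a line of the form
    #   SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,...
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeBatchLogonRight*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $sids = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($s in $sids) {
        [pscustomobject]@{ Sid = $s; Account = (Resolve-SidName -Sid $s) }
    }
}

$sid = Resolve-AccountSid -Name $Account
if ($sid) {
    "$Account resolves to $sid on $env:COMPUTERNAME; the right can be assigned."
} else {
    "$Account cannot be mapped to a SID on $env:COMPUTERNAME (ntrights would report 1332)."
}
"Current holders of SeBatchLogonRight:"
Get-BatchLogonRightHolders | Format-Table -AutoSize
```

On a non-domain machine the first check fails for any domain account, which is the same reason the AppPool identity cannot be granted the right; a mirrored local account resolves fine but to a different SID, as the comments point out.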

Why do you need to use a domain user as the App Pool ID, then?

You could create a mirrored local user account and use it, and if it ever needed to get off-box with credentials, it could use them...

But there are other key features of being a domain user that this will fail to capture.

I can't think of a good use case for this; why not just join the VM to the domain?

TristanK
  • I need a domain user for the AppPool because SQL requires Windows Authentication. I'm using the VM as a work-around for the VPN not allowing split tunneling. Joining the VM to the domain would involve IT and I was looking for a solution before I resorted to that. – sliderhouserules Nov 01 '11 at 16:59
  • Yeah, for that to simulate the actual domain experience, you'll need to use a domain user. The mirrored user would have no relationship to the domain controllers at all (that's a machine-level thing). – TristanK Nov 01 '11 at 20:52