20

I have a administrative account on my machine, but due to security reasons, I don't want to run visual studio as administrator. I have ASP.NET website, windows 10, IIS8. Is there is any way way to debug website without run pool with my credentials, or run visual studio as admin, or any other method, with insufficient privileges? I wanna tune my windows to allow me debug my application, and don't use brute force like "run as admin".

For winXP exists a this article this

Georgy Grigoryev
  • 822
  • 2
  • 8
  • 26
  • 1
    This is exactly the reason IISExpress was introduced. Just use that. – LDJ Jan 07 '16 at 13:45
  • 2
    IISExpress is not a full version of IIS. For me it's more reliable use normal IIS, and find workaround to debug, than just start use IISExpress. – Georgy Grigoryev Jan 07 '16 at 13:50
  • 2
    it's also important to be able to debug the full IIS version because you may need to test/investigate configuration transforms, which (as far as I understand) isn't possible when running a website "in place" – drzaus May 08 '18 at 14:32

2 Answers2

25

As per https://msdn.microsoft.com/en-us/library/kd3se23d.aspx:

if you change the ASP.NET worker process to run under your own user account, you do not have to be an Administrator on the server that is running IIS.

Jaime Hablutzel
  • 6,117
  • 5
  • 40
  • 57
Boklucius
  • 1,896
  • 17
  • 19
  • 4
    This should be marked as the answer. The other two are not accurate. But also, as the first comment states, this is why IIS Express exists (so you don't have to hack everything to make it work with a normal user context). – Adam Plocher Aug 02 '17 at 11:20
  • 2
    Though this might work without administrator permission, it is not considered as debugging best practice. Web apps should be developed on IIS and use the same settings as the final production environment to eliminate differences that can lead to bugs. As you are not supposed to run the app under a normal user account in production, you should also not run it that way on development machine. IIS Express should also be used in limited scenarios. – Lex Li Aug 02 '17 at 12:25
  • 4
    @Lex, running VS as an admin when the rest of the account isn't is also not best practice, I'd argue. – Craig Brett Dec 11 '17 at 08:52
  • @LexLi I _completely_ disagree. Merely having Visual Studio means your environment is already unlike production. Running Visual Studio as administrator is a much worse idea than configuring local IIS to require fewer privileges. A production deployment should also not be using administrator accounts, for that matter. – Ben Collins May 31 '18 at 23:01
  • @BenCollins can you prove your statement of "Visual Studio means your environment is already unlike production". That's completely non-sense in its current form. "A production deployment should also not be using administrator accounts" is also ambiguous. Without some administrator permission, a web app won't be hosted on IIS. (Otherwise, how come IIS configuration to be changed.) – Lex Li Jul 04 '18 at 02:46
  • 2
    @LexLi production system generally do not (and should not) have Visual Studio deployed. Also, production IIS deployments should be configured such that app pools use the least required privileges, and it would be unusual that a web app would actually require an app pool with administrative permissions to function properly. If you've learned from some source that running VS as admin is a "best practice", I'd find another source for learning best practices. – Ben Collins Jul 04 '18 at 20:34
  • 2
    I've tried this solution, configured the pool to run under my credential (windows 10) but it seems that it is not working. The worker process seems to ignore that settings and run under standard IIS user (I've also made my user part of IIS_IUSRS group) – Alkampfer Jun 19 '19 at 09:58
  • 1
    After some tentative I was able to run worker process under my own account, still Visual Studio wants to be launched as Administrator, so actually, it seems that it is not possible at all to debug an IIS asp.NET process if your user is not an administrator of the machine – Alkampfer Jun 20 '19 at 10:53
  • Running the IIS process under your account by typing in the password in the IIS management console (I do not know of any other way to achieve that) is an even bigger security nightmare than running VS as Admin since one can extract the password with a view commands: https://www.sharepointdiary.com/2012/01/how-to-retrieve-iis-application-pool-password.html – rominator007 Feb 11 '22 at 08:33
3

I can't do it (as illustrated in my question).

Boklucius's citation is accurate, but I believe that article and the current update are misleading. I found that when running the app pool under my own credentials, I'm still unable to attach unless running Visual Studio as an admin. Lex Li observed that this was due to session isolation, and right now the evidence from my experimentation suggests he's right.

OutstandingBill
  • 2,614
  • 26
  • 38