Remote Management Behavior Matrix

Posted: Apr 23, 2007

Introduction

Have you tried to use the IIS7 UI for remote administration? There is a matrix of scenarios that remote administration caters to. Read on to see how powerful and rich this story in IIS7 is...

I find this remote management behavior matrix very useful for getting the different remote administration scenarios to work, and also for diagnosing 401s. Knowing which identity does what in each scope (server, site, application) helps me set the correct ACLs at the different paths, instead of "give full control everywhere and make it work".

Prerequisites

A prerequisite for remote management via the IIS7 UI is to start the remote administration service (wmsvc) on the server machine. The configuration of wmsvc deserves another blog post, which I will publish soon.

Getting Started

General rules of thumb (valid for every item in the matrix below):

- Redirection.config, applicationHost.config and administration.config are always read (even when you connect to a site or an app).

- Redirection.config is always read using the identity under which the wmsvc service runs (by default: NT Service\WMSVC).

- If configurationRedirection is enabled in Redirection.config:

  - Server config files (applicationHost.config, administration.config) are always read using the username and password specified in redirection.config.

- Else (configurationRedirection is disabled):

  - Server config files (applicationHost.config, administration.config) are always read using the identity under which wmsvc runs (NT Service\WMSVC by default).

- The UI does nothing special when reading the root web.config (the ASP.NET counterpart of applicationHost.config).

Now let's get to the matrix for other specifics:


The matrix has one column per connecting account (Windows Administrator, Windows User, IIS Manager User) and one row per scenario (out of the box, site or app on a UNC share, configuration redirection enabled). Each cell is listed below by scenario and then by the account you connect as.

Out of the box experience

Connecting as a Windows Administrator:

- Server connection: the UI impersonates the Windows administrator when writing to the server config files (applicationHost.config, administration.config and root web.config).

- Site connection: the UI impersonates the Windows administrator when reading from and writing to the site's web.config.

- App connection: same as the site connection.

Connecting as a Windows User:

- Server connection: N/A

- Site connection: the UI impersonates the Windows user when reading from and writing to the site's web.config.

- App connection: same as the site connection.

Connecting as an IIS Manager User:

- Server connection: N/A

- Site connection: the site's web.config file is read from and written to using the identity under which wmsvc runs (NT Service\WMSVC).

- App connection: same as the site connection.

Site or app on UNC

Connecting as a Windows Administrator:

- Server connection: the UI impersonates the Windows administrator when writing to the server config files (applicationHost.config, administration.config and root web.config).

- Site connection: if UNC credentials are specified for the UNC share, the UI reads the site's web.config file using those UNC credentials and writes as the Windows administrator. If UNC credentials are not specified for the UNC share, the UI reads from and writes to the site's web.config file as the Windows administrator.

- App connection: same as the site connection.

Connecting as a Windows User:

- Server connection: N/A

- Site connection: if UNC credentials are specified for the UNC share, the UI reads the site's web.config file using those UNC credentials and writes as the Windows user. If UNC credentials are not specified for the UNC share, the UI reads from and writes to the site's web.config file as the Windows user.

- App connection: same as the site connection.

Connecting as an IIS Manager User:

- Server connection: N/A

- Site connection: if UNC credentials are specified for the UNC share, the UI reads the site's web.config file using those UNC credentials and writes using the identity under which wmsvc runs (NT Service\WMSVC). If UNC credentials are not specified for the UNC share, the UI reads from and writes to the site's web.config using the identity under which wmsvc runs (NT Service\WMSVC). (See the note below.)

- App connection: same as the site connection (see the note below).

Configuration Redirection is enabled in Redirection.config

(Redirected config files: applicationHost.config, administration.config.)

Connecting as a Windows Administrator:

- Server connection: the server files are read using the username and password specified in redirection.config; the UI impersonates the Windows administrator when writing to the server config files (applicationHost.config, administration.config and root web.config).

- Site connection: the UI impersonates the Windows administrator when reading from and writing to the site's web.config.

- App connection: same as the site connection.

Connecting as a Windows User:

- Server connection: N/A

- Site connection: the UI impersonates the Windows user when reading from and writing to the site's web.config.

- App connection: same as the site connection.

Connecting as an IIS Manager User:

- Server connection: N/A

- Site connection: the site's config is read from and written to as the identity under which wmsvc runs (NT Service\WMSVC).

- App connection: same as the site connection.

*NOTE: If NT Service\WMSVC does not have permissions to the UNC share (which will be the case for UNC shares on another machine, since a local service identity means nothing outside the realm of the local machine), update the identity of the Web Management Service (services.msc) to a domain user that has access to the server as well as to the UNC share.

Recommendation: do *not* use the Network Service identity – it is a possible security risk, since that is the identity ASP.NET apps run under. With ACLs granted to this account, you have just opened your content/configuration up for anyone to access via an aspx page (ouch!)
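The rules of thumb and the matrix cells above can be folded into a handful of decision rules, which is what I use to work out which account needs Read or Write at which path before touching any ACLs. The following is an added example, not code from the post or from IIS: it models the matrix (connecting account, scope, redirection, UNC credentials, and the wmsvc service identity from the note) and derives the implied ACL entries. The function and parameter names, and the sample accounts (CONTOSO\alice, CONTOSO\share-reader, CONTOSO\cfgreader), are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not code from the post: a rule model of the identity matrix.
# Names here (Connection, resolve_access, required_acls) are this example's own.
WMSVC_DEFAULT = r"NT Service\WMSVC"          # default service identity from the post
SERVER_FILES = ("applicationHost.config", "administration.config")
ROOT_WEB_CONFIG = "root web.config"
SITE_WEB_CONFIG = "site web.config"


@dataclass(frozen=True)
class Connection:
    connect_as: str                          # "admin", "user" or "iis_manager_user"
    scope: str                               # "server", "site" or "app"
    redirection_enabled: bool = False        # configurationRedirection in redirection.config
    redirection_user: Optional[str] = None   # username stored in redirection.config
    content_on_unc: bool = False             # site/app content lives on a UNC share
    unc_credentials: Optional[str] = None    # account configured for that UNC share
    wmsvc_identity: str = WMSVC_DEFAULT      # service identity (a domain user per the note)
    user_name: str = "CONTOSO\\alice"        # constructed sample Windows account


def _connecting_identity(c: Connection) -> str:
    # Windows accounts are impersonated by the UI; an IIS Manager user is not a
    # Windows principal, so the service identity acts on their behalf.
    return c.wmsvc_identity if c.connect_as == "iis_manager_user" else c.user_name


def resolve_access(c: Connection) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each config file to (read identity, write identity); None = not touched."""
    if c.scope == "server" and c.connect_as != "admin":
        raise PermissionError("server connection is N/A unless connecting as a Windows administrator")
    if c.redirection_enabled and not c.redirection_user:
        raise ValueError("redirection enabled but no username given for redirection.config")

    access: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    # Rules 1 and 2: redirection.config is always read, and always as the service identity.
    access["redirection.config"] = (c.wmsvc_identity, None)
    # Rule 3: server files are always read, with the redirection credentials if
    # redirection is enabled, otherwise as the service identity.
    server_reader = c.redirection_user if c.redirection_enabled else c.wmsvc_identity
    # Server files are only written on a server connection, impersonating the admin.
    server_writer = c.user_name if c.scope == "server" else None
    for f in SERVER_FILES:
        access[f] = (server_reader, server_writer)
    # The post says nothing special about reading root web.config; writes follow the server files.
    access[ROOT_WEB_CONFIG] = (None, server_writer)

    if c.scope in ("site", "app"):           # app behaves exactly like site in every cell
        me = _connecting_identity(c)
        # UNC credentials, when configured, are used for the read; the write is
        # always done as the connecting identity (or wmsvc for an IIS Manager user).
        reader = c.unc_credentials if (c.content_on_unc and c.unc_credentials) else me
        access[SITE_WEB_CONFIG] = (reader, me)
    return access


def required_acls(c: Connection) -> List[Tuple[str, str, str]]:
    """Derive the minimal (identity, file, right) entries implied by resolve_access."""
    needs = set()
    for f, (reader, writer) in resolve_access(c).items():
        if reader:
            needs.add((reader, f, "Read"))
        if writer:
            needs.add((writer, f, "Write"))
    return sorted(needs)


if __name__ == "__main__":
    # The cell that most often produces a 401: IIS Manager user, content on a UNC share.
    conn = Connection("iis_manager_user", "site", content_on_unc=True,
                      unc_credentials="CONTOSO\\share-reader")
    for identity, path, right in required_acls(conn):
        print(f"{identity:24} needs {right:5} on {path}")
```

Running the module as a script lists the five entries for the IIS Manager User on UNC cell: the service identity needs Read on redirection.config and both server files, the UNC credentials need Read on the site's web.config, and the service identity needs Write on the site's web.config. Swapping `wmsvc_identity` for a domain account reproduces the fix described in the note, and the `PermissionError` for a non-administrator server connection is the N/A cell rather than a file permission problem.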

Comments

great post!  welcome to blogosphere!

Apr 24 2007 by bills