IIS Virtual Folders and Network Storage
{ December 20th, 2007 }
We recently upgraded our infrastructure to two load-balanced web servers running the ConceptShare application, plus a separate server for file storage of concepts, user images, and account images. After experimenting with various combinations of permissions and configuration options, I looked back and saw that it wasn’t a straightforward process. Here is a summary of what is required, so that you can get started quickly.
First, a little background on how the .NET framework runs on IIS. In our case we are running IIS 6, whose worker processes run under the built-in “Network Service” identity by default. That identity has its own logon session and profile, and mapped drive letters belong to the logon session that created them, so pointing a virtual directory at a mapped drive is out. The virtual directory has to reference a UNC path instead.
For simplicity’s sake, we decided to use a new, dedicated account, which gives some separation and avoids granting excess permissions. You could technically use a “shotgun” approach: set the Administrator password to the same value on all servers and use that account to configure IIS. But that is a huge security problem (the worker process would then be an administrator on every server, so one compromised web application would own the file server too), and we take security very seriously. Here is a basic rundown of what you need to do:
- Create a limited-permissions local account with the same username and password on every server, web and storage alike. Suppose we call this account “IIS_ASP_NETWORK”. Identical local accounts are what let the web servers authenticate to the storage server without a domain.
- To be usable as a worker process identity in IIS the account needs a few user rights. The easiest way to get them is to add the account to the IIS_WPG group on each web server, which grants exactly the rights an application pool identity needs.
- On the storage server, share the folders you are going to expose as virtual directories and grant the account access on both the share and the NTFS folder. We both read and write, so we grant Modify; if you are just serving content, Read is enough. Avoid Full Control, which would also let the account rewrite the permissions.
- On each web server create a new application pool and set its identity to the new account. .NET code in that pool then runs as that account, unless impersonation is enabled.
- Set the website to use the new application pool that you just configured.
- Create the virtual directory using the full UNC path to the share (e.g. \\SERVERNAME\SHARENAME) and, in the “Connect As” dialog, supply the new account’s credentials.
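The six steps above as a script, added here as an example and not taken from the original post. It drives the IIS 6 metabase through its ADSI provider ([ADSI]'IIS://...') and uses these assumed names, which you should change to match your environment: account IIS_ASP_NETWORK, storage server FILESRV with a share called Concepts backed by D:\ConceptShare, application pool ConceptSharePool, the web site with metabase ID 1, and a virtual directory called images. Run each section elevated on the server named in its heading.

```powershell
# Added example (not the original post's code). Assumed names: IIS_ASP_NETWORK,
# FILESRV, share "Concepts" on D:\ConceptShare, pool "ConceptSharePool",
# web site ID 1, virtual directory "images". Run each section on the server
# named in its heading, from an elevated PowerShell prompt.

$User   = 'IIS_ASP_NETWORK'
$Secure = Read-Host "Password for $User" -AsSecureString
# net.exe and the metabase need the password in clear text, so unwrap it once
# and keep it in this process only.
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

# --- Step 1: on EVERY server (web and storage) -----------------------------
# Mirrored local accounts: same name and password everywhere, so the web
# servers can authenticate to the file server without a domain.
net user $User $Plain /add /passwordchg:no /expires:never | Out-Null
# Stop the password from expiring, or the site dies quietly after the policy
# interval runs out.
wmic useraccount where "name='$User'" set PasswordExpires=false | Out-Null

# --- Step 2: on each WEB server --------------------------------------------
# IIS_WPG carries the user rights a worker process identity needs. Do not
# put the account in Administrators or Power Users.
net localgroup IIS_WPG $User /add | Out-Null

# --- Step 3: on the STORAGE server -----------------------------------------
# Share the folder and grant CHANGE (read + write, but not permission changes)
# on the share. net share /GRANT needs Server 2008 or later; on Server 2003
# set the share permission in Computer Management instead.
net share Concepts=D:\ConceptShare "/GRANT:$User,CHANGE" | Out-Null
# Modify on the NTFS folder, inherited by files (OI) and subfolders (CI).
# Modify, not Full Control: the account should never be able to rewrite ACLs.
icacls D:\ConceptShare /grant "${User}:(OI)(CI)M" | Out-Null

# --- Steps 4-6: on each WEB server -----------------------------------------
# Step 4: a new application pool whose worker process runs as the account.
$pools = [ADSI]'IIS://localhost/W3SVC/AppPools'
$pool  = $pools.Create('IIsApplicationPool', 'ConceptSharePool')
$pool.Put('AppPoolIdentityType', 3)      # 3 = run as the specific user below
$pool.Put('WAMUserName', $User)
$pool.Put('WAMUserPass', $Plain)
$pool.SetInfo()

# Step 5: move the site's root application into that pool.
$root = [ADSI]'IIS://localhost/W3SVC/1/Root'
$root.Put('AppPoolId', 'ConceptSharePool')
$root.SetInfo()

# Step 6: virtual directory on the UNC path, connecting as the same account.
# A bare user name (no domain prefix) is what a mirrored local account needs:
# the file server then validates it against its own copy of the account.
$vdir = $root.Create('IIsWebVirtualDir', 'images')
$vdir.Put('Path', '\\FILESRV\Concepts')
$vdir.Put('UNCUserName', $User)
$vdir.Put('UNCPassword', $Plain)
$vdir.Put('AccessRead', $true)
$vdir.SetInfo()

# --- Check: identities and ACLs line up ------------------------------------
"Pool identity : " + $pool.Get('WAMUserName')
"Vdir connects : " + $vdir.Get('UNCUserName') + ' -> ' + $vdir.Get('Path')
icacls \\FILESRV\Concepts   # expect an IIS_ASP_NETWORK:(OI)(CI)(M) entry
```

The metabase writes go through the IIS ADSI provider, which is built into IIS 6; on IIS 7 and later the same calls only work when the “IIS 6 Metabase Compatibility” feature is installed, and you would normally use the WebAdministration module there instead. The final icacls line is run from the web server on purpose: it confirms that the NTFS permissions the storage server granted are what the web server actually sees through the share.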
That should have you up and running with a virtual directory hosted on a network resource. We never tried to run the entire site off a network resource, only the images, so I can’t comment on the stability of running an entire site that way. If you need to do some debugging, an ASPX page with Trace=”true” in its @Page directive shows the request’s server variables (LOGON_USER and friends, i.e. the authenticated caller), and writing System.Security.Principal.WindowsIdentity.GetCurrent().Name to the page tells you which account the code is actually running as. Process Monitor from Sysinternals will help you diagnose any permission issues; filter on ACCESS DENIED results from w3wp.exe and the offending path will be obvious.