Setting up an ASP.NET Service Account with Least-Privilege Permissions

I find myself rediscovering how to do this a lot, so I thought I’d post this here.

  1. Create your Account (let’s say it’s\sa_MyMVCHostingUser in your company’s Active Directory server – it can also be a local Windows account as well)
  2. Open up an elevated command prompt (Start -> “command” -> [CTRL]+[SHIFT]+[ENTER])
  3. Navigate to your .NET Framework directory (such as C:\Windows\Microsoft.NET\Framework\v4.0.30319)
  4. execute: aspnet_regiis -ga\sa_MyMVCHostingUser

After performing the above steps, your account will have the basic permissions to host a basic ASP.NET application. If you are accessing resources other than the IIS Metabase or content files in your IIS Application, then those permission configurations are beyond the scope of this post (and you would NOT set them up in a similar way, so don’t try).

Rendering a Custom ASP.NET Control when Disabled by Parent Container

So I was performing some maintenance work on some webform stuff in an application and ran into a problem where an existing custom control, which I have the source for so I can fix it (yay!), wasn’t properly disabling itself when it was in a container that became disabled. The way it works, it overrides the rendering process and spits out lots of HTML and javascript (eww!) but for the important things for this rendering, it looks at a custom “ReadOnly” property on the control to enable/disable the appropriate things. So essentially the control is always enabled except when that flag is set to false – a bad idea!


How to identify the user your ASP.NET app uses to authenticate as

I was recently asked how to identify the user your ASP.NET application uses to authenticate as. This can be a simple question or a bit more involved. Let’s start with the simple answers first.

Default Accounts:
Windows XP, Windows 2000, and earlier (you should NOT be caring about earlier!):
ASPNET – this is created automatically by the .NET Framework

Windows Vista, Windows 2003, and newer:

Overridden Examples:
Just because that is the default, it doesn’t mean that it is that way for your application. The first place to check is in the Advanced Settings for your Application Pool. This should tell you the account your application will default to if you don’t override it within your application.

Next, you can check your web.config to see if you’re application is impersonating a user. This is the next level of defaults to check. (and perhaps machine.config too, but you should probably NOT be overriding it there!) This will override the above defaults.

Now that you have checked there, the next thing to do is identify what type of IIS Authentication is being used. If anonymous, then you’re done – it will default to the above defaults in that overriding order. If you’re using ASP.NET impersonation, then that should default to the above as well. If you’re using Basic, Digest, Forms, or Windows authentication, then the authentication will be based on the user that the end-user logs in as.

Things can get even trickier if you do things in code, but generally this will figure it out for you.


Debugging Visual Studio 2005 ASP.NET apps on Vista Home Premium

If you have an ASP.NET app hosted by IIS7 on any Vista Home edition (though I’ve only used Home Premium), it fails because Vista Home Premium lacks Windows Authentication. Fortunately, Microsoft is aware of this and has issued a fix. Unfortunately, it’s not part of Windows Updates so you’ll have to go get it yourself.

You can find KB937523 here describing the situation:;EN-US;937523

The fix can be found here:

Jaxidian Update is proudly powered by WordPress and themed by Mukkamu