Net Data Design, LLC Blog

Software and Database Development Blog

There have been many questions on how to install and configure DotNetNuke on IIS 7.5 which ships in Windows 7 and Windows 2008 R2. I will outline the procedure I use to do so. For this example I will be using Windows 2008 R2 64-bit.

When you first log in to 2008 R2 you will be greeted with the Server Manager.

Server Manager

After you expand the Roles node and the Web Server node in the left pane you will be in the main IIS Manager.

IIS Manager 7.5

Right Click on the “Sites” folder and select “Add Web Site.”

Add Web Site

In the next screen we enter the web site’s specifics. Fill in the highlighted areas with your information. Note that as you enter your site name a new Application Pool is created.

Web Site Details

During the above process you will create a new directory to which you will deploy your DNN code.

Create Website Directory

After this is complete, select Application Pools from the IIS Manager node. The detailed view should indicate that the AppPool is in Integrated Pipeline mode.

AppPool View

If you have not already done so, copy your DNN files to your website directory. In IIS Manager right click your new website and:

  1. Select “Edit Permissions.”
  2. Select the “Security” tab.
  3. Click the “Edit” and then “Add” button.
  4. Click the “Locations” button and make sure you select your machine.
  5. Enter “IIS AppPool\<YourAppPoolName>” in the “Enter the object names to select:” text box.
  6. Click the “Check Names” button and click “OK”.
  7. Grant <YourAppPoolName> modify permissions on the directory.

Securing Resources for your Process Identity

At this point you are ready to edit your web.config for your database connection and get started.

If you have any questions on the Application Pool details, I have covered this in an earlier blog; you can read that here.


Not all that long ago I used SmarterTrack by SmarterTools for our Help Desk and it fit the bill fairly well. It is a full-featured, multi-channel communications portal with features like a Ticket system, Live Chat, WhosOn, branding and language support, cost analysis, data mining, reporting, surveys, and a Knowledge Base. The problem was it didn’t offer any type of billing capability or a Web Service capable of accommodating billing.

This is still a shortcoming and was the reason I moved to vTiger. I have blogged in the past about vTiger and sung its praises. It does a lot of things fairly well, but the support system was a little lacking as far as functionality. Some of the items that I really missed in the vTiger support were things like branding, ticket distribution, Live Chat, reporting and cost analysis.

Branding plays an important role for us as we can deliver Knowledge Base (KB) articles and news items to a targeted audience. This keeps the web interface to a minimum for clients and the content they have access to is relevant. Branding also provides the flexibility to share resources and agents for outstanding efficiency and offer opportunities to increase sales.

I’ll get into the more technical aspects of SmarterTrack in my next blog, but in the meantime, if you’re looking for a powerful, full-featured Help Desk, SmarterTools has the answer for you, in three different editions starting for as little as FREE. They also offer a hosted version. Have a look at the detailed Pricing and Editions.

Here are some sample UIs:

SmarterTrack Agent View

SmarterTools User View


So, what do I mean by new look? Well, the powers-that-be have moved DotNetNuke (DNN) to an open repository. Since its inception from the iBuySpy days the repository has been closed. I should note that the project has always released a “source” version of the application to the public, and for the first few years this system worked for a majority of the DNN community.

Times change, however, and DotNetNuke Corporation is adapting to these changes. For instance, the Issue Tracking has been reworked, and there are the new “Just like Clockwork” release dates, the latter replacing the “When it’s Ready” policy. I was never a big fan of this policy, but I do understand that for a project that relied on a largely volunteer staff, this was a best-fit model for DNN. Again, times change.

A few personal observations from someone (me) who has used, developed to and profited from DNN since version 1.5, the iBuySpy fork:

  1. I have noticed that the quality of releases since DNN incorporated has risen greatly. There seems to be more attention paid to details and the QA/Testing group appears to have things well in hand.
  2. The security of a DNN build has always been handled well, but the newer releases have been outstanding with no critical issues in well over a year. Kudos go to Cathal Connolly for an outstanding effort.

If you haven’t installed and tested this rich development platform, or perhaps you have in the past and lost favor, you need to check it out. You’ll find a robust community and user groups worldwide. Give it a shot.


Windows 7 and Windows Server 2008 R2 ship with IIS 7.5, which includes a feature called Application Pool Identities. Application Pool Identities allow you to run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool. The image below shows an IIS worker process (w3wp.exe) running as the DefaultAppPool identity.

Task Manager - Worker Process

Application Pool Identity Accounts

Worker processes in IIS 6 and 7 run as NETWORKSERVICE by default. NETWORKSERVICE is a built-in Windows identity. It doesn’t require a password and it has only user privileges, i.e. it is relatively low-privileged. Running as a low-privileged account is a good security practice because then a software bug can’t be used by a malicious user to take over the whole system.

The problem, however, is that over time more and more Windows system services started to run as NETWORKSERVICE, and services running as NETWORKSERVICE can tamper with other services running under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities. The Windows operating system provides a feature called “Virtual Accounts” that allows IIS to create unique identities for each of its Application Pools. Click here for more information about Virtual Accounts.

Configuring IIS Application Pool Identities

If you are running IIS 7.5 on Windows Server 2008 R2 you don’t have to do anything. For every Application Pool you create the IIS Admin Process (WAS) will create a virtual account with the name of the new Application Pool and run the Application Pool’s worker processes under this account.

If you are running Windows Server 2008 you have to change the IdentityType property of the Application Pool you created to “AppPoolIdentity”. Here is how:

  • Open the IIS Management Console (INETMGR.MSC).
  • Open the Application Pools node underneath the machine node. Select the Application Pool you want to change to run under an automatically generated Application Pool Identity.
  • Right click the Application Pool and select “Advanced Settings…”
Configuring AppPool Identity

  • Select the “Identity” list item and click the button with the three dots.
  • The following dialog appears.
Selecting AppPool Identity

  • Select the Identity Type “ApplicationPoolIdentity” from the combo box.

To do the same step via command-line you can simply call the appcmd command-line tool the following way:

%windir%\system32\inetsrv\appcmd.exe set AppPool <your AppPool> -processModel.identityType:ApplicationPoolIdentity
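
To find the pools on a server that still share a built-in identity, the following added example (not from the original post) lists every Application Pool with the account it runs as and prints the appcmd call above for each pool that needs it. It assumes an elevated prompt and the WebAdministration PowerShell module that ships with IIS 7.5; the function name is hypothetical.

```powershell
# Added example: report the identity each Application Pool runs as.
# Assumes an elevated prompt and the WebAdministration module (IIS 7.5).
Import-Module WebAdministration

function Get-AppPoolIdentityReport {   # hypothetical helper name
    # Built-in accounts are shared with other Windows services, so code in
    # one pool can tamper with anything else running under the same account.
    $sharedTypes = 'NetworkService', 'LocalService', 'LocalSystem'

    foreach ($pool in Get-ChildItem IIS:\AppPools) {
        $type = [string]$pool.processModel.identityType

        # Work out the account name that appears on the worker process.
        switch ($type) {
            'ApplicationPoolIdentity' { $account = "IIS AppPool\$($pool.Name)" }
            'SpecificUser'            { $account = $pool.processModel.userName }
            default                   { $account = $type }
        }

        $shared = $sharedTypes -contains $type
        $fix = ''
        if ($shared) {
            # The appcmd call from the post, filled in for this pool.
            $fix = 'appcmd set AppPool "{0}" -processModel.identityType:ApplicationPoolIdentity' -f $pool.Name
        }

        New-Object PSObject -Property @{
            Pool = $pool.Name; IdentityType = $type; Account = $account
            SharedIdentity = $shared; Remediation = $fix
        }
    }
}

Get-AppPoolIdentityReport | Sort-Object Pool |
    Format-List Pool, IdentityType, Account, SharedIdentity, Remediation
```

Pools running as a specific user account are listed but not flagged, since that identity is already distinct from the built-in service accounts.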

Securing Resources

Whenever a new Application Pool is created the IIS management process creates a security identifier (SID) representing the name of the Application Pool itself, i.e. if you create an Application Pool with the name “MyNewAppPool” a security identifier with the name “MyNewAppPool” is created in the Windows Security system. From this point on resources can be secured using this identity. The identity is not a real user account however, i.e. it will not show up as a user in the Windows User Management Console.

You can try this by selecting a file in Windows Explorer and adding the “DefaultAppPool” identity to its Access Control List (ACL).

  1. Open Windows Explorer.
  2. Select a file or directory.
  3. Right click the file and select “Properties”.
  4. Select the “Security” tab.
  5. Click the “Edit” and then “Add” button.
  6. Click the “Locations” button and make sure you select your machine.
  7. Enter “IIS AppPool\DefaultAppPool” in the “Enter the object names to select:” text box.
  8. Click the “Check Names” button and click “OK”.

By doing this the file or directory you selected will now also allow the “DefaultAppPool” identity access.

Securing Resources for your Process Identity

You can do this via the command-line using the ICACLS tool. The following example gives full access to the DefaultAppPool identity.

ICACLS test.txt /grant "IIS AppPool\DefaultAppPool":F
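
As an added example (not from the original post), the script below makes the same kind of grant on a site directory, using the Modify right that the DotNetNuke directory steps call for instead of the full access shown for test.txt, and then reads the ACL back to confirm it. The path and pool name are placeholders, and an elevated prompt is assumed.

```powershell
# Added example: grant an Application Pool identity Modify (not Full) rights
# on a site directory and confirm the result. Run from an elevated prompt.
$SitePath = 'C:\inetpub\MyDnnSite'   # placeholder path, substitute your own
$PoolName = 'MyNewAppPool'           # placeholder pool name

$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")

# Resolving the name to a SID confirms the virtual account is known to
# Windows; Translate throws IdentityNotMappedException if it cannot resolve.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid = $account.Translate($sidType)
"Resolved $account to $sid"

# (OI)(CI) = inherit to files and subfolders; M = Modify.
& icacls.exe $SitePath /grant "IIS AppPool\${PoolName}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Read the ACL back: explicit (non-inherited) entries only, keyed by SID.
$rules = (Get-Acl $SitePath).GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference -eq $sid }

if (-not $rules) { throw "No explicit entry for $account on $SitePath" }
$rules | Format-Table FileSystemRights, AccessControlType, InheritanceFlags -AutoSize

# Flag over-broad grants such as the ":F" used for the test file above.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($r in $rules) {
    if (($r.FileSystemRights -band $full) -eq $full) {
        Write-Warning "$account has FullControl on $SitePath"
    }
}
```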

On Windows 7 and Windows Server 2008 R2 the default is to run Application Pools as this security identifier, i.e. as the Application Pool Identity. To make this happen a new identity type with the name “AppPoolIdentity” was introduced. If the “AppPoolIdentity” identity type is selected (default on Windows 7 and Windows Server 2008 R2), IIS will run worker processes as the Application Pool identity. With every other identity type, the security identifier will only be injected into the access token of the process. If the identifier is injected, content can still be ACLed for the AppPool identity, but the owner of the token is probably not unique. Here is an article that explains this concept.

Accessing the Network

Using the NETWORKSERVICE account in a domain environment has a great benefit. Worker processes running as NETWORKSERVICE access the network as the machine account. Machine accounts are generated when a machine is joined to a domain. They look like this:

<domainname>\<machinename>$,

for example:

mydomain\machine1$

The nice thing about this is that network resources like file shares or SQL Server databases can be ACLed to allow access for this machine account.

What about AppPool identities?

The good news is that Application Pool identities also use the machine account to access network resources. No changes are required.

Note:

This article http://learn.iis.net/page.aspx/246/using-fastcgi-to-host-php-applications-on-iis-70/ walks you through the process. This article was written for IIS 7, but will apply to IIS 7.5 as well.

In addition, if your server is 64 bit, you should set ‘enable 32 bit applications’ to true in your application pool’s settings.

© 2010 Net Data Design, LLC