
I have an ASP.NET MVC 5 app hosted in IIS 10 on Windows 2016. Our sys admins have created a Managed Service Account (MSA) that is tied to this server and has read/write permissions to a folder on the network. I need to write PDFs to that folder from the web application using the MSA.

Currently, I'm simply trying to write a simple text file to the folder:

System.IO.File.WriteAllText(@"\\SomeUncPath\Reports\test.txt", "sample text");

The above produces this error, which is to be expected,

System.UnauthorizedAccessException: Access to the path '\\SomeUncPath\Reports\test.txt' is denied.

I followed this video: https://www.youtube.com/watch?v=lBv81lwZgIo to no avail. It just caused the site to generate a 503 error.

Is it possible to write the files using C# impersonation, such as described in this article? But how do you impersonate an MSA, which has a password set by the system?

I tried the following code using the SimpleImpersonation:

// SimpleImpersonation requires a non-empty password; an MSA has no password that a caller can supply
var cred = new UserCredentials("myDomain", "someMsa$", "");
Impersonation.RunAsUser(cred, LogonType.Batch, () =>
{
    // same target file as the first attempt above
    System.IO.File.WriteAllText(@"\\SomeUncPath\Reports\test.txt", "sample text");
});

The above throws this:

System.ArgumentException: Password cannot be empty or consist solely of whitespace characters. Parameter name: password

Update 1: The server is throwing the following error into the System log:

Application pool SomePool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.

And these two warnings:

Application pool SomePool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

and

The identity of application pool SomePool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

I tried this and rebooted the server but the issue persists.

Update 2: If I give the app pool my credentials, the app loads without any issues. It's only on the MSA that it fails with the above error/warnings. What could be wrong with the MSA?

Update 3: The issue was how I was adding the MSA to the app pool. I needed to include my domain in the username: myDomain\someMsa$. Once I had that in, it worked like a charm!

NetMage: The error seems clear - you aren't giving SomePool the correct password for the MSA.
Alex: Thanks, @NetMage. Found the issue: when adding the MSA to the app pool as its identity, I was not adding `myDomain`. Once it was there, it was happy.
Lex Li: Instead of posting your solution as an update, post it as an answer and accept it.
Alex: Thanks, @LexLi. I'll answer it when I get back to the office.

1 Answer


The issue had to do with missing the domain when setting the MSA as the app pool identity. When adding it, I needed to set it as myDomain\someMsa$ instead of simply someMsa$. What's strange is how IIS didn't give an error, perhaps because the MSA account was considered both a local and domain account.

Also, in our case, we didn't need the "Log on as a batch" permission for the MSA. It worked fine without it.
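The fix described in the answer, as an added PowerShell example (not code from the asker or the answerer): set the SomePool identity to the domain-qualified MSA with an empty password, confirm the MSA is installed on the host, and check that the pool stays started. It assumes the WebAdministration module that ships with IIS and the ActiveDirectory RSAT module are present, and that the admins already ran Install-ADServiceAccount for this MSA on this server.

```powershell
# Added example: configure the SomePool app pool to run as myDomain\someMsa$.
# Assumes the WebAdministration and ActiveDirectory modules are installed and
# that Install-ADServiceAccount was already run for the MSA on this host.
Import-Module WebAdministration
Import-Module ActiveDirectory

$poolName = 'SomePool'
$domain   = 'myDomain'
$msaName  = 'someMsa$'          # the trailing $ is part of the account name

# 1. Confirm the MSA is actually installed on this computer. WAS validates the
#    pool identity on the first request, so a host that cannot retrieve the MSA
#    password produces the "identity is invalid" events quoted in the question.
if (-not (Test-ADServiceAccount -Identity $msaName.TrimEnd('$'))) {
    throw "MSA $msaName is not installed here; run Install-ADServiceAccount first."
}

# 2. Set the identity with the DOMAIN-QUALIFIED name and an EMPTY password.
#    identityType 3 = SpecificUser. Windows retrieves the MSA password itself,
#    so no secret is written into applicationHost.config.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = "$domain\$msaName"
    password     = ''
}

# 3. Read back what IIS stored, recycle the pool and make sure it stays started.
$pm = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
if ($pm.userName -ne "$domain\$msaName") {
    throw "Expected userName '$domain\$msaName' but found '$($pm.userName)'"
}
Restart-WebAppPool -Name $poolName
Start-Sleep -Seconds 2
$state = (Get-WebAppPoolState -Name $poolName).Value
if ($state -ne 'Started') {
    throw "Pool $poolName is in state '$state'; check the System log for WAS events"
}
Write-Host "Pool $poolName now runs as $($pm.userName) (identityType=$($pm.identityType))"
```

With the pool running as the MSA, the File.WriteAllText call in the question works without any in-process impersonation, and the share ACL on \\SomeUncPath\Reports is the only place that grants the write.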