
Programmatically set up user account for custom identity application pool in IIS 7

In my C# code I need to create a custom identity for my web application and add it to IIS 7. I do the following:

using System;
using Microsoft.Web.Administration;

string strAppPoolName = "MyAppPool";
string strAccountName = "myappusername";                               // bare SAM account name (no domain prefix)
string strUserName = Environment.UserDomainName + "\\" + strAccountName; // DOMAIN\user form expected by IIS
string strUserPass = "<password from a secure source>";                 // not declared in the original snippet

addUserAccount(strAccountName, strUserPass);

using (ServerManager serverManager = new ServerManager())
{
    //Add application pool
    ApplicationPool appPool = serverManager.ApplicationPools.Add(strAppPoolName);
    appPool.AutoStart = true;

    appPool.ManagedPipelineMode = ManagedPipelineMode.Integrated;
    appPool.ManagedRuntimeVersion = "v4.0";

    appPool.ProcessModel.MaxProcesses = 1;

    //Assign identity to a custom user account
    appPool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
    appPool.ProcessModel.UserName = strUserName;
    appPool.ProcessModel.Password = strUserPass;

    //Nothing is written to applicationHost.config until the changes are committed
    serverManager.CommitChanges();
}

Where the user is added to the Active Directory as such:

using System.DirectoryServices.AccountManagement;

// sUserName is the bare SAM account name; SamAccountName must not carry a DOMAIN\ prefix
public static void addUserAccount(string sUserName, string sPassword)
{
    using (PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain))
    {
        using (UserPrincipal up = new UserPrincipal(oPrincipalContext))
        {
            up.SamAccountName = sUserName;
            up.SetPassword(sPassword);
            up.Enabled = true;
            up.PasswordNeverExpires = true;
            up.Description = "My app's user account";

            up.Save();
        }
    }
}

The issue is that when I later add my site and application to IIS 7 under that application pool, the web application cannot run because it does not have sufficient permissions. More importantly for me, some of the .NET classes, such as those in System.Security.Cryptography, fail with unexpected error codes even if I manually set read/write permissions for this new user account on the file system folder where my web app is installed.

So while doing some research I found the following statement:

If you use a custom identity, make sure that the user account you specify is a member of the IIS_IUSRS group on the Web server so that the account has proper access to resources. Additionally, when you use Windows and Kerberos authentication in your environment, you might need to register a Service Principal Name (SPN) with the domain controller (DC).

So, how do you do this?

If you need to add that account to the IIS_IUSRS group (which is local on the machine), you can use the GroupPrincipal for that. Keep in mind to create a PrincipalContext that is local for your machine, instead of the Domain one you used for the user. You can simply find the group by identity and then add the newly created user to the Members collection. The Add method has an overload that accepts a UserPrincipal.

Your code would look like this:

using System.DirectoryServices.AccountManagement;

// sUserName is the bare SAM account name (no DOMAIN\ prefix)
public static void addUserAccount(string sUserName, string sPassword)
{
    using (PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain))
    {
        using (PrincipalContext oGroupContext = new PrincipalContext(ContextType.Machine))
        {
            // find the local group IIS_IUSRS
            using (var gp = GroupPrincipal.FindByIdentity(oGroupContext, "IIS_IUSRS"))
            {
                using (UserPrincipal up = new UserPrincipal(oPrincipalContext))
                {
                    up.SamAccountName = sUserName;
                    up.SetPassword(sPassword);
                    up.Enabled = true;
                    up.PasswordNeverExpires = true;
                    up.Description = "My app's user account";

                    up.Save();

                    // add new user to Members of group
                    gp.Members.Add(up);
                    // save before Disposing!
                    gp.Save();
                }
            }
        }
    }
}
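The following is an added example that is not part of the question or the answer above. It joins the two halves of the procedure (creating the domain account and binding it to the pool from the question, adding it to the local IIS_IUSRS group from the answer) into one idempotent routine, verifies that the group membership actually persisted, grants the account only read/execute on the site folder, and commits the pool so it reaches applicationHost.config. It assumes .NET Framework 4.x with references to Microsoft.Web.Administration.dll and System.DirectoryServices.AccountManagement.dll, and that it runs elevated on the IIS server; the class and method names, the pool name MyAppPool and the path C:\inetpub\MyApp are illustrative.

```csharp
// Added example; names, paths and the service-account description are assumptions.
using System;
using System.DirectoryServices.AccountManagement;
using System.IO;
using System.Security.AccessControl;
using Microsoft.Web.Administration;

public static class AppPoolProvisioner
{
    // Creates (or reuses) the domain account, adds it to the local IIS_IUSRS group,
    // grants least-privilege access to the site folder and binds it to the pool.
    public static void ProvisionAppPoolIdentity(string appPoolName, string samAccountName,
                                                string password, string sitePath)
    {
        // IIS expects DOMAIN\user; the directory expects the bare SAM name.
        string userName = Environment.UserDomainName + "\\" + samAccountName;

        using (var domainContext = new PrincipalContext(ContextType.Domain))
        using (var machineContext = new PrincipalContext(ContextType.Machine))
        {
            UserPrincipal user = UserPrincipal.FindByIdentity(
                                     domainContext, IdentityType.SamAccountName, samAccountName)
                                 ?? CreateUser(domainContext, samAccountName, password);
            using (user)
            using (GroupPrincipal iisUsers = GroupPrincipal.FindByIdentity(machineContext, "IIS_IUSRS"))
            {
                if (iisUsers == null)
                    throw new InvalidOperationException("IIS_IUSRS not found; is the Web Server role installed?");

                if (!user.IsMemberOf(iisUsers))
                {
                    iisUsers.Members.Add(user);
                    iisUsers.Save(); // must be saved before the group is disposed
                }
                // Re-check against the directory rather than trusting in-memory state.
                if (!user.IsMemberOf(iisUsers))
                    throw new InvalidOperationException("IIS_IUSRS membership did not persist.");
            }
        }

        GrantFolderAccess(sitePath, userName);
        ConfigureAppPool(appPoolName, userName, password);
    }

    private static UserPrincipal CreateUser(PrincipalContext ctx, string samAccountName, string password)
    {
        var up = new UserPrincipal(ctx)
        {
            SamAccountName = samAccountName,
            Enabled = true,
            PasswordNeverExpires = true,
            UserCannotChangePassword = true,   // service account: nobody should rotate it interactively
            Description = "Service account for the web application" // assumed description
        };
        up.SetPassword(password);
        up.Save();
        return up;
    }

    // Read/execute only: the worker process has no reason to modify its own code or config.
    private static void GrantFolderAccess(string path, string identity)
    {
        var dir = new DirectoryInfo(path);
        DirectorySecurity acl = dir.GetAccessControl();
        acl.AddAccessRule(new FileSystemAccessRule(
            identity,
            FileSystemRights.ReadAndExecute,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        dir.SetAccessControl(acl);
    }

    private static void ConfigureAppPool(string appPoolName, string userName, string password)
    {
        using (var serverManager = new ServerManager())
        {
            ApplicationPool pool = serverManager.ApplicationPools[appPoolName]
                                   ?? serverManager.ApplicationPools.Add(appPoolName);
            pool.AutoStart = true;
            pool.ManagedPipelineMode = ManagedPipelineMode.Integrated;
            pool.ManagedRuntimeVersion = "v4.0";
            pool.ProcessModel.MaxProcesses = 1;
            pool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
            pool.ProcessModel.UserName = userName;
            pool.ProcessModel.Password = password;
            // Load the account's profile so per-user stores (including the RSA key
            // container that System.Security.Cryptography persists keys into) exist
            // for the worker process; without a profile those calls fail at runtime.
            pool.ProcessModel.LoadUserProfile = true;
            // Nothing reaches applicationHost.config until this call.
            serverManager.CommitChanges();
        }
    }
}
```

A typical call is `AppPoolProvisioner.ProvisionAppPoolIdentity("MyAppPool", "myappusername", password, @"C:\inetpub\MyApp")`, with the password obtained from a secret store rather than a literal. Two design points: the routine looks the user up before creating it so re-running the installer does not fail on a duplicate account, and it grants ReadAndExecute rather than the read/write the question mentions, because write access to the site folder is not what the IIS_IUSRS requirement is about and widens what a compromised worker process can alter.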
