
IIS app pool identity is entered incorrectly from powershell script

I'm writing a PowerShell script to install my application and configure the web application identity for a specific user.

The code I'm using is:

    $pool.processModel.identityType = 3
    $AppPoolUsername = Read-Host "User name(domain\username)"
    $AppPoolPassword = Read-Host "Password" -AsSecureString
    $pool.processModel.userName = [string]$AppPoolUsername
    $pool.processModel.password = [string]$AppPoolPassword

After I ran the script I ran the application and the App Pool is stopped. If I manually enter the app pool identity, it does not stop and the web application works.

I tried to convert the password from a securestring to a regular string with no success with this code:

    $AppPoolPassword = Read-Host -Prompt "Password" -AsSecureString
    $pool.processModel.userName = [string]$AppPoolUsername
    $pool.processModel.password = ConvertFrom-SecureString -SecureString $AppPoolPassword

I get "01000000d08c9ddf0115d1118c7a00c04fc297eb010000006876492ae8edf3429d809bb3ca213d910000000002000000000003660000c000000010000000ebd2f4fc7a59a92ad8cb2c4 9b99498fc0000000004800000a0000000100000007ffdc206c4eeb7c67237d24e575f86ff08000000fe8c91a31879d93014000000fee1ff6c8aa4fe66e9debe245e7ea3fd26fc823a" when checking the app pool password.

Is that right, or should I get the regular string I input?

Am I going in the right direction?

Here is one way to do it, using NetworkCredential to unwrap the hidden SecureString that's not supported by the application pool configuration API.

    $AppPoolUsername = Read-Host "User name(domain\username)"
    $AppPoolPassword = Read-Host "Password" -AsSecureString

    # We cannot pass the password as a SecureString directly to
    # the app pool configuration. NetworkCredential is at least
    # one possible way to access the hidden clear text password.
    $netcred = New-Object System.Net.NetworkCredential "unused",$AppPoolPassword

    $pool.processModel.identityType = 3
    $pool.processModel.userName = $AppPoolUsername
    $pool.processModel.password = $netcred.Password
    $pool | Set-Item

Not sure I completely understand what you're saying, but are you calling $pool | Set-Item?

Are you saying that after running the script the AppPool works but is just stopped? If so, you can easily start the AppPool using Start-WebAppPool -Name AppPoolName

Or you can try:

    Set-ItemProperty IIS:\AppPools\AppPoolName -Name processModel -Value @{userName="Domain\UserName";password="Password";identitytype=3}

The processModel's password MUST be plain text, unfortunately.

A SecureString cannot be assigned directly to the password property.

@Oskar Berggren has a nice way around it, but if you get the string directly from a 'Read-Host', the best would be to keep it as plain text (remove -AsSecureString) and assign it directly to the password property. On the other hand, if you plan on persisting the SecureString, then use @Oskar Berggren's way to get your plain password back.

Chen,

When you send your password into the process model password field, it needs to be plain text. You are reading the password from a user as a secure string (which is correct) but you need to convert it back to plain text. The conversion command that I use is:

    $textpassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securestringpassword))

So, updating your code sample, the code below should work for you:

    #input from user
    $AppPoolUsername = Read-Host "User name(domain\username)"
    $AppPoolPassword = Read-Host "Password" -AsSecureString
    $AppPoolName = Read-Host "App pool name"

    #instantiate new app pool
    $newAppPool = New-Item IIS:\AppPools\$AppPoolName;
    $newAppPool.processModel.identityType = 3;
    $newAppPool.processModel.userName = $AppPoolUsername
    $newAppPool.processModel.password = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($AppPoolPassword))
    $newAppPool | Set-Item;

Hopefully this helps.
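The three conversions tried in this thread, side by side, as an added example that is not code from the question or from any of the answers. `ConvertTo-PlainText` is a hypothetical helper name and the password is a constructed sample; unlike the one-liner above, the helper also zeroes and frees the unmanaged BSTR copy of the password.

```powershell
# Added example. ConvertTo-PlainText is a hypothetical helper name.
function ConvertTo-PlainText {
    param(
        [Parameter(Mandatory)]
        [System.Security.SecureString]$Secure
    )
    # Decrypts the SecureString into an unmanaged, length-prefixed BSTR.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try {
        # Copy the BSTR into a managed string.
        return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    }
    finally {
        # Overwrite the unmanaged clear-text copy with zeros and free it,
        # so it does not linger in process memory after the conversion.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Constructed sample value standing in for Read-Host -AsSecureString.
$sample = 'Constructed-Sample-Pw1!'
$secure = ConvertTo-SecureString $sample -AsPlainText -Force

# Attempt 1 (question): the [string] cast calls ToString(), which gives the
# type name of the object, not the password it holds.
$cast = [string]$secure

# Attempt 2 (question): without -Key, ConvertFrom-SecureString on Windows emits
# a DPAPI-protected hex blob meant for storage, not the clear-text password.
$blob = ConvertFrom-SecureString -SecureString $secure

# Working conversion: clear text suitable for processModel.password.
$plain = ConvertTo-PlainText -Secure $secure

[pscustomobject]@{
    CastResult          = $cast
    BlobEqualsPassword  = ($blob -ceq $sample)
    BlobLength          = $blob.Length
    PlainEqualsPassword = ($plain -ceq $sample)
}

# Drop the managed clear-text references once the value has been assigned.
Remove-Variable plain, sample
```

In an install script, the value returned by the helper is what gets assigned to `$pool.processModel.password` before `$pool | Set-Item`.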
