Why
When constrained delegation is set up for a machine, every application pool (worker process) on it must run under the identity of the account for which constrained delegation was configured.
What you need
A copy of iis_adsutil.vbs, and the script below (also in the zip), which you can hack on the fly:
' Reads app pool paths from appools.txt (one per line) and sets each pool to run
' as a specific account. Edit the account name and password below before running.
Set fso = CreateObject("Scripting.FileSystemObject")
Set ts = fso.OpenTextFile("appools.txt", 1)   ' 1 = ForReading

Do Until ts.AtEndOfStream
    ' Read one metabase path from the file
    sLine = ts.ReadLine
    'CreateAppPool sLine
    SetAppPoolId sLine
Loop
ts.Close

' Points an existing app pool at a configurable identity (the delegation account).
' strAppPool is appended directly to "IIS://localhost", so each line of the file
' must start with a slash (for example /W3SVC/AppPools/DefaultAppPool).
Sub SetAppPoolId(strAppPool)
    Set objPool = GetObject("IIS://localhost" & strAppPool)
    ' 3 = configurable identity (0 = LocalSystem, 1 = LocalService, 2 = NetworkService)
    objPool.AppPoolIdentityType = 3
    ' set username
    objPool.WAMUserName = "domain\account"
    ' set password
    objPool.WAMUserPass = "password"
    objPool.SetInfo
End Sub

' Creates a new app pool by name (not called by default; see the commented-out call above).
Sub CreateAppPool(strAppPool)
    Set objAppPools = GetObject("IIS://localhost/W3SVC/AppPools")
    Set objAppPool = objAppPools.Create("IIsApplicationPool", strAppPool)
    objAppPool.SetInfo
    'Set objPool = GetObject("IIS://localhost/W3SVC/AppPools/" & strAppPool)
    'configurable identity
    'objPool.AppPoolIdentityType = 3
    'set username
    'objPool.WAMUserName = "USERNAME"
    'set password
    'objPool.WAMUserPass = "password"
    'objPool.SetInfo
End Sub

' Assigns the application at W3SVC/1/Root/<ObjApp> to the app pool of the same name
' (not called by default).
Sub SetAppPool(ObjApp)
    Set vDir = GetObject("IIS://localhost/W3svc/1/Root/" & ObjApp)
    vDir.Put "AppPoolID", ObjApp
    vDir.SetInfo
    WScript.Echo "AppPool " & vDir.AppPoolId
End Sub
What to do
This isn’t step-by-step stuff – I expect you to apply some grey matter.
At the command prompt run: iis_adsutil.vbs ENUM /P W3SVC/apppools > appools.txt
This creates a text file with all the app pool names.
Edit the file to remove the leading '[' and trailing ']' from each line.
Run the script above, which reads the file and sets WAMUserName and WAMUserPass on each app pool.
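Once the script has run, check the result rather than trusting it. The PowerShell audit below is an added example (not from the original post or the zip): it walks every app pool through the same IIS ADSI provider the VBScript uses and flags any pool that is not running as the delegation account. It assumes the IIS 6 metabase ADSI provider is present (native on IIS 6; the "IIS 6 Metabase Compatibility" role service on later versions), local admin rights, and that you replace the placeholder domain\account.

```powershell
# Added audit example: report app pools not running as the constrained-delegation account.
# Assumes the IIS 6 ADSI provider and local admin rights; 'domain\account' is a placeholder.
param(
    [string]$ExpectedAccount = 'domain\account'
)

# Meaning of AppPoolIdentityType in the IIS 6 metabase
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }

$appPools = [ADSI]'IIS://localhost/W3SVC/AppPools'

$report = foreach ($pool in $appPools.psbase.Children) {
    if ($pool.SchemaClassName -ne 'IIsApplicationPool') { continue }

    $type = [int]$pool.Properties['AppPoolIdentityType'].Value
    $user = [string]$pool.Properties['WAMUserName'].Value

    # A built-in identity (0-2) ignores WAMUserName entirely, so only type 3
    # with the expected account actually runs the pool under the delegation account.
    if ($type -eq 3) { $runsAs = $user } else { $runsAs = $identityNames[$type] }
    $ok = ($type -eq 3) -and ($user -ieq $ExpectedAccount)

    [pscustomobject]@{
        AppPool      = $pool.Name
        IdentityType = $identityNames[$type]
        RunsAs       = $runsAs
        Compliant    = $ok
    }
}

$report | Format-Table -AutoSize

# Non-zero exit so the check can be used from a scheduled job or build step
$bad = @($report | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} app pool(s) not running as {1}: {2}" -f $bad.Count, $ExpectedAccount, ($bad.AppPool -join ', '))
    exit 1
}
```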
Additional Steps
The account will also need to be put into the IIS_WPG group.
The same account needs permission (READ/LIST Folder) on the C:\Windows\Temp folder on the server.