
Can I use ServerManager from Microsoft.Web.Administration without admin user as an application pool identity


I want to read some settings of the application pool using the ServerManager object from the Microsoft.Web.Administration.dll. The problem is that it works only if the identity of the application pool is a Windows user with administrator privileges. Otherwise I am getting UnauthorizedAccessException - Filename: redirection.config; Error: Cannot read configuration file due to insufficient permissions. Is there any workaround for this issue? My code is the following:

        using Microsoft.Web.Administration;
        using System.Web;
        using System.Web.Hosting;

        // ServerManager reads redirection.config / applicationHost.config, so the
        // pool identity needs administrator rights; otherwise the read throws
        // UnauthorizedAccessException. ServerManager is IDisposable, hence the using block.
        using (ServerManager manager = new ServerManager())
        {
            string currentSiteName = HostingEnvironment.SiteName;
            Site currentSite = manager.Sites[currentSiteName];
            string appVirtualPath = HttpRuntime.AppDomainAppVirtualPath;

            // Match this application's virtual path against the site's applications
            // to find the name of the pool it runs in.
            string appPoolName = string.Empty;
            foreach (Application app in currentSite.Applications)
            {
                string appPath = app.Path;
                if (appPath == appVirtualPath)
                {
                    appPoolName = app.ApplicationPoolName;
                }
            }

            ApplicationPool currentAppPool = manager.ApplicationPools[appPoolName];
        }

Thanks!


Solution

  • No, there is no workaround to read the configuration file without causing a big security concern. What are you trying to accomplish?

    If reading configuration settings, you can use an API in the same DLL that will give you read-only configuration access for that site's settings, such as reading web.config or values in applicationHost.config for that site only, and not encrypted ones (such as passwords). The API is called WebConfigurationManager and has a static method called GetSection, such as WebConfigurationManager.GetSection("system.webServer/defaultDocument").

    See: https://msdn.microsoft.com/en-us/library/microsoft.web.administration.webconfigurationmanager.getsection.aspx

    However, several settings (namely all the ones used to start the process w3wp.exe) cannot be read through that API. Short story: unfortunately, for security reasons, many of those settings cannot be read from a worker process. There are some things you can read using server variables, such as Request.ServerVariables["APP_POOL_ID"] or Request.ServerVariables["APP_POOL_CONFIG"]. Of course, for bitness you could calculate the size of a pointer (4 or 8), or use environment variables (like PROCESSOR_ARCHITECTURE).

    Longer story: in IIS, for security reasons, we take the applicationHost.config file and split it into smaller application pool .config files (by default located at C:\inetpub\temp\appPools), which are isolated for security reasons so that even if untrusted code were to run in the process (w3wp.exe) and try to steal/read the settings of other sites, it would be physically impossible. You can open the file and see which settings are there, and you can read those. You'll notice the appPools section is missing entirely, since that is only used by WAS to start w3wp.exe.
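    Putting the answer's advice together, here is an added example (not code from the question or the answer) that reads what a worker process is allowed to see without giving the pool identity administrator rights: the pool name and isolated config path from the IIS server variables, the process bitness from the pointer size, and the site's defaultDocument section through WebConfigurationManager.GetSection. It assumes an ASP.NET application hosted in IIS with Microsoft.Web.Administration referenced; the class and method names are the example's own.

```csharp
// Added example: read pool-related settings from inside w3wp.exe without
// ServerManager, so the application pool identity can stay a low-privilege account.
// Assumes ASP.NET on IIS with a reference to Microsoft.Web.Administration.
using System;
using System.Collections.Generic;
using System.Web;
using Microsoft.Web.Administration;

public static class WorkerProcessConfigReader
{
    // IIS exposes the pool name and the path of the isolated per-pool
    // configuration file as server variables; no admin rights are required.
    public static string GetAppPoolId(HttpRequest request)
    {
        return request.ServerVariables["APP_POOL_ID"];
    }

    public static string GetAppPoolConfigPath(HttpRequest request)
    {
        return request.ServerVariables["APP_POOL_CONFIG"];
    }

    // Pointer size of the running worker process: 4 for 32-bit, 8 for 64-bit.
    public static int GetPointerSizeInBytes()
    {
        return IntPtr.Size;
    }

    // Read-only view of this site's effective defaultDocument section, the API the
    // answer recommends; it does not expose other sites' settings or encrypted values.
    public static IList<string> GetDefaultDocuments(out bool enabled)
    {
        ConfigurationSection section =
            WebConfigurationManager.GetSection("system.webServer/defaultDocument");
        enabled = (bool)section["enabled"];

        var documents = new List<string>();
        ConfigurationElementCollection files = section.GetCollection("files");
        foreach (ConfigurationElement file in files)
        {
            documents.Add((string)file["value"]);
        }
        return documents;
    }
}
```

    Settings that only WAS uses to launch w3wp.exe (the appPools section) are absent from the isolated per-pool file, so this helper cannot return them; that absence is the isolation the answer describes, not a bug to work around.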