windowspowershelliiscmdwinexe

appcmd.exe set config doesn't check if username or password is invalid and sets it anyways

I'm using winexe from my backend api to run commands on Windows Domain Server. I want to set IIS App Pool Identity as an Account from Active Directory. The problem is that while using this command :

%windir%\system32\inetsrv\appcmd.exe set config /section:applicationPools ^
/[name='POOLNAME'].processModel.identityType:SpecificUser ^
/[name='POOLNAME'].processModel.userName:DOMAIN\USER ^
/[name='POOLNAME'].processModel.password:PASSWORD

It runs successfully everytime even if the username and password is incorrect. Even the pool gets Started with wrong password. However setting wrong password through GUI fails.

I want to identify when the password or username is being set wrongly.

PS: I even tried using Set-ItemProperty on powershell and the result was the same.

Solution

  • You can't test your credentials with AppPool, but you can definitely test them.

    # Service Principal credentials
$username = 'Username'
$password = 'Password' | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object -TypeName 'System.Management.Automation.PSCredential' -ArgumentList $username, $password


if (Test-Credential -Credential $credential) {
    Write-Verbose "Credentials for $($credential.UserName) are valid..."
    # do the appcmd stuff
}
else {
    Write-Warning 'Credentials are not valid or some other logic'
}

    Just add Test-Credential function definition at the top of your script

    function Test-Credential {
    [CmdletBinding()]
    Param
    (
        # Specifies the user account credentials to use when performing this task.
        [Parameter()]
        [ValidateNotNull()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $Credential = [System.Management.Automation.PSCredential]::Empty
    )
   
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $DS = $null
    $Username = $Credential.UserName
    $SplitUser = $Username.Split('\')
    if ($SplitUser.Count -eq 2 ) {$Username = $SplitUser[1]}
    
    if ($SplitUser.Count -eq 1 -or $SplitUser[0] -eq $env:COMPUTERNAME ) {
        $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine', $env:COMPUTERNAME)
    }
    else {
        try {
            $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('domain')
        }
        catch {
            return $false
        }
    }
        
    $DS.ValidateCredentials($Username, $Credential.GetNetworkCredential().Password)
   
}

    (PS: Code is valid even though prettifier break with backslash quote syntax)