IIS 7.5 app pools and MySQL SSL issues

Posted: Wed 15 Jun 2011 23:37
by sumit
Requires: Windows 7 (or 2008) with IIS 7.5 (not IIS 7)
Devart version: 6.30.160.0

Steps to Reproduce:
1. Create an ASP.Net web application (or web service) that is configured to connect to a MySQL database using database SSL.
2. Add two virtual applications on IIS 7.5 to run on separate app pools (AppPoolA and AppPoolB) using the application created in Step 1.
3. Configure the app pools to run as "Network Service" instead of "ApplicationPoolId" identity.
4. Make a request to a page in the web application that connects to the database that is part of AppPoolA. (This step should succeed).
5. Make a request to a page in the web application that connects to the database that is part of AppPoolB. (This step fails with "2026: Could not read client key error" or "Couldn't acquire crypto service provider context").

Reason:
Under the "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" folder, the key container file that is created does not add "Network Service" to the ACL. Instead, it adds only "AppPoolA" to the list, and "AppPoolB" has no access to it.

The ACL should be on the SID of the account that the app pool is configured for. In this case, the "Network Service" account.

Note that this problem does not appear when the app pools are configured to use "ApplicationPoolId" and in that case two key container files are created, one for each app group.

Please advise.
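
A way to confirm the ACL condition described in this report on an affected host, as an added example that is not part of the original post and is not Devart's code. It assumes PowerShell 3.0 or later and an elevated prompt; the parameter names and the helper `Test-AllowsRead` are hypothetical, and only direct ACEs are evaluated (group membership is not resolved).

```powershell
# Added diagnostic example. Lists key container files that grant access to an
# app pool virtual account but carry no Allow/Read ACE for the expected identity.
param(
    [string]$KeyDir   = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',  # path from the post
    [string]$Expected = 'NT AUTHORITY\NETWORK SERVICE'                      # identity the pools run as
)

$readBits = [System.Security.AccessControl.FileSystemRights]::Read

function Test-AllowsRead {
    param($Acl, [string]$Identity)
    # True when a direct Allow ACE for $Identity carries every bit of Read.
    foreach ($rule in $Acl.Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference.Value -ieq $Identity -and
            ($rule.FileSystemRights -band $readBits) -eq $readBits) {
            return $true
        }
    }
    return $false
}

Get-ChildItem -LiteralPath $KeyDir -File -Force | ForEach-Object {
    $file = $_   # keep the file; inside catch, $_ becomes the error record
    try {
        $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
    } catch {
        # DACL not readable by the current user: report it and move on.
        [pscustomobject]@{ File = $file.Name; Created = $file.CreationTime
                           Finding = 'ACL unreadable'; AppPoolAces = '' }
        return
    }
    # App pool virtual accounts appear as IIS APPPOOL\<name>, or as an
    # S-1-5-82-* SID when the name cannot be resolved.
    $poolAces = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.IdentityReference.Value -like 'IIS APPPOOL\*' -or
             $_.IdentityReference.Value -like 'S-1-5-82-*')
        } | ForEach-Object { $_.IdentityReference.Value } | Select-Object -Unique)

    if ($poolAces.Count -gt 0 -and -not (Test-AllowsRead -Acl $acl -Identity $Expected)) {
        [pscustomobject]@{ File = $file.Name; Created = $file.CreationTime
                           Finding = "no Allow/Read ACE for $Expected"
                           AppPoolAces = ($poolAces -join ', ') }
    }
} | Sort-Object Created | Format-Table -AutoSize
```

A file listed with a single app pool under `AppPoolAces` and a creation time matching the first successful request corresponds to the state the report describes.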

Posted: Mon 20 Jun 2011 14:46
by Shalex
We will investigate the issue and notify you about the results as soon as possible.

Posted: Tue 28 Jun 2011 21:52
by sumit
Just to update the topic since it is one way for us to track the status of an issue, I received an email from Devart stating that the issue has been reproduced.

Posted: Mon 04 Jul 2011 12:27
by Shalex
The bug with SSL connection opened under Network Service account is fixed. We will post here when the corresponding build is available for download.

Posted: Tue 05 Jul 2011 17:47
by sumit
Thanks.

Posted: Mon 11 Jul 2011 11:23
by Shalex
New build of dotConnect for MySQL 6.30.185 is available for download!
It can be downloaded from http://www.devart.com/dotconnect/mysql/download.html (trial version) or from Registered Users' Area (for users with valid subscription only): http://secure.devart.com/ . This build includes the fix for the bug with SSL connection opened under Network Service account.

For more information, please refer to http://www.devart.com/forums/viewtopic.php?t=21453 .

Posted: Mon 11 Jul 2011 18:02
by sumit
Thanks for the fix.