appcmd.exe set config doesn't check if username or password is invalid and sets it anyways


I'm using winexe from my backend API to run commands on a Windows Domain Server. I want to set the IIS App Pool Identity to an account from Active Directory. The problem is that while using this command:

%windir%\system32\inetsrv\appcmd.exe set config /section:applicationPools ^
/[name='POOLNAME'].processModel.identityType:SpecificUser ^
/[name='POOLNAME'].processModel.userName:DOMAIN\USER ^
/[name='POOLNAME'].processModel.password:PASSWORD

It runs successfully every time, even if the username and password are incorrect. The pool even gets started with the wrong password. However, setting a wrong password through the GUI fails.

I want to identify when the password or username is being set wrongly.

PS: I even tried using Set-ItemProperty in PowerShell and the result was the same.


There are 2 answers

Sage Pourpre (best answer)

You can't test your credentials with AppPool, but you can definitely test them.

# Service Principal credentials
$username = 'Username'
$password = 'Password' | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object -TypeName 'System.Management.Automation.PSCredential' -ArgumentList $username, $password


if (Test-Credential -Credential $credential) {
    Write-Verbose "Credentials for $($credential.UserName) are valid..."
    # do the appcmd stuff
}
else {
    Write-Warning 'Credentials are not valid or some other logic'
}

Just add the Test-Credential function definition at the top of your script:

function Test-Credential {
    [CmdletBinding()]
    Param
    (
        # Specifies the user account credentials to use when performing this task.
        [Parameter()]
        [ValidateNotNull()]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $Credential = [System.Management.Automation.PSCredential]::Empty
    )

    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $DS = $null
    $Username = $Credential.UserName
    # Accept both "user" and "DOMAIN\user"; the prefix decides which account store to validate against.
    $SplitUser = $Username.Split('\')
    if ($SplitUser.Count -eq 2) { $Username = $SplitUser[1] }

    if ($SplitUser.Count -eq 1 -or $SplitUser[0] -eq $env:COMPUTERNAME) {
        # Local account: validate against this machine's SAM database.
        $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine', $env:COMPUTERNAME)
    }
    else {
        # Domain account: validate against the domain this machine is joined to.
        try {
            $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('domain')
        }
        catch {
            return $false
        }
    }

    try {
        # Returns $true only if the domain controller (or local SAM) accepts the logon.
        $DS.ValidateCredentials($Username, $Credential.GetNetworkCredential().Password)
    }
    finally {
        $DS.Dispose()
    }
}

(PS: the code is valid even though the prettifier breaks on the backslash-quote syntax.)
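The pattern above, carried through to the asker's appcmd call as one function, as an added example that is not part of the answer: validate the DOMAIN\user credential against its own domain, apply it with appcmd only if the logon succeeds, and read back what IIS actually stored. It assumes a domain-joined IIS host with an existing pool; the function name, pool name and account are placeholders.

```powershell
# Added example (not from the question or answers). Assumes PowerShell on a domain-joined
# IIS host and an existing application pool; pool and account names are placeholders.
function Set-AppPoolIdentityChecked {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PoolName,
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential
    )
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement

    # Step 1: appcmd stores whatever it is handed, so check the logon against the domain first.
    $domain, $user = $Credential.UserName -split '\\', 2
    if (-not $user) { throw "Use the DOMAIN\user form for the pool identity ($($Credential.UserName))." }
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $domain)
    try {
        if (-not $ctx.ValidateCredentials($user, $Credential.GetNetworkCredential().Password)) {
            throw "Credentials for $($Credential.UserName) were rejected by domain $domain; pool left unchanged."
        }
    }
    finally { $ctx.Dispose() }

    # Step 2: apply. appcmd exits non-zero for a bad pool name or malformed argument,
    # but, as the question observes, not for a bad password.
    $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
    $plain  = $Credential.GetNetworkCredential().Password
    & $appcmd set config /section:applicationPools `
        "/[name='$PoolName'].processModel.identityType:SpecificUser" `
        "/[name='$PoolName'].processModel.userName:$($Credential.UserName)" `
        "/[name='$PoolName'].processModel.password:$plain" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed with exit code $LASTEXITCODE" }

    # Step 3: read back the stored identity so the caller can log and compare it.
    $stored = & $appcmd list apppool $PoolName /text:processModel.userName
    [pscustomobject]@{
        Pool       = $PoolName
        StoredUser = $stored
        Matches    = ($stored -eq $Credential.UserName)
    }
}

# Usage (constructed values); prompt for the password instead of embedding it in the script.
# $cred = Get-Credential -UserName 'DOMAIN\svc-web' -Message 'App pool identity'
# Set-AppPoolIdentityChecked -PoolName 'POOLNAME' -Credential $cred
```

The pool can still show as Started with a wrong password because WAS only logs the identity on when it needs a worker process; a bad credential that slips through surfaces later as WAS event 5021 ("The identity of application pool ... is invalid") in the System log, and the pool is disabled on its first request.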

mtneagle

Amazingly, I puzzled out that you can do it like this, but it still doesn't validate:

appcmd set apppool junkapp /processmodel.password:junkpassword