Installing ILM password application on Windows 2008

When installing the ILM password management application on a Windows 2008 server, you might run into trouble with the IIS_WPG group.

As of Windows 2008 (IIS7), the IIS_WPG group no longer exists.
Windows 2008 uses another group, IIS_IUSRS, to support the IIS application pools.

If you want to know more about this, check these links:

I found a work-around, but there is no guarantee whatsoever; I don’t know if it’s supported or not.
Proceed at your own risk.

The setup files are on the ILM 2007 CD/image (%CDDRIVE%\MIIS\Password Management)

When installing the application, by running the MSI, the wizard asks for the credentials of the application pool account to install.

image1

But when you have filled in the credentials of the service account (created previously), you might run into this error message.

“Could not add the user account to IIS_WPG group. Check user account name and domain name.”

 image2

After a few attempts, changing the credentials, changing the PasswordSet Group name, … still no luck…

It appears that:

– the PasswordSet group must be a “Domain Local” security group (not global or universal)

– the IIS_WPG group must be created as “Domain local”.

Next I got the message that the user account was invalid.
Nothing to bypass this time, except for entering the administrator user name.

image3

The install succeeded.

 image14 

REMARK: this is just a confirmation that the application was installed.
I cannot confirm yet that it actually works. (To be tested later)

 

But:

– Windows 2008 uses IIS_IUSRS as security group for IIS services

– The admin account has been added to the application pool

First of all: make sure that the service account you wish to use has proper permissions and rights (like running as a service)

You’ll find the documentation of that on the net, for sure.

Add the service account to the IIS_WPG group (for this example: DEMO\PWDMGMT_SVC).

 image4

Also: add the service account to the MIISPasswordSet group (for this example: DEMO\PWDMGMT_SVC).

 image5

Next, the application pool for the password management application has been installed with the admin account.
Open the IIS management console and look for the PasswordAppPool.

 image6

Check the advanced properties and change the account to the service account (do not forget the domain prefix).

 image7

Now you need to change the groups, because:

– Windows 2008 uses IIS_IUSRS as security group for IIS services

– MIISPasswordSet group should be Domain global, AFAIK

– A domain local group cannot be added to an AD domain local group; it should be domain global or universal (IIS_WPG –> IIS_IUSRS)

 

A nice feature of Windows 2008 is that you can change the group scope (domain local <-> universal <-> domain global).

Check the properties of the MIISPasswordSet group.

It’s a domain local group.

 image8

Switch the group scope to universal and click Apply.

 image9

It should now show all group scope options as available.

 image10

Switch the group scope option to global.

 image11

 

Same thing for the IIS_WPG group, switch it to “domain global”, as shown below.

 image12

Next, add the IIS_WPG group to the IIS_IUSRS.

 image13

If you cannot browse the application, check the event viewer.

Check for an ASP.NET error like:

“A request mapped to aspnet_isapi.dll was made within an application pool running in Integrated .NET mode. 

Aspnet_isapi.dll can only be used when running in Classic .NET mode. 

Please either specify preCondition="ISAPImode" on the handler mapping to make it run only in application pools running in Classic .NET mode, or move the application to another application pool running in Classic .NET mode in order to use this handler mapping.”,

If you get this error, you might need to switch the IIS application pool ’Managed pipeline mode’ to Classic (instead of integrated).

image
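
A read-only check of the end state the steps above aim for, as an added example that is not part of the original post. It assumes PowerShell 2.0 or later on the IIS server, the default appcmd.exe location, and the post's example names (PasswordAppPool, DEMO\PWDMGMT_SVC, MIISPasswordSet, IIS_WPG); the helper function names are made up for this example.

```powershell
# Added example, not from the original post: read-only check of the end state.
# Assumes PowerShell 2.0+, run on the IIS server as a domain user.
$appPool    = 'PasswordAppPool'      # pool name from the post
$svcAccount = 'DEMO\PWDMGMT_SVC'     # example service account from the post
$groups     = 'MIISPasswordSet', 'IIS_WPG'
$appcmd     = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

function Get-GroupScope([string]$samName) {
    # Look the group up in the current domain and decode its groupType flags
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$samName))"
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { return 'NotFound' }
    $type = [int]$hit.Properties['grouptype'][0]
    if ($type -band 2) { return 'Global' }
    if ($type -band 4) { return 'DomainLocal' }
    if ($type -band 8) { return 'Universal' }
    return 'Unknown'
}

function Get-AppPoolSetting([string]$property) {
    # With /text:<attribute>, appcmd prints only that attribute's value
    (& $appcmd list apppool $appPool "/text:$property" | Out-String).Trim()
}

function New-Check([string]$name, [string]$value, [bool]$ok) {
    New-Object PSObject -Property @{ Check = $name; Value = $value; OK = $ok }
}

$report = @()
foreach ($g in $groups) {
    $scope = Get-GroupScope $g
    $report += New-Check "$g group scope" $scope ($scope -eq 'Global')
}

# The installer left the pool running as the admin account; it should now
# run as the dedicated service account instead.
$idType = Get-AppPoolSetting 'processModel.identityType'
$user   = Get-AppPoolSetting 'processModel.userName'
$report += New-Check "$appPool identity" "$idType / $user" `
    ($idType -eq 'SpecificUser' -and $user -eq $svcAccount)

# Classic is only needed if the aspnet_isapi.dll error appears in the event log
$mode = Get-AppPoolSetting 'managedPipelineMode'
$report += New-Check "$appPool pipeline mode" $mode ($mode -eq 'Classic')

$report | Format-Table Check, Value, OK -AutoSize
```

A row with OK = False for the identity check means the pool is still running under the account used during setup rather than the service account.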
