When installing the ILM password management application on a Windows 2008 server, you might run into trouble with the IIS_WPG group.
As of Windows 2008 (IIS7), the IIS_WPG group does not exist anymore.
Windows 2008 uses another group IIS_IUSRS for the purpose of supporting the IIS application pools.
If you want to know more about this, check these links:
I found a workaround, but there is no guarantee whatsoever; I don’t know if it’s supported or not.
Proceed at your own risk.
The setup files are on the ILM 2007 CD/image (%CDDRIVE%\MIIS\Password Management)
When installing the application, by running the MSI, the wizard asks for the credentials of the application pool account to install.
But when you have filled in the credentials of the service account (created previously), you might run into this error message.
“Could not add the user account to IIS_WPG group. Check user account name and domain name.”
After a few attempts, changing the credentials, changing the PasswordSet Group name, … still no luck…
It appears that:
– the PasswordSet group must be a “Domain Local” security group (not global or universal)
– the IIS_WPG group must be created as “Domain local”.
Next I got the message that the user account was invalid.
Nothing to bypass this time, except for entering the administrator user name.
The install succeeded.
REMARK: this is just a confirmation that the application was installed.
I cannot confirm yet that it actually works. (To be tested later)
– Windows 2008 uses IIS_IUSRS as security group for IIS services
– The admin account has been added to the application pool
First of all: make sure that the service account you wish to use has proper permissions and rights (like running as a service).
You’ll find the documentation of that on the net, for sure.
Add the service account to the IIS_WPG group (for this example: DEMO\PWDMGMT_SVC).
Also add the service account to the MIISPasswordSet group (for this example: DEMO\PWDMGMT_SVC).
Next, the application pool for the password management application has been installed with the admin account.
Open the IIS management console and look for the PasswordAppPool.
Check the advanced properties and change the account to the service account (do not forget the domain prefix).
Now you need to change the groups, because:
– Windows 2008 uses IIS_IUSRS as security group for IIS services
– MIISPasswordSet group should be Domain global, AFAIK
– A domain local group cannot be added to an AD domain local group; it should be domain global or universal (IIS_WPG –> IIS_IUSRS)
A nice feature of Windows 2008 is that you can change the group scope (domain local <-> universal <-> domain global).
Check the properties of the MIISPasswordSet group.
It’s a domain local group.
Switch the group scope to universal and click Apply.
It should now show all group scope options available.
Switch the group scope option to global.
Same thing for the IIS_WPG group, switch it to “domain global”, as shown below.
Next, add the IIS_WPG group to the IIS_IUSRS.
If you cannot browse the application, check the event viewer.
Check for an ASP.NET error like:
“A request mapped to aspnet_isapi.dll was made within an application pool running in Integrated .NET mode.
Aspnet_isapi.dll can only be used when running in Classic .NET mode.
Please either specify preCondition="ISAPImode" on the handler mapping to make it run only in application pools running in Classic .NET mode, or move the application to another application pool running in Classic .NET mode in order to use this handler mapping.”
If you get this error, you might need to switch the IIS application pool ’Managed pipeline mode’ to Classic (instead of Integrated).
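
The post-install steps above, scripted as an added example (not part of the original post and not Microsoft's procedure). It assumes the ActiveDirectory and WebAdministration PowerShell modules are available where it runs, and it uses the DEMO\PWDMGMT_SVC account and the group and pool names from the walkthrough.

```powershell
# Added example. Assumption: ActiveDirectory and WebAdministration modules are installed.
Import-Module ActiveDirectory
Import-Module WebAdministration

$svcSam   = 'PWDMGMT_SVC'                    # service account from the post (DEMO\PWDMGMT_SVC)
$poolPath = 'IIS:\AppPools\PasswordAppPool'  # pool created by the installer

foreach ($name in 'MIISPasswordSet', 'IIS_WPG') {
    # Domain local cannot be converted straight to global; go through universal first.
    if ((Get-ADGroup -Identity $name).GroupScope -eq 'DomainLocal') {
        Set-ADGroup -Identity $name -GroupScope Universal
    }
    if ((Get-ADGroup -Identity $name).GroupScope -ne 'Global') {
        Set-ADGroup -Identity $name -GroupScope Global
    }
    # Add the service account only if it is not already a direct member.
    $members = Get-ADGroupMember -Identity $name | ForEach-Object { $_.SamAccountName }
    if ($members -notcontains $svcSam) {
        Add-ADGroupMember -Identity $name -Members $svcSam
    }
}

# Nest the (now global) IIS_WPG group into the server's IIS_IUSRS group.
net localgroup IIS_IUSRS 'DEMO\IIS_WPG' /add

# Prompt for the service account password instead of storing it in the script.
$cred = Get-Credential -Credential "DEMO\$svcSam"
Set-ItemProperty $poolPath -Name processModel -Value @{
    identityType = 3   # 3 = SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Only needed if the aspnet_isapi.dll / Integrated mode error shows up in the event log.
Set-ItemProperty $poolPath -Name managedPipelineMode -Value 'Classic'

# Verify the end state: the pool should no longer run as the admin account
# that was entered during setup.
$pool = Get-Item $poolPath
"Pool identity : $($pool.processModel.userName)"
"Pipeline mode : $($pool.managedPipelineMode)"
"Scopes        : " + (('MIISPasswordSet', 'IIS_WPG' | ForEach-Object {
    "$_=$((Get-ADGroup -Identity $_).GroupScope)" }) -join ', ')
```

Run it in an elevated session on the IIS server. The final three lines give a quick check that the pool identity is the service account rather than the administrator used to get through the installer.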