How to check and modify the application pool identity

The SquaredUp DS web application runs using an ASP.NET application pool process. This process can be configured to run as a specific user, which is called the application pool identity.

When connecting to SCOM, SquaredUp DS normally uses the end user's identity instead of the application pool identity, but the application pool identity is used for the following important tasks:

• Accessing local files (e.g. log file, configuration files) on the web server
• Connecting to the SCOM Data Warehouse
• Connecting to SCOM to render Open Access dashboards
• Connecting to other SQL and Web API data sources
• Running PowerShell scripts (unless configured otherwise)
• Performing Kerberos authentication and delegation when Windows authentication is enabled

By default, the application pool is configured to use the NetworkService identity, which appears as the Active Directory computer account when accessing network resources.

You may want to change the application pool identity to an Active Directory user account created specifically for SquaredUp DS, for example when using Kerberos delegation. This is called a domain service account.

If you change the application pool identity after installation, you must follow the instructions below.

You can specify a different application pool identity for a new installation using the modify option on the Ready to Deploy page of a new SquaredUp DS installation. This sets up the correct file permissions automatically.

Viewing the application pool identity

1. Confirm the name of the SquaredUp DS application pool.

   1. In IIS expand Default Web Site and right-click on the SquaredUp DS website.

   2. Go to Manage Application > Advanced Settings.

   3. Check the name of the Application Pool

      The default SquaredUp application pool for v6 and above is SquaredUp. For v5 it is SquaredUpv5, and for v4 SquaredUpv4.

2. View the application pool identity.

   1. In IIS, click on Application Pools.

   2. Right-click on your SquaredUp DS application pool, and select Advanced Settings.

   3. Under Process Model, you will see Identity. By default this is set to NetworkService, but if you wish to change the application pool identity you can change it here.

Modifying the application pool identity

1. Enter the credentials for the new app pool identity.

   How to change the app pool identity

   1. In IIS, click on Application Pools.

   2. Right-click on your SquaredUp DS application pool, and select Advanced Settings.

   3. Under Process Model, you will see Identity. By default this is set to NetworkService, but if you wish to change the application pool identity you can change it here.

2. Configure file permissions on the SquaredUp server.

   The account you are logging into SquaredUp DS with has no effect on disk read/write permissions. What is important is the identity (user account) of the IIS application pool used by SquaredUp DS.

   On SquaredUp DS v5.1 and above it is not necessary to reconfigure the file permissions on the SquaredUp server after changing the application pool identity. If you are using high availability continue to the next section, otherwise go to the Data Warehouse section below.

   How to configure file permissions on the SquaredUp server

   1. Open a command prompt as an administrator (from Start > Run type command prompt, right-click on the Command Prompt icon and click Run as administrator).

   2. Navigate to the instance for which you wish to change authentication.

      For example:

      cd C:\inetpub\wwwroot\SquaredUp

      Where to find the SquaredUp folder

      Name of the SquaredUp folder

      The default name of the SquaredUp folder is SquaredUp for v6 and above.

      For v5 it is SquaredUpv5, and for v4 SquaredUpv4.

      Location of the SquaredUp folder

      A custom location may have been chosen during the installation.

      The default location for the SquaredUp folder is C:\inetpub\wwwroot\SquaredUp

      For v5 it is C:\inetpub\wwwroot\SquaredUpv5 and for v4 C:\inetpub\wwwroot\SquaredUpv4.

   3. Run the SquaredUp command with permissions

      squaredup permissions --user="DOMAIN\USER"

      Where DOMAIN is your domain and USER is the SquaredUp DS application pool identity.

      For example, if the application pool identity has been changed to a user called svc-squaredup in the domain sales you would type

      squaredup permissions --user="sales\svc-squaredup"

      If your SquaredUp DS application pool identity is NetworkService and you need to re-apply the correct permissions for NetworkService then type:

      squaredup permissions --user="networkservice"

      What is the SquaredUp command for older versions?

      The SquaredUp command for v6 and above is SquaredUp. This is followed by an operator for the task you are carrying out, for example SquaredUp forms, SquaredUp windows, or SquaredUp ha.

      The SquaredUp command for v5 it is SquaredUp5, and for v4 SquaredUp4.

3. For PowerShell Run As accounts: Add the app pool identity to the necessary policies.

   If you don't use the default NetworkService as your application pool identity, you might see the following error message when using Run As accounts: A required privilege is not held by the client.

   In this case you need to add the application pool identity to the following policies:

   • Adjust memory quotas for a process

   • Replace a process-level token (you need to reboot the server for this policy to take effect)

4. Configure any other Windows authentication data sources.

   If you have tiles that use queries or scripts to access data sources that are using Windows authentication, you need to make sure that the new SquaredUp DS app pool identity has the required permissions to run the queries or scripts. This can apply to SQL, Web API, or PowerShell tiles.

   For SQL tiles:

   See How to configure access to a database for use with the SQL tile

   For Web API tiles:

   If you are querying an API that is using Windows authentication, you have to give the new app pool identity permission to access the API. How this is done depends on how you manage the API.

   For PowerShell tiles:

   This only applies if you are running your scripts as SquaredUp DS app pool, which is not recommended (see How to use the PowerShell tile). If you are using the SquaredUp DS app pool and the service you are accessing with your script uses Windows authentication, you need to give the new app pool identity permissions for the external service. How this is done depends on how you manage the service you are accessing.

5. Configure file permissions on the HA share.

   If you have configured high availability (see Enabling High Availability) then you will need to give the application pool the correct permissions to your HA share.

   Run the SquaredUp command with permissions

   Example for giving the app pool permissions to your HA share

   squaredup permissions --destination="<Your shared folder here>" --user="DOMAIN\USER"

   Where <Your shared folder here> should be replaced by a drive or path specification for your network share, DOMAIN is your domain and USER is the SquaredUp DS application pool identity.

   For example:

   squaredup permissions --destination="\\myhost\folder" --user="sales\svc-squaredup"

   If your SquaredUp DS application pool identity is NetworkService you should run the following command for each of the Primary and Secondary server(s):

   squaredup permissions --destination="\\myhost\folder" --user="DOMAIN\SquaredUpServer$"

   For example:

   squaredup permissions --destination="\\myhost\folder" --user="DOMAIN\squp01$"

   Where DOMAIN is your domain and SquaredUpServer$ is Primary server name where SquaredUp DS is installed, with a $ on the end.

   Repeat the above command for the Secondary SquaredUp web server(s), changing the SquaredUpServer$ for each SquaredUp server name.

   For example:

   squaredup permissions --destination="\\myhost\folder" --user="DOMAIN\squp02$"

   What is the SquaredUp command for older versions?

   The SquaredUp command for v6 and above is SquaredUp. This is followed by an operator for the task you are carrying out, for example SquaredUp forms, SquaredUp windows, or SquaredUp ha.

   The SquaredUp command for v5 it is SquaredUp5, and for v4 SquaredUp4.

6. Configure the Data Warehouse permissions.

   If the SquaredUp DS application pool identity has been changed you will need to give the new account access to the Data Warehouse.

   How to give the new app pool identity access to the Data Warehouse

   1. On the SquaredUp server log in to SquaredUp DS as a SCOM admin user, who is also a SQL sysadmin for the Data Warehouse database (see How to make a user a SQL sysadmin).

   2. Browse to http://localhost/SquaredUp/setup?stage=datawarehouse

      What is the SquaredUp DS URL?

      If you used the downloadable installer:

      By default, the URL to your SquaredUp DS instance is: http://SquaredUpServer/SquaredUpInstance

      SquaredUpServer is the name of the server where SquaredUp DS is installed.

      By default, SquaredUpInstance is SquaredUp. For v5 it is SquaredUpv5 and for v4 SquaredUpv4. If you gave your SquaredUp DS instance a different application name when you installed it, use the name you chose.

      On the server it would be http://localhost/SquaredUp

      This grants the application pool identity permission to access the Data Warehouse database.

      When using Windows authentication this step must be carried out on the SquaredUp server.

      If the user you are logged in as does not have SQL sysadmin permissions then you may need to configure the Data Warehouse permissions manually (see Manually creating the Data Warehouse permissions).

   3. Check that graphs are shown in SquaredUp DS, for example on a server page. You may need to wait a few moments and refresh the page.

      

7. Configure the Open Access permissions.

   If the application pool identity has been changed you will need to give the new account read-only permissions in SCOM to allow Open Access to work. If you completed the section above for the Data Warehouse, you may already have clicked next in the set up wizard to configure this.

   How to give the new app pool identity Open Access permissions

   1. On the SquaredUp server log in to SquaredUp DS as a SCOM admin user, who is also a SQL sysadmin for the Data Warehouse database (see How to make a user a SQL sysadmin).

   2. Browse to http://localhost/SquaredUp/setup?stage=openaccess

      This gives the application pool account read-only permissions in SCOM.

      When using Windows authentication this step must be carried out on the SquaredUp server.

      If the setup wizard is unable to configure Open Access, then you can manually configure Open Access (see Sharing Dashboards with anyone - Open Access).

   3. Check that you can make a page available as Open Access and view it, see Sharing Dashboards with anyone - Open Access for more information.

8. Update any SPNs or Kerberos constrained delegation settings.

   If you have previously enabled Windows authentication with Kerberos constrained delegation then you will need to update your SPNs and Kerberos delegation settings to use the new account. Review the appropriate sections on Windows authentication (see User authentication methods for SquaredUp DS for SCOM), checking for use of the application pool identity.