How to check and modify the application pool identity
The Dashboard Server web application runs using an ASP.NET application pool process. This process can be configured to run as a specific user, which is called the application pool identity.
When connecting to SCOM, Dashboard Server normally uses the end user's identity instead of the application pool identity, but the application pool identity is used for the following important tasks:
- Accessing local files (e.g. log file, configuration files) on the web server
- Connecting to the SCOM Data Warehouse
- Connecting to SCOM to render Open Access dashboards
- Connecting to other SQL and Web API data sources
- Running PowerShell scripts (unless configured otherwise)
- Performing Kerberos authentication and delegation when Windows authentication is enabled
By default, the application pool is configured to use the NetworkService identity, which appears as the Active Directory computer account when accessing network resources.
You may want to change the application pool identity to an Active Directory user account created specifically for Dashboard Server, for example when using Kerberos delegation. This is called a domain service account.
If you change the application pool identity after installation, you must follow the instructions below.
You can specify a different application pool identity for a new installation using the modify option on the Ready to Deploy page of a new Dashboard Server installation. This sets up the correct file permissions automatically.
Viewing the application pool identity
Confirm the name of the Dashboard Server application pool.
In IIS expand Default Web Site and right-click on the Dashboard Server website.
Go to Manage Application > Advanced Settings.
Check the name of the Application Pool, which by default is
SquaredUpv5orSquaredUpv4depending on your version of Dashboard Server.
View the application pool identity.
In IIS, click on Application Pools.
Right-click on your Dashboard Server application pool, for example SquaredUpv5 and select Advanced Settings.
Under Process Model, you will see Identity. By default this is set to NetworkService, but if you wish to change the application pool identity you can change it here.
Modifying the application pool identity
Enter the credentials for the new app pool identity.
How to change the app pool identityIn IIS, click on Application Pools.
Right-click on your Dashboard Server application pool, for example SquaredUpv5 and select Advanced Settings.
Under Process Model, you will see Identity. By default this is set to NetworkService, but if you wish to change the application pool identity you can change it here.
Configure file permissions on the SquaredUp server.
The account you are logging into Dashboard Server with has no effect on disk read/write permissions. What is important is the identity (user account) of the IIS application pool used by Dashboard Server.
On Dashboard Server v5.1 and above it is not necessary to reconfigure the file permissions on the SquaredUp server after changing the application pool identity. If you are using high availability continue to the next section, otherwise go to the Data Warehouse section below.
How to configure file permissions on the SquaredUp server- Open a command prompt as an administrator (from Start > Run type
command prompt, right-click on the Command Prompt icon and click Run as administrator). Access your Dashboard Server folder, for example:
Where to find the SquaredUp folder Name of the SquaredUp folder
The name of the SquaredUp folder is
SquaredUpvfollowed by theproduct version number.Location of the SquaredUp folder
The default location for the SquaredUp folder is
C:\inetpub\wwwroot\SquaredUpv[Version Number], but a custom location may have been chosen during the installation.
For example, for Dashboard Server v5 the default folder location isC:\inetpub\wwwroot\SquaredUpv5and for v4C:\inetpub\wwwroot\SquaredUpv4Type:
squaredup5 permissions --user="DOMAIN\USER"For Dashboard Server v4 use:
squaredup4 permissions --user="DOMAIN\USER"Where
DOMAINis your domain andUSERis the Dashboard Server application pool identity.For example, if the application pool identity has been changed to a user called svc-squaredup in the domain sales you would type
squaredup5 permissions --user="sales\svc-squaredup"If your Dashboard Server application pool identity is NetworkService and you need to re-apply the correct permissions for NetworkService then type:
squaredup5 permissions --user="networkservice"
- Open a command prompt as an administrator (from Start > Run type
For PowerShell Run As accounts: Add the app pool identity to the necessary policies.
If you don't use the default NetworkService as your application pool identity, you might see the following error message when using Run As accounts: A required privilege is not held by the client.
In this case you need to add the application pool identity to the following policies:
Adjust memory quotas for a process
Replace a process-level token (you need to reboot the server for this policy to take effect)
Configure any other Windows authentication data sources.
If you have tiles that use queries or scripts to access data sources that are using Windows authentication, you need to make sure that the new Dashboard Server app pool identity has the required permissions to run the queries or scripts. This can apply to SQL, Web API, or PowerShell tiles.
For SQL tiles:
See How to configure access to a database for use with the SQL tile
For Web API tiles:
If you are querying an API that is using Windows authentication, you have to give the new app pool identity permission to access the API. How this is done depends on how you manage the API.
For PowerShell tiles:
This only applies if you are running your scripts as Dashboard Server app pool, which is not recommended (see How to use the PowerShell tile). If you are using the Dashboard Server app pool and the service you are accessing with your script uses Windows authentication, you need to give the new app pool identity permissions for the external service. How this is done depends on how you manage the service you are accessing.
Configure file permissions on the HA share.
If you have configured high availability (see Enabling High Availability) then you will need to give the application pool the correct permissions to your HA share.
Example for giving the app pool permissions to your HA sharesquaredup5 permissions --destination="<Your shared folder here>" --user="DOMAIN\USER"Where
<Your shared folder here>should be replaced by a drive or path specification for your network share,DOMAINis your domain andUSERis the Dashboard Server application pool identity.For example:
squaredup5 permissions --destination="\\myhost\folder" --user="sales\svc-squaredup"If your Dashboard Server application pool identity is NetworkService you should run the following command for each of the Primary and Secondary server(s):
squaredup5 permissions --destination="\\myhost\folder" --user="DOMAIN\SquaredUpServer$"For example:
squaredup5 permissions --destination="\\myhost\folder" --user="DOMAIN\squp01$"Where
DOMAINis your domain andSquaredUpServer$is Primary server name where Dashboard Server is installed, with a $ on the end.Repeat the above command for the Secondary SquaredUp web server(s), changing the
SquaredUpServer$for each SquaredUp server name.For example:
squaredup5 permissions --destination="\\myhost\folder" --user="DOMAIN\squp02$"Configure the Data Warehouse permissions.
If the Dashboard Server application pool identity has been changed you will need to give the new account access to the Data Warehouse.
How to give the new app pool identity access to the Data Warehouse- On the SquaredUp server log in to Dashboard Server as a SCOM admin user, who is also a SQL sysadmin for the Data Warehouse database (see How to make a user a SQL sysadmin).
Browse to
http://localhost/SquaredUpv5/setup?stage=datawarehouseFor Dashboard Server v4 use:
http://localhost/SquaredUpv4/setup?stage=datawarehouse
This grants the application pool identity permission to access the Data Warehouse database.When using Windows authentication this step must be carried out on the SquaredUp server.
If the user you are logged in as does not have SQL sysadmin permissions then you may need to configure the Data Warehouse permissions manually (see Manually creating the Data Warehouse permissions).
Check that graphs are shown in Dashboard Server, for example on a server page. You may need to wait a few moments and refresh the page.
Configure the Open Access permissions.
If the application pool identity has been changed you will need to give the new account read-only permissions in SCOM to allow Open Access to work. If you completed the section above for the Data Warehouse, you may already have clicked next in the set up wizard to configure this.
How to give the new app pool identity Open Access permissions- On the SquaredUp server log in to Dashboard Server as a SCOM admin user, who is also a SQL sysadmin for the Data Warehouse database (see How to make a user a SQL sysadmin).
Browse to
http://localhost/SquaredUpv5/setup?stage=openaccessFor Dashboard Server v4 use:
http://localhost/SquaredUpv4/setup?stage=openaccessThis gives the application pool account read-only permissions in SCOM.
When using Windows authentication this step must be carried out on the SquaredUp server.
If the setup wizard is unable to configure Open Access, then you can manually configure Open Access (see Sharing Dashboards with anyone - Open Access).
- Check that you can make a page available as Open Access and view it, see Sharing Dashboards with anyone - Open Access for more information.
Update any SPNs or Kerberos constrained delegation settings.
If you have previously enabled Windows authentication with Kerberos constrained delegation then you will need to update your SPNs and Kerberos delegation settings to use the new account. Review the appropriate sections on Windows authentication (see User authentication methods for Dashboard Server SCOM Edition), checking for use of the application pool identity.
Comments
0 comments
Please sign in to leave a comment.