Discover the use of application pools in isolating ASP.NET Web applications, thereby increasing the reliability of your ASP.NET Web applications. Explore the steps for creating, configuring, and using application pools.
In this part, we will take a look at one of the new features in IIS 6.0, named Application Pool, and demonstrate the use of application pools in isolating ASP.NET Web applications, thereby increasing the reliability of your ASP.NET Web applications. Then, we also will explore how these application pools affect ASP.NET applications in terms of the identity that is used to run your ASP.NET applications. Along the way, we will also look at the steps to be followed for creating application pools and assigning ASP.NET applications to run under a specific application pool. Finally, we will illustrate how to configure an application pool to run using the credentials of a specific user account.
What is an Application Pool?
An Application Pool can contain one or more applications and allows us to configure a level of isolation between different Web applications. For example, if you want to isolate all the Web applications running on the same computer, you can do this by creating a separate application pool for every Web application and placing each application in its own pool. Because each application pool runs in its own worker process, errors in one application pool will not affect the applications running in other application pools. Deploying applications in application pools is a primary advantage of running IIS 6.0 in worker process isolation mode because you can customize the application pools to achieve the degree of application isolation that you need.
When you configure application pools for optimum availability, you also should consider how to configure application pools for application security. For example, you might need to create separate application pools for applications that require a high level of security, while allowing applications that require a lower level of security to share the same application pool. In the later part of this article, we will see how to configure identities at the application pool level.
Creating a new Application Pool
Creating a new application pool is a very simple process that is carried out by using the IIS manager. When you create a new application pool, you have the following two options:
- You can create a new application pool from scratch, or
- You can create a new application pool by importing the configuration settings from an external XML file
To create a new application pool from scratch, right-click on the Application Pools node from the tree view and select New->Application Pool from the context menu. You will be presented with the following screen, where you need to enter a name for the application pool.
When creating a new application pool, you also have the option of inheriting the settings from an existing application pool. For example, if you want your new application pool to inherit the settings from the DefaultAppPool, you can do that by selecting the option Use existing application pool as a template in the above screen. After you pick this option, the Application Pool name dropdown box will be enabled, and you can select an existing application pool from it.
After the pool is created, you can save the settings of the application pool to an external XML file any time by right-clicking the application pool and selecting the option All Tasks->Save Configuration to a File that is available from the context menu. This is an extremely useful feature that makes it possible for you to easily recreate the same application pool on the same server or on a different server with minimal effort.
Configuring Identity for ASP.NET Web Applications
In previous versions of IIS, worker processes ran as LocalSystem, a powerful account that has system administrator privileges on the server. Because LocalSystem has access to almost all resources on the operating system, this had security implications. As mentioned previously, in IIS 6.0, you can set the identity of the worker process at the application pool level. The identity of an application pool is the account under which the application pool's worker process runs. By default, application pools operate under the NetworkService account, which has low-level user access rights. The NetworkService account has the following seven privileges:
- Adjust memory quotas for a process
- Generate security audits
- Log on as a service
- Replace process level token
- Impersonate a client after authentication
- Allow logon locally
- Access this computer from the network
By running the worker process under a very low-privileged account such as NetworkService, you can reduce the server's exposure to security vulnerabilities. However, by using IIS manager, you can configure the application pool to run as any of the following pre-defined accounts:
To configure identity for an application pool, right-click the application pool and select Properties from the context menu. In the Properties dialog box, select the Identity tab and you will see the following screen.
In the above dialog box, when you select the Predefined option, you can select any of the pre-defined accounts from the dropdown box. If you want your application pool to run under a different account instead, select the Configurable option and then set the User name and Password in the textboxes. This approach is particularly useful when you are running multiple applications or sites on one Web server. For example, if an ISP hosts two companies (who may even be competitors) on one Web server, it has to guarantee that these two applications run in isolation from each other. More importantly, the ISP has to make sure that a malicious administrator for one application can't access the data of the other application. You can accomplish this level of isolation by using the configurable worker process identity.
Configuring Identity for an Application Pool
To demonstrate how to configure the identity for an application pool and how ASP.NET uses that identity information at the execution time, we will create a very simple ASP.NET application. We will start off by creating a new ASP.NET application named IdentityExample by using the New Project dialog box in Visual Studio.NET. After the project is created, if you open up IIS manager, you will find that the IdentityExample project is created in the default application pool named DefaultAppPool.
Now, let us add the following lines of code to the Page_Load event of the default Web form WebForm1.aspx.
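    // Requires "using System.Security.Principal;" at the top of the code-behind file.
    private void Page_Load(object sender, System.EventArgs e)
    {
        Response.Write("ASP.NET application executes using the identity :: <b>" +
            WindowsIdentity.GetCurrent().Name + "</b>");
    }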
As you can see from the above code, we simply display the name of the account that the ASP.NET Web application uses to process the service. If you execute this code by navigating to the page from the browser, you will see the following output.
The above output just reinforces the fact that, by default, the Web application runs using the NetworkService account. Let us change the identity of the DefaultAppPool and then look at the output of our Web application. To do this, right-click the DefaultAppPool node from the IIS manager and select Properties from the context menu. In the properties dialog box, navigate to the Identity tab and select the Configurable option and specify a valid user name and password. Once entered, the screen should look like the following.
Now if you execute your application, you will see the following output.
As expected, the output reflects the change that we made using the IIS manager.
Associating an ASP.NET Web Application with an Application Pool
Create a new Visual Studio.NET project named IISIntegration using the New Project dialog box as shown in the following screen shot.
After creating the new project, if you open up IIS Manager, you will find that the IISIntegration project is created under an application pool named DefaultAppPool. As the name suggests, by default, all the newly created ASP.NET Web applications are created under this application pool. This is shown in the following screen shot.
To associate the IISIntegration ASP.NET Web application with the application pool named DemoAppPool, select the Web Sites node that is present under the Machine Name node in the IIS manager. Then, select Default Web Site->IISIntegration from the treeview and right-click it to select Properties from the context menu.
In the Properties dialog box shown above, you can change the Application Pool using the Application Pool dropdown option in the Directory tab. Because we want our Web application to run under the DemoAppPool, select DemoAppPool from the list.
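The pool identities and pool assignments described above can also be reviewed offline from a saved configuration file. The following is an added example, not code from the original article: it assumes a simplified, constructed XML fragment modeled on the IIS 6.0 metabase attributes AppPoolIdentityType, WAMUserName and AppPoolId, and the names LegacyPool, Billing and svc_demo are made up. It reports pools that run as LocalSystem and pools shared by more than one application.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a simplified fragment in the style of the IIS 6.0 metabase
# XML. LegacyPool, Billing and svc_demo are made-up names for illustration.
SAMPLE = """<configuration><MBProperty>
 <IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" AppPoolIdentityType="2"/>
 <IIsApplicationPool Location="/LM/W3SVC/AppPools/DemoAppPool" AppPoolIdentityType="3" WAMUserName="svc_demo"/>
 <IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="0"/>
 <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/IdentityExample" AppPoolId="DefaultAppPool"/>
 <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/IISIntegration" AppPoolId="DemoAppPool"/>
 <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Billing" AppPoolId="DefaultAppPool"/>
</MBProperty></configuration>"""

# AppPoolIdentityType values as stored in the metabase.
IDENTITY = {"0": "LocalSystem", "1": "LocalService", "2": "NetworkService", "3": "Configurable"}

def leaf(path):
    """Last segment of a metabase Location path."""
    return path.rsplit("/", 1)[-1]

def audit(xml_text):
    """Return ({pool: identity}, [(pool, finding), ...]) for a metabase-style export."""
    pools, apps = {}, {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # ignore an XML namespace if present
        loc = el.get("Location", "")
        if tag == "IIsApplicationPool":
            # A pool without the attribute is treated as the default, NetworkService.
            kind = IDENTITY.get(el.get("AppPoolIdentityType", "2"), "Unknown")
            pools[leaf(loc)] = el.get("WAMUserName", "") if kind == "Configurable" else kind
        elif el.get("AppPoolId"):
            # Only explicit assignments are seen; inherited AppPoolId values are not resolved.
            apps.setdefault(el.get("AppPoolId"), []).append(leaf(loc))
    findings = []
    for name in sorted(pools):
        if pools[name] == "LocalSystem":
            findings.append((name, "runs as LocalSystem"))
        if pools[name] == "":
            findings.append((name, "configurable identity has no user name"))
        if len(apps.get(name, [])) > 1:
            findings.append((name, "shared by " + ", ".join(sorted(apps[name]))))
    findings += [(n, "assigned to applications but not defined")
                 for n in sorted(set(apps) - set(pools))]
    return pools, findings

if __name__ == "__main__":
    for pool, finding in audit(SAMPLE)[1]:
        print(f"{pool}: {finding}")
```

A shared pool is not necessarily a problem, but every application in it runs in the same worker process under the same account, so it is worth confirming that the sharing is intended.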
Recycling Worker Processes and Their Impact on Application State Information
If a Web application contains code that causes problems, and you cannot easily rewrite the code, it might be useful to limit the extent of the problems by periodically recycling the worker process that services the application. You can accomplish this by using what is known as Worker Process Recycling. Worker process recycling is the replacing of the instance of the application in memory. IIS 6.0 can automatically recycle worker processes by restarting the worker process, or worker processes, that are assigned to an application pool. This helps keep problematic applications running smoothly, and minimizes problems such as memory leaks. You can trigger the recycling of the worker processes assigned to an application pool by using worker process recycling methods that are based on elapsed time, the number of Hypertext Transfer Protocol (HTTP) requests, a set time of day, and two kinds of memory consumption, in addition to recycling on demand.
To configure all the above settings, go to the Properties window of the application pool in which your Web application is running using the IIS manager. Using the Recycling, Performance, and Health tabs in the Properties window, you can specify values for the above settings. Navigating to the Performance tab in the Properties dialog box of the DemoAppPool results in the following output.
When you set the recycling of worker processes using IIS manager, you also need to take the state management strategy of your ASP.NET application into consideration, because every time the worker process is recycled, the ASP.NET state information is lost, leaving the application in an invalid state. One way to overcome this issue is to maintain state data external to the worker process, such as in a database. However, moving data to an external database to allow recycling can affect server performance in the following two ways:
- Performance is reduced because of the added data management that is needed to move the data between the application and the database.
- Recycling flushes any in-process data caches, so the caches need to be rebuilt.
If you have an application pool with applications that depend on state data, you must decide whether or not to recycle the worker processes that are assigned to that application pool. If you store state in the same process as that of IIS, and you don't want the state information to be lost, you must not recycle a worker process using the application pool configuration settings.
In this part, we looked at what application pools are and their role in increasing the reliability of your ASP.NET Web applications. We also understood that by allowing different ASP.NET applications to run under their own application pool, we can also set different identities, thereby controlling the security permissions for different ASP.NET Web applications. In Part-3 of this article, we will discuss the new XML-based Metabase storage and the security features of IIS 6.0.
About the Author
Thiru has six years of experience in architecting, designing, developing and implementing applications using Object Oriented Application development methodologies. He also possesses a thorough understanding of software life cycle (design, development and testing). He is an expert with ASP.NET, .NET Framework, Visual C#.NET, Visual Basic.NET, ADO.NET, XML Web Services and .NET Remoting and holds MCAD for .NET, MCSD and MCP certifications.
Thiru has authored numerous books and articles. He can be reached at firstname.lastname@example.org.