How do you setup an IIS Web App so it can access a network share without an AD?
A common setup for EPiServer CMS is a load balancing scenario. You have two or more front end web servers and a shared database server. You also need to store uploaded files somewhere. The most common setup for smaller installations is to have a network share on your database server.
For larger installation where you both want to increase SLA and capacity you probably will use Microsoft Cluster for you database so you have two servers. Microsoft Cluster can also be used for File Sharing.
I ran into some trouble with Windows Server 2012 R2 and IIS 8 and spent a few hours struggling so I thought it was worth sharing.
Setup two front end web server to access Network Share
I this scenario there are three Windows Server 2012 R2 without any AD in a DMZ network. Two of them serves as front end web servers with IIS and ASP.NET to host my EPiServer CMS site and one have SQL Server and a Network Share that both front end servers use for uploaded files.
This is what I did to create the user accounts and configure the application pool working around a probable defect in IIS 8.
1) Create an account with the same username and password on all three servers. Make sure that the password does not expire or must be changed.
2) Create a Network Share on the shared Database Server and give the new account read/write rights to the share. I also tested that I could connect from the front end servers using the new account to verify that no firewalls are in the way.
3) Included the user in the IIS_IUSRS group that indirectly gives it Logon as Batch Job rights.
4) Run the following command to grant rights to the user.
aspnet_regiis -ga your_app_pool_user
I’m not sure if this step is really required anymore but better safe than sorry. 🙂
5) Restart WAS and IIS to make sure the changes to the accounts group membership is noticed if you tried to use the account in IIS before you added it to the group!
C:> net stop was /y C:> net start w3svc
6) Create an Application Pool and set the Identity under Advanced Settings. If you use the IIS Manager it will verify the account name and password.
This is the part where I got stuck with error messages when trying to set the identity.
From IIS Manager I got the following error in a dialog: “There was an error while performing this operation. Details: Value does not fall within the expected range.”
Trying to set the App Pool identity from the command line instead gave me a similar error:
C:> appcmd set config /section:applicationPools /[name='test-pool'].processModel.identityType:SpecificUser /[name='test-pool'].processModel.userName:MyAccountName /[name='test-pool'].processModel.password:P@ssw0rd ERROR ( hresult:80070057, message:Failed to commit configuration changes. The parameter is incorrect. )
When I remove the last parameter, password, the command will succeed changing identity type and setting the username but I did never figure out why I could not set the password so I retorted to editing my applicationHost.config file directly. Unfortunately with the the password ending up in clear text.
<configuration> ... <system.applicationHost> <applicationPools> ... <add name="test-pool" managedRuntimeVersion="v4.0"> <processModel identityType="SpecificUser" userName="MyAccountName" password="P@ssw0rd" /> </add> ... </applicationPools> ... </system.applicationHost> ... </configuration>
7) Finally I set my Web Application to use the application pool. I changed the config file so EPiServer uses the Network Share for VPP-folders.
Sucess! It could access the Network Share without any issues.
Performance and using Network Shares
Be aware that there are some performance impacts when your web server has to go over the network to fetch files. Make sure that you have configured your web application to cache both static and dynamic files using both kernel mode caching and by setting a far future date when they expire to reduce the traffic. The operating system also has a memory cache that is used for both local and networked files so some extra memory not used by your web application will not hurt.
Warning! If you use EPiServer CMS 7 to 7.5 you should not put the add-on modules (containing EPiservers user interface) on the network share. They should be placed on each web server instead together with your application instead.