IIS, PHP and Windows Authentication Run as a service account
In this article, I want to go through a little issue I had when running shell_exec() in PHP under IIS with Windows Authentication turned on.
I was seeing that the user browsing the web page was the one executing the scripts (shell_exec()) instead of the service account I had set on the application pool. I noticed because I was getting a lot of access denied errors back from shell_exec() in PHP.
I'm going to first show you how this test web app is set up, to replicate the scenario, and then I'll show you a simple config change that will let you run your scripts as the App Pool account as well. If you're only interested in how to run scripts as a service account while Windows Authentication is turned on, scroll down to "Solution".
- I have created an Application Pool in IIS:
- I then created a simple web application under the Default Web Site.
Now that we have the basic setup, let's see what happens when running a "whoami" command. Create a .php file and add this content to it:
<?php
// Run "whoami" and print the Windows account that PHP (and anything it launches) is actually executing as.
$Result = shell_exec('whoami');
echo "Result: " . $Result;
?>
When loading this page in the browser, we should see the service account we set up in step 2. All good so far:
Result: itdroplets\myserviceaccount
Next, let’s disable Anonymous Authentication and enable Windows Authentication.
Here's what you're going to see now when browsing the page from a Windows account named userA:
Result: itdroplets\userA
This is clearly not good when you want to run scripts with the service account.
Solution
In order to execute a command as the service account set in the Application Pool when Windows Authentication is enabled, do as follows:
- Click on the web application and open Configuration Editor.
- In Section (1), go to system.webServer/serverRuntime and change authenticatedUserOverride from UseAuthenticatedUser to UseWorkerProcessUser (2). Make sure you click Apply.
When calling the test web page we created above, the output will be:
Result: itdroplets\myserviceaccount
So now all scripts run through shell_exec() will execute as the service account stated in the Application Pool: authenticatedUserOverride decides whether IIS impersonates the authenticated browser user for the request (the default, UseAuthenticatedUser) or keeps the worker process identity (UseWorkerProcessUser).
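The same change can be scripted instead of clicked through in Configuration Editor. The following PowerShell is an added example and not part of the original article: it reads the current value, sets authenticatedUserOverride to UseWorkerProcessUser for the application, and then requests the whoami test page with the current Windows credentials to confirm the reported account. The application name "phptest", the page path whoami.php and the use of localhost are assumptions; the expected account is the one from the article. Because serverRuntime is normally locked at the server level, the change is written to applicationHost.config under a location element for the application, which is also where Configuration Editor puts it. Keep in mind that after this change every authenticated caller's shell_exec() commands run with the App Pool account's rights, so that account should only hold the permissions the scripts actually need.

```powershell
# Added example (not from the original article). Assumptions: application "phptest"
# under Default Web Site, test page at /phptest/whoami.php, reachable on localhost.
Import-Module WebAdministration

$site     = 'Default Web Site'
$app      = 'phptest'                            # assumed application name
$location = "$site/$app"
$url      = "http://localhost/$app/whoami.php"   # assumed path of the test page
$expected = 'itdroplets\myserviceaccount'        # App Pool identity from the article

# Read the current value. The default, UseAuthenticatedUser, makes the request run
# under the browser user's token, so shell_exec() inherits that identity.
$before = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
            -Filter 'system.webServer/serverRuntime' -Name 'authenticatedUserOverride').Value
Write-Host "authenticatedUserOverride before: $before"

# Apply the change at the application level. serverRuntime is locked at the server level by
# default, so this lands in applicationHost.config inside <location path="Default Web Site/phptest">
# rather than in the application's own web.config.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter 'system.webServer/serverRuntime' -Name 'authenticatedUserOverride' `
    -Value 'UseWorkerProcessUser'

# Equivalent appcmd command:
#   %windir%\system32\inetsrv\appcmd set config "Default Web Site/phptest" `
#       /section:system.webServer/serverRuntime /authenticatedUserOverride:UseWorkerProcessUser /commit:apphost

# Verify: call the test page as the current Windows user. Before the change the page
# reports that user; afterwards it should report the App Pool account.
$response = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
if ($response.Content -match [regex]::Escape($expected)) {
    Write-Host "OK: shell_exec() now runs as $expected"
} else {
    Write-Warning "Unexpected identity in page output: $($response.Content.Trim())"
}
```

Run it from an elevated PowerShell session on the IIS host; the verification request uses the credentials of the account running the script, so a non-matching result means the override did not take effect for that application path.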