IIS, PHP and Windows Authentication Run as a service account

In this article I want to walk through a small issue I had when calling shell_exec() from PHP, running under IIS with Windows Authentication turned on.

I was seeing that the user browsing the web page, not the service account I had set on the application pool, was the one executing the scripts launched through shell_exec(). I noticed because shell_exec() was returning a lot of access denied errors to PHP.

I’m first going to show you how this test web app is set up, to replicate the scenario, and then a simple config change that lets your scripts also run as the App Pool account. If you’re only interested in how to run scripts as a service account while Windows Authentication is turned on, scroll down to “Solution”.

  1. I have created an Application Pool in IIS:
    • In the Advanced Settings, I’ve set the pool to run as a domain user (e.g. itdroplets\myserviceaccount).
  2. I then created a simple web application under the Default Web Site.
    • As you can see, I set it to use the Application Pool created in Step 1.

Now that we have the basic setup, let’s see what happens when running a “whoami” command. Create a .php file with this content:

<?php
  // Run "whoami" and print which Windows account the PHP process is using
  $Result = shell_exec('whoami');
  echo "Result: " . $Result;
?>

When opening this page in the browser, we should see the service account we set up in step 2. All good so far:

Result: itdroplets\myserviceaccount

Next, let’s disable Anonymous Authentication and enable Windows Authentication.

Here’s what you’ll see now when browsing the page from a Windows account named userA:

Result: itdroplets\userA

This is clearly not what you want when the scripts are supposed to run as the service account.

Solution

To execute commands as the service account set on the Application Pool while Windows Authentication is enabled, do as follows:

  1. Click on the web application and open Configuration Editor.
  2. In the Section drop-down (1), go to system.webServer/serverRuntime and change authenticatedUserOverride from UseAuthenticatedUser to UseWorkerProcessUser (2). Make sure you click Apply.
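The same setup (steps 1 and 2 at the top of the article, plus the authentication switch) and the serverRuntime change, scripted with the IIS WebAdministration module so it can be repeated or audited. This is an added example and not the article's own steps: the pool name, application path, physical directory and the password placeholder are assumptions; the service account name and the authenticatedUserOverride values come from the article.

```powershell
# Added example, not part of the original article. Run in an elevated
# PowerShell on the IIS host. Names marked "assumed" are placeholders.
Import-Module WebAdministration

$poolName = 'MyPhpPool'                        # assumed pool name
$siteName = 'Default Web Site'                 # from the article
$appName  = 'myapp'                            # assumed application name
$appDir   = 'C:\inetpub\wwwroot\myapp'         # assumed physical path
$svcUser  = 'itdroplets\myserviceaccount'      # from the article
$svcPass  = '<SERVICE-ACCOUNT-PASSWORD>'       # placeholder, replace before running
$location = "$siteName/$appName"               # e.g. 'Default Web Site/myapp'
$apphost  = 'MACHINE/WEBROOT/APPHOST'          # applicationHost.config

# Step 1: application pool running as a specific domain user
# (processModel identityType 3 = SpecificUser).
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $svcUser
    password     = $svcPass
}

# Step 2: web application under the site, bound to that pool.
New-Item -ItemType Directory -Path $appDir -Force | Out-Null
if (-not (Get-WebApplication -Site $siteName -Name $appName)) {
    New-WebApplication -Site $siteName -Name $appName `
        -PhysicalPath $appDir -ApplicationPool $poolName | Out-Null
}

# Disable Anonymous and enable Windows Authentication. In a stock IIS
# install these sections are locked below applicationHost.config, so the
# values are written there under a <location path="..."> entry.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true

# Solution: read the current override, set it, and read it back.
#   UseAuthenticatedUser (default) -> shell_exec() runs as the browser user
#   UseWorkerProcessUser           -> shell_exec() runs as the pool identity
function Get-AuthenticatedUserOverride {
    param([string]$Location)
    $section = Get-WebConfiguration -PSPath $apphost -Location $Location `
        -Filter 'system.webServer/serverRuntime'
    return $section.authenticatedUserOverride
}

$before = Get-AuthenticatedUserOverride -Location $location
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter 'system.webServer/serverRuntime' `
    -Name authenticatedUserOverride -Value 'UseWorkerProcessUser'
$after = Get-AuthenticatedUserOverride -Location $location

"authenticatedUserOverride for '$location': $before -> $after"
```

After this change every command the page launches runs with the pool account's rights regardless of which Windows user is authenticated, so the application itself has to decide what each caller may trigger; the authenticated user is still available to PHP in $_SERVER['AUTH_USER'] (or REMOTE_USER) and is worth logging next to any command you run on their behalf. The serverRuntime section is locked at the site level in a stock IIS install, which is why the example writes to applicationHost.config; if your server has unlocked it, the same attribute can also live in the application's web.config.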

When calling the test web page we created above, the output is now:

Result: itdroplets\myserviceaccount

So now all scripts launched with shell_exec() will run as the service account set on the Application Pool.

IT Droplets