In this article, I want to go through a little issue I had when running shell_exec() in PHP under IIS with Windows Authentication turned on.
I was seeing that the user browsing the web page was the one executing the scripts (shell_exec()) instead of the service account I had set on the application pool. I noticed because I was getting a lot of access denied errors back in the results of shell_exec() in PHP.
I'm going to first show you how this test web app is set up, to replicate the scenario, and then I'll show you a simple config change that lets your scripts run as the App Pool account as well. If you're only interested in how to run scripts as a service account while Windows Authentication is turned on, scroll down to "Solution".
- I have created an Application Pool in IIS:
- In the Advanced Settings, I've set the pool to run as a domain user (e.g. itdroplets\myserviceaccount).
- I then created a simple web application under the Default Web Site.
- As you can see, I set it to use the Application Pool created in step 1.
Now that we have the basic setup, let's see what happens when running a "whoami" command. Create a .php file with this content:

```php
<?php
// Run "whoami" and print which Windows account actually executes the command
$Result = shell_exec('whoami');
echo "Result: " . $Result;
```
When loading this page in the browser, we should see the service account we set up in step 2. All good so far:
Next, let’s disable Anonymous Authentication and enable Windows Authentication.
Here's what you'll see now when browsing the page as a Windows account named userA:
This is clearly not good when you want to run scripts as the service account. It happens because, with Windows Authentication enabled, IIS impersonates the authenticated user for the duration of the request by default, so a process spawned by shell_exec() inherits that user's token rather than the application pool identity.
Solution
In order to execute a command as the service account set in the Application Pool while Windows Authentication is enabled, do as follows:
- Click on the web application and open Configuration Editor.
- In Section (1), go to system.webServer/serverRuntime and change authenticatedUserOverride from UseAuthenticatedUser to UseWorkerProcessUser (2). Make sure you click Apply.
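The same change can be scripted instead of clicked through Configuration Editor. This is an added example, not code from the original article; it assumes the WebAdministration module is present and that the test application lives at "Default Web Site/phptest" (a placeholder name, adjust it to your own).

```powershell
# Added example (not from the original article): set serverRuntime/authenticatedUserOverride
# for one application from PowerShell and verify the change took effect.
# Assumptions: WebAdministration module available; the app path below is a placeholder.
Import-Module WebAdministration

$location = 'Default Web Site/phptest'          # assumed application path
$filter   = 'system.webServer/serverRuntime'
$apphost  = 'MACHINE/WEBROOT/APPHOST'

# Read the current value (defaults to UseAuthenticatedUser, i.e. impersonation on).
$before = (Get-WebConfiguration -PSPath $apphost -Location $location -Filter $filter).authenticatedUserOverride
Write-Host "Before: $before"

# serverRuntime is locked against web.config overrides by default, so the setting is
# written into applicationHost.config under a <location> for this application, which is
# what Configuration Editor does when you select the app and click Apply.
Set-WebConfigurationProperty -PSPath $apphost -Location $location -Filter $filter `
    -Name 'authenticatedUserOverride' -Value 'UseWorkerProcessUser'

# Confirm the change; fail loudly if it did not stick (e.g. insufficient rights).
$after = (Get-WebConfiguration -PSPath $apphost -Location $location -Filter $filter).authenticatedUserOverride
if ("$after" -ne 'UseWorkerProcessUser') {
    throw "authenticatedUserOverride is still '$after'; the change did not apply."
}
Write-Host "After:  $after"
```

Scope the -Location to the one application that needs it rather than the whole server, so other sites keep per-user impersonation.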
When calling the test web page we created above, the output will be:
So now, all commands launched with shell_exec() will run as the service account set on the Application Pool. Note that this setting turns off impersonation for the whole application, not just for shell_exec(): any file or resource access PHP performs during the request now happens with the pool identity, so per-user authorization has to be enforced in the application itself.