Allowing NT Authority\Network Service across domains

Posted on 2009-12-17
Medium Priority
Last Modified: 2012-05-08
Goal: Have IIS Server from domain A connect to FAS2020 (which stores websites) on domain B when the website is using ASP.NET 2.0.

Summary:  I have a virtual machine of Windows 2003 Enterprise x86 R2 IIS Server on domain A that will be serving web traffic.  This IIS Server is running an ASP.NET 2.0 application with NETWORK SERVICE in the Identity properties of the AppPool.  When IIS manager home directory is setup on the local C drive, the website works just fine, but if I remove NETWORK SERVICE from the permissions I get "Server Unavailable" and the application event log shows Event IDs: 1088 and 1334, which are mainly general errors for permissions.  

My issue comes in when I use a network share as my home directory path.  I get the same error as above "Server Unavailable" and event IDs: 1088 and 1334.  So this leads me to believe that NETWORK SERVICE does not have the proper permissions.  

The network share is on a network device (NetApp FAS2020) which is on another domain (domain B).  Domain B has a one way trust established with domain A, but domain A does not have a trust with domain B.  So the FAS2020 can get the permission from domain A, except it cannot get the NETWORK SERVICE permission.

Does a trust need to be established in both directions for ASP.NET and NETWORK SERVICE to work properly?

Reference: http://msdn.microsoft.com/en-us/library/ms998320.aspx
"The account does have network credentials, which means you can use it to access network resources and remote databases by using Windows authentication. The network resources must be in the same domain as your Web server or in a trusted domain."
Question by: MUSLMan

Accepted Solution

Springy555 earned 2000 total points
ID: 26080815
The one way trust *should* work.

When the local NETWORK SERVICE account tries to access resources on the domain, it does so using its computer account (ServerName$).

What you need to do on the network share on domain b, is give permissions to the computer account for your IIS server on domain a.

So if your IIS server is called IISServer:

On domain B, add share and Security permissions to DomainA\IISServer$

As this is a computer account, when you're adding this account you need to select 'Object Types' and tick 'Computers', otherwise it will try and resolve IISServer$ as a user or group.

Author Comment

ID: 26081440
This would probably work if the devices on both domains were Windows based.

I have already set the device on domain b with permissions to the dmz\IIS server.  See attached file.  Remember the device on domain b is not a Windows based machine.  It is using CIFS as folder shares.

Expert Comment

ID: 26081598
Have you got a Windows server on domain B?  If so, see if you can access it from the IIS server on domain A using a normal domain A user account.  This will at least tell you the one way trust is working.

If it does work, then the issue will be with the NetApp device.  Perhaps it is not authenticating computer accounts correctly.

Author Comment

ID: 26081704

Thank you for the help.  From domain A, I can access the Windows domain controller on domain B (\\DC\C$), but it does prompt for a username and password from domain B.  So when I use domain A\domain admin it does not work, but when I use domain B\domain admin I have no problems accessing \\DC\C$ on domain B.  Remember the trust is one way.


Author Comment

ID: 26081790
Although I do have permissions set up to access the folder shares on the NetApp.  I wouldn't disagree that I have a NetApp issue, and I contacted them yesterday.  I did not get very far with them, but I will have to go further up the line of support.

Assisted Solution

Springy555 earned 2000 total points
ID: 26081793
Ok, so without changing your one way trusts, why not try this:

Change the Application Pool identity to run as a domain b user account.  You will need to add this account to the IIS_WPG local group, as well as give it log on as a service rights on your IIS server.

Then give that service account permissions on the netapp share.

Otherwise if you want to keep your app pool running as the IIS computer account, you will need to adjust your domain trusts so that you can access that share without being prompted for credentials.
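The steps in this answer as a batch script for IIS 6 on Windows Server 2003, added here as an example and not part of the original thread; the app pool name MyAppPool, the account DOMAINB\svc_web, the share path \\fas2020\sites and the password placeholder are assumptions, and the share-side permission for the account is still granted on the NetApp itself.

```batch
@echo off
REM Added example (not from the thread): move an IIS 6 application pool on the
REM domain A web server onto a domain B service account, as the answer suggests.
REM Assumed names: app pool MyAppPool, account DOMAINB\svc_web, share \\fas2020\sites.
REM Run from an administrative cmd prompt on the IIS server (Windows Server 2003).

set APPPOOL=MyAppPool
set SVC_USER=DOMAINB\svc_web
set SVC_PASS=<placeholder-password>
set SHARE=\\fas2020\sites
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

REM 1. Confirm the share accepts the service account before touching IIS.
REM    /netonly applies the credentials to network access only, so this check
REM    works even though domain A cannot log the domain B user on locally.
REM    (runas prompts for the password.)
runas /netonly /user:%SVC_USER% "cmd /c dir %SHARE% && pause"

REM 2. Give the account the local rights a worker process needs on this server.
net localgroup IIS_WPG "%SVC_USER%" /add
REM    ntrights.exe ships with the Windows Server 2003 Resource Kit Tools.
ntrights +r SeServiceLogonRight -u "%SVC_USER%"

REM 3. Point the pool at the account (AppPoolIdentityType 3 = specific user).
cscript //nologo %ADSUTIL% SET W3SVC/AppPools/%APPPOOL%/AppPoolIdentityType 3
cscript //nologo %ADSUTIL% SET W3SVC/AppPools/%APPPOOL%/WAMUserName "%SVC_USER%"
cscript //nologo %ADSUTIL% SET W3SVC/AppPools/%APPPOOL%/WAMUserPass "%SVC_PASS%"

REM 4. Recycle the pool so the new identity takes effect, then read back the setting.
cscript //nologo %SystemDrive%\Inetpub\AdminScripts\iisapp.vbs /a %APPPOOL% /r
cscript //nologo %ADSUTIL% GET W3SVC/AppPools/%APPPOOL%/WAMUserName
```

If step 1 fails with an access-denied or logon error, the problem is the account or the NetApp share permissions, not the app pool, so fix that side first.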


Author Comment

ID: 26081997

Thank you for your help!  It works!  This has been a few days of pain.

Thank you again!

Author Closing Comment

ID: 31667661
Great Job!  Thank you for your help.
