Allowing NT Authority\Network Service across domains

Posted on 2009-12-17
Last Modified: 2012-05-08
Goal: Have IIS Server from domain A connect to FAS2020 (which stores websites) on domain B when website is using ASP.NET 2.0.

Summary:  I have a virtual machine of Windows 2003 Enterprise x86 R2 IIS Server on domain A that will be serving web traffic.  This IIS Server is running an ASP.NET 2.0 application with NETWORK SERVICE in the Identity properties of the AppPool.  When IIS manager home directory is set up on the local C drive, the website works just fine, but if I remove NETWORK SERVICE from the permissions I get "Server Unavailable" and the application event log shows Event IDs: 1088 and 1334, which are mainly general errors for permissions.  

My issue comes in when I use a network share as my home directory path.  I get the same error as above "Server Unavailable" and event IDs: 1088 and 1334.  So this leads me to believe that NETWORK SERVICE does not have the proper permissions.  

The network share is on a network device (NetApp FAS2020) which is on another domain (domain B).  Domain B has a one way trust established with domain A, but domain A does not have a trust with domain B.  So the FAS2020 can get the permission from domain A, except it cannot get the NETWORK SERVICE permission.

Does a trust need to be established in both directions for ASP.NET and NETWORK SERVICE to work properly?

"The account does have network credentials, which means you can use it to access network resources and remote databases by using Windows authentication. The network resources must be in the same domain as your Web server or in a trusted domain."
Question by:MUSLMan

    Accepted Solution

    The one way trust *should* work.

    When the local NETWORK SERVICE account tries to access resources on the domain, it does so using its computer account (ServerName$).

    What you need to do on the network share on domain b, is give permissions to the computer account for your IIS server on domain a.

    So if your IIS server is called IISServer:

    On domain B, add share and Security permissions to DomainA\IISServer$

    As this is a computer account, when you're adding this account you need to select 'Object Types' and tick 'Computers', otherwise it will try to resolve IISServer$ as a user or group.

    Author Comment

    This would probably work if the devices on both domains were Windows based.

    I have already set the device on domain b with permissions to the dmz\IIS server.  See attached file.  Remember the device on domain b is not a Windows based machine.  It is using CIFS as folder shares.

    Expert Comment

    Have you got a Windows server on domain b?  If so, see if you can access it from IIS server on domain a using a normal domain a user account.  This will at least tell you the one way trust is working.

    If it does work, then the issue will be with the NetApp device.  Perhaps it is not authenticating computer accounts correctly.

    Author Comment


    Thank you for help.  From domain A, I can access the Windows domain controller on domain B (\\DC\C$), but it does prompt for username and password from the domain B.  So when I use domain A\domain admin it does not work, but when I use domain B\domain admin I have no problems accessing \\DC\C$ on domain B.  Remember the trust is one way.


    Author Comment

    Although I do have permissions set up to access the folder shares on the NetApp, I wouldn't disagree that I have a NetApp issue, and I contacted them yesterday.  I did not get very far with them, but I will have to go further up the line of support.

    Assisted Solution

    Ok, so without changing your one way trusts, why not try this:

    Change the Application Pool identity to run as a domain b user account.  You will need to add this account to the IIS_WPG local group, as well as give it log on as a service rights on your IIS server.

    Then give that service account permissions on the NetApp share.

    Otherwise if you want to keep your app pool running as the IIS computer account, you will need to adjust your domain trusts so that you can access that share without being prompted for credentials.
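
The steps in the answer above, written out as a command script for IIS 6 on Windows Server 2003. This is an added example, not part of the original thread; the account `DOMAINB\svc_web`, the pool name `MyAppPool` and the share path `\\fas2020\websites` are hypothetical placeholders, and `ntrights.exe` is assumed to be installed from the Windows Server 2003 Resource Kit Tools.

```batch
@echo off
rem Added example, not from the thread. SVC, POOL and SHARE are hypothetical placeholders.
setlocal
set SVC=DOMAINB\svc_web
set POOL=MyAppPool
set SHARE=\\fas2020\websites
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem Prompt for the password so it is not stored in the script.
rem Note: set /p echoes the input to the console.
set /p SVCPASS=Password for %SVC%: 

rem 1. Add the domain B account to the local IIS_WPG group on the IIS server.
net localgroup IIS_WPG "%SVC%" /add

rem 2. Grant "Log on as a service" to the account (Resource Kit tool).
ntrights +r SeServiceLogonRight -u "%SVC%"

rem 3. Set the application pool identity. AppPoolIdentityType 3 = specific user
rem    (2 is the NETWORK SERVICE default the question started with).
cscript //nologo "%ADSUTIL%" set W3SVC/AppPools/%POOL%/WamUserName "%SVC%"
cscript //nologo "%ADSUTIL%" set W3SVC/AppPools/%POOL%/WamUserPass "%SVCPASS%"
cscript //nologo "%ADSUTIL%" set W3SVC/AppPools/%POOL%/AppPoolIdentityType 3

rem 4. Recycle the pool so the worker process restarts under the new identity.
cscript //nologo "%SystemRoot%\system32\iisapp.vbs" /a "%POOL%" /r

rem 5. Confirm the account can list the share without a credential prompt.
rem    Share and folder permissions for the account are granted on the filer itself;
rem    give it only the access the site needs on the web content folders.
runas /user:%SVC% "cmd /k dir %SHARE%"

endlocal
```

If step 5 prompts for credentials or returns "Access is denied", the remaining problem is on the share side rather than in the IIS configuration.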


    Author Comment


    Thank you for your help!  It works!  This has been a few days of pain.

    Thank you again!

    Author Closing Comment

    Great Job!  Thank you for your help.
