How to check and modify the application pool identity

The SquaredUp web application runs using an ASP.NET application pool process. This process can be configured to run as a specific user, which is called the application pool identity.

When connecting to SCOM, SquaredUp normally uses the end user's identity instead of the application pool identity, but the application pool identity is used for the following important tasks:

• Accessing local files (e.g. log file, configuration files) on the web server
• Connecting to the SCOM Data Warehouse
• Connecting to SCOM to render Open Access dashboards
• Connecting to other SQL and WebAPI data sources
• Performing Kerberos authentication and delegation when Windows authentication is enabled

By default, the application pool is configured to use the NetworkService identity, which appears as the Active Directory computer account when accessing network resources.

You may want to change the application pool identity to an Active Directory user account created specifically for SquaredUp, for example when using Kerberos delegation. This is called a domain service account.

If you change the application pool identity after installation, you must follow the instructions below.

You can specify a different application pool identity for a new installation using the modify option on the Ready to Deploy page of a new SquaredUp installation. This sets up the correct file permissions automatically.

Viewing the application pool identity

1. Confirm the name of the SquaredUp application pool

1. In IIS expand Default Web Site and right-click on the SquaredUp website.
2. Go to Manage Application > Advanced Settings.
3. Check that the Application Pool is SquaredUpv4.

2. View the application pool identity

You can check the application pool identity by using IIS:

1. In IIS, click on Application Pools.
2. Right-click on SquaredUpv4 and select Advanced Settings.
3. Under Process Model, you will see Identity. By default this is set to NetworkService, but if you wish to change the application pool identity you can change it here.

The SquaredUp application pool identity you see here is often referred to as the SquaredUpAccount in SquaredUp articles.

Modifying the application pool identity

1. Enter the account credentials

Follow the steps above to check and modify the account used by the application pool.

2. Configure file permissions on the SquaredUp server

The account you are logging into SquaredUp with has no effect on disk read/write permissions. What is important is the identity (user account) of the IIS application pool used by SquaredUp.

1. Open a command prompt as an administrator (from Start > Run type command prompt, right-click on the Command Prompt icon and click Run as administrator).

2. Type:

   cd C:\inetpub\wwwroot\SquaredUpv4

3. Type:

   squaredup4 permissions --user="DOMAIN\USER"

   Where DOMAIN is your domain and USER is the SquaredUp application pool identity.

   For example, if the application pool identity has been changed to a user called svc-squaredup in the domain sales you would type:

   squaredup4 permissions --user="sales\svc-squaredup"

   If your SquaredUp application pool identity is NetworkService and you need to re-apply the correct permissions for NetworkService then type:

   squaredup4 permissions --user="networkservice"

4. If you have configured high availability, then you will need to give the application pool the correct permissions to your HA share, for example:

   squaredup4 permissions --destination="<Your shared folder here>" --user="DOMAIN\USER"

   Where <Your shared folder here> should be replaced by a drive or path specification for your network share, DOMAIN is your domain and USER is the SquaredUp application pool identity.

   For example:

   squaredup4 permissions --destination="\\myhost\folder" --user="sales\svc-squaredup"

   If your SquaredUp application pool identity is NetworkService you should run the following command for each of the Primary and Secondary server(s):

   squaredup4 permissions --destination="\\myhost\folder" --user="DOMAIN\SquaredUpServer$"

   For example:

   squaredup4 permissions --destination="\\myhost\folder" --user="DOMAIN\squp01$"

   Where DOMAIN is your domain and SquaredUpServer$ is Primary server name where SquaredUp is installed, with a $ on the end.

   Repeat the above command for the Secondary SquaredUp web server(s), changing the SquaredUpServer$ for each SquaredUp server name.

   For example:

   squaredup4 permissions --destination="\\myhost\folder" --user="DOMAIN\squp02$"

3. Configure the Data Warehouse permissions

If the SquaredUp application pool identity has been changed you will need to give the new account access to the Data Warehouse.

1. On the SquaredUp server log in to SquaredUp as a SCOM admin user, who is also a SQL sysadmin for the Data Warehouse database.

2. Browse to http://localhost/SquaredUpv4/setup?stage=datawarehouse

   This grants the application pool identity permission to access the Data Warehouse database.

   When using Windows authentication this step must be carried out on the SquaredUp server.

   If the user you are logged in as does not have SQL sysadmin permissions then you may need to Configure the Data Warehouse permissions manually

3. Check that graphs are shown in SquaredUp, for example on a server page. You may need to wait a few moments and refresh the page.

4. Configure the Open Access permissions

If the application pool identity has been changed you will need to give the new account read-only permissions in SCOM to allow Open Access to work. If you completed the section above for the Data Warehouse, you may already have clicked next in the set up wizard to configure this.

1. On the SquaredUp server log in to SquaredUp as a SCOM admin user, who is also a SQL sysadmin for the Data Warehouse database.

2. Browse to http://localhost/SquaredUpv4/setup?stage=openaccess

   This gives the application pool account read-only permissions in SCOM.

   When using Windows authentication this step must be carried out on the SquaredUp server.

   If the setup wizard is unable to configure Open Access, then you can manually config Open Access

3. Check that you can make a page available as Open Access and view it, see How to publish dashboards with Open Access for more information.

5. Configure any other required SQL or Web API data sources

If you are using SQL Tiles or WebAPI Tiles on your dashboards, and these connections require Windows Authentication, remember to update the SQL or WebAPI data sources to provide the new application pool identity with the required permissions.

How to configure access to a database for use with the SQL tile

6. Update any SPNs or Kerberos constrained delegation settings

If you have previously enabled Windows authentication with Kerberos constrained delegation then you will need to update your SPNs and Kerberos delegation settings to use the new account. Review the appropriate articles on Configuring Windows authentication, checking for use of the application pool identity.