How to check and modify the application pool identity
The Dashboard Server web application runs using an ASP.NET application pool process. This process can be configured to run as a specific user, which is called the application pool identity.
Dashboard Server uses the end user's identity when showing data from Azure Monitor, but the application pool identity is used for the following important tasks:
- Accessing local files (e.g. log file, configuration files) on the web server
- Connecting to other SQL and Web API data sources
- Running PowerShell scripts (unless configured otherwise)
By default, the application pool is configured to use the NetworkService identity, which appears as the computer account when accessing network resources.
If you have deployed Dashboard Server within an Active Directory domain, you may want to change the application pool identity to an Active Directory user account created specifically for Dashboard Server. This is called a domain service account.
If you change the application pool identity after installation, you must follow the instructions below.
You can specify a different application pool identity for a new installation using the modify option on the Ready to Deploy page of a new Dashboard Server installation. This sets up the correct file permissions automatically.
Viewing the application pool identity
Confirm the name of the Dashboard Server application pool.
In IIS expand Default Web Site and right-click on the Dashboard Server website.
Go to Manage Application > Advanced Settings.
Check the name of the Application Pool, which by default is
SquaredUpv5
or .SquaredUpv4
depending on your version of Dashboard Server
View the application pool identity.
In IIS, click on Application Pools.
Right-click on your Dashboard Server application pool, for example SquaredUpv5 and select Advanced Settings.
Under Process Model, you will see Identity. By default this is set to NetworkService, but if you wish to change the application pool identity you can change it here.
Modifying the application pool identity
Enter the credentials for the new app pool identity.
How to change the app pool identityIn IIS, click on Application Pools.
Right-click on your Dashboard Server application pool, for example SquaredUpv5 and select Advanced Settings.
Under Process Model, you will see Identity. By default this is set to NetworkService, but if you wish to change the application pool identity you can change it here.
Configure file permissions on the SquaredUp server.
The account you are logging into Dashboard Server with has no effect on disk read/write permissions. What is important is the identity (user account) of the IIS application pool used by Dashboard Server.
On Dashboard Server v5.1 and above it is not necessary to reconfigure the file permissions on the SquaredUp server after changing the application pool identity.
Continue to the next section below. How to configure file permissions on the SquaredUp server- Open a command prompt as an administrator (from Start > Run type
command prompt
, right-click on the Command Prompt icon and click Run as administrator). Access your Dashboard Server folder, for example:
Where to find the Dashboard Server folderName of the Dashboard Server folder
The name of the Dashboard Server folder is
SquaredUpv
followed by theproduct version number
.Location of the Dashboard Server folder
If you deployed Dashboard Server via the Azure Marketplace :The default location for the Dashboard Server folder is
F:\
.SquaredUpv[Version Number]
For example, for Dashboard Server Azure Edition v5 the default location isF:\SquaredUpv5
and for v4 .F:\SquaredUpv4
If you installed Dashboard Server using the installer:
The default location for the Dashboard Server folder is
C:\inetpub\wwwroot\SquaredUpv[Version Number]
, but a custom location may have been chosen during the installation.
For example, for Dashboard Server v5 the default folder location isC:\inetpub\wwwroot\SquaredUpv5
and for v4 C:\inetpub\wwwroot\SquaredUpv4
Type:
squaredup5 permissions --user="DOMAIN\USER"
For Dashboard Server v4 use:
squaredup4 permissions --user="DOMAIN\USER"
Where
DOMAIN
is your domain andUSER
is the Dashboard Server application pool identity.For example, if the application pool identity has been changed to a user called svc-squaredup in the domain sales you would type
squaredup5 permissions --user="sales\svc-squaredup"
If your Dashboard Server application pool identity is NetworkService and you need to re-apply the correct permissions for NetworkService then type:
squaredup5 permissions --user="networkservice"
- Open a command prompt as an administrator (from Start > Run type
For PowerShell Run As accounts: Add the app pool identity to the necessary policies.
If you don't use the default NetworkService as your application pool identity, you might see the following error message when using Run As accounts: A required privilege is not held by the client.
In this case you need to add the application pool identity to the following policies:
Adjust memory quotas for a process
Replace a process-level token (you need to reboot the server for this policy to take effect)
Configure any other Windows authentication data sources.
If you have tiles that use queries or scripts to access data sources that are using Windows authentication, you need to make sure that the new Dashboard Server app pool identity has the required permissions to run the queries or scripts. This can apply to SQL, Web API, or PowerShell tiles.
For SQL tiles:
To be able to query databases, such as the Operations Manager database, the Dashboard Server application pool identity needs to be given the db_datareader role in SQL Server Management Studio for the database you wish to query. See How to configure access to a database for use with the SQL tile
For Web API tiles:
If you are querying an API that is using Windows authentication, you have to give the new app pool identity permission to access the API. How this is done depends on how you manage the API.
For PowerShell tiles:
This only applies if you are running your scripts as Dashboard Server app pool, which is not recommended (see How to use the PowerShell tile). If you are using the Dashboard Server app pool and the service you are accessing with your script uses Windows authentication, you need to give the new app pool identity permissions for the external service. How this is done depends on how you manage the service you are accessing.