Starting LLAWP process under different user identities.


Article ID: 40179


Updated On:

Products

- CA Single Sign On Secure Proxy Server (SiteMinder)
- AXIOMATICS POLICY SERVER
- CA Single Sign On SOA Security Manager (SiteMinder)
- CA Single Sign-On

Issue/Introduction

Introduction: 

In some cases the LLAWP process needs to be started under a different user identity. This article discusses whether the LLAWP process can be started as any of the following users, and how:

 

- "ApplicationPoolIdentity" (Default) 

- Network Service 

- LocalSystem 

- LocalService 

- Custom Account 

 

Question: 

Can the LLAWP process be started as Network Service instead of DefaultAdminPool?

 

Environment:  

Policy server Version: 12.52 sp1 cr4

Policy server OS: Windows 2008 r2

Webagent version: 12.52 sp1 cr4

Webagent OS: Windows 2008 r2

 

Answer: 

The LLAWP process is a child process of the w3wp process (IIS). The identity used to start the w3wp process is used to start the LLAWP process. The Identity which starts the w3wp process is dictated by the Application Pool assigned to the Web Site in IIS.

 

 The LLAWP process can be run as the following users:

 

- "ApplicationPoolIdentity" (Default)

- Network Service

- LocalSystem

- LocalService

- Custom Account

Follow these steps:

 

1) Change the Identity of the AppPool in IIS to the user you want the LLAWP process to run as.

2) Grant that user Read & Execute, Read, and Write permissions on the following directories:

<C:\Program Files\CA\webagent\win64\bin\IIS> 

<C:\Program Files\CA\webagent\win64\config> 

<C:\Program Files\CA\webagent\win64\log> 

<C:\Program Files\CA\webagent\win32\bin\IIS> 

<C:\Program Files\CA\webagent\win32\config> 

<C:\Program Files\CA\webagent\win32\log> 
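
The two steps above as a PowerShell script, shown for the Network Service identity and ending with a read-back of the identity and ACL entries so the change can be reviewed. This is an added example, not CA's own tooling; the pool name `SiteMinderPool` is hypothetical, and it assumes an elevated session on the IIS host with the WebAdministration module available.

```powershell
# Added example: apply steps 1 and 2 for the Network Service identity.
# Assumption: 'SiteMinderPool' is a hypothetical pool name; substitute the pool
# assigned to the web site that loads the Web Agent.
Import-Module WebAdministration

$PoolName = 'SiteMinderPool'                 # hypothetical application pool name
$Identity = 'NetworkService'                 # IIS processModel.identityType value
$Account  = 'NT AUTHORITY\NETWORK SERVICE'   # Windows account matching $Identity

# Step 1: set the application pool identity. w3wp starts under this identity,
# and LLAWP, as its child process, inherits it.
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.identityType -Value $Identity

# Step 2: build the six directory paths listed in the article.
$Root = 'C:\Program Files\CA\webagent'
$Dirs = foreach ($arch in 'win64', 'win32') {
    foreach ($sub in 'bin\IIS', 'config', 'log') { Join-Path $Root "$arch\$sub" }
}

# Read & Execute (which includes Read) plus Write, inherited by files and subfolders.
$Rights  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, $Rights, $Inherit, 'None', 'Allow')

foreach ($dir in $Dirs) {
    # A host may have only one of the win64/win32 trees installed.
    if (-not (Test-Path $dir)) { Write-Warning "Skipping missing directory: $dir"; continue }

    $acl = Get-Acl $dir
    $acl.AddAccessRule($Rule)
    Set-Acl -Path $dir -AclObject $acl

    # Read the ACL back and list the entries that now apply to the account.
    (Get-Acl $dir).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{n='Path';e={$dir}}, IdentityReference, FileSystemRights, IsInherited
}

# Confirm the identity the pool is now configured with.
Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.identityType
```

For the default "ApplicationPoolIdentity", the account to grant is the pool's virtual account, `IIS AppPool\<pool name>`.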

Environment

Release:
Component: SMIIS