Feature request: Don't use identity impresonate in .config

ajj3085 · Post by **ajj3085** » Fri Feb 22, 2008 7:30 am

HI,

I was wondering if you could do this. My fortress install runs as a domain user. Currently, Fotress puts <identity impersonate="true" userName="user" password="password" /> in the web.config file to do this. I've never been crazy about this.

Is there any reason Fortress couldn't use <identity impersonate="false" /> and set the VaultAppPool to run as the specified user account, if the IIS version is 6 or greater? The result is the same, except you don't have a domain account password sitting in the web.config file.

Thanks
Andy

Post by **jeremy_sg** » Fri Feb 22, 2008 8:45 am

The only real reason I can give for this is that we were supporting impersonation before we ever started having the installer mess with app pools (indeed, before app pools even existed). In general, I feel like changing IIS settings is something of a last resort, since it seems that every new version of IIS changes the "right" thing to do pretty drastically.

ajj3085 · Post by **ajj3085** » Fri Feb 22, 2008 8:54 am

Hi,

Yes, I understand this, but since the install does create an AppPool, it seems like it should go all the way, especially since one of the advantages of having application pools is the ability to run each IIS app under its own credentials, and thus no need to store a password in the web.config file.

I don't think you should drop support for identity impersonate, especially since people may be running on IIS 5 or 5.1, just seems natural to configure things "properly" according to the installation environment. Just like you wouldn't hard code the path to a user's Documents folder.

Maybe ask the user during setup which option they'd prefer, if app pools are available?