IIS Web.Config Password Reset

The web.config file is an XML-based configuration file used by web applications running on the ASP.NET framework hosted in Microsoft Internet Information Services (IIS). It defines key application settings, such as authentication, security configurations, and connection strings, that store the credentials required for web applications to access backend resources like databases and enterprise systems.

In many environments, organizations configure dedicated Windows domain accounts within the web.config file to provide continuous, authenticated access to these backend data sources. However, when the password of a domain account referenced in the web.config file is rotated, the stored credentials become invalid. As a result, the web application fails to authenticate, leading to connection errors, service disruptions, and potential application downtime.

PAM360 offers a reliable mechanism to ensure uninterrupted application availability during domain account password changes. Whenever a domain account password is reset, PAM360 automatically updates all web.config files that use that account with the new password, ensuring that dependent web applications continue to operate without interruption and eliminating the need to manually update configuration files across multiple servers.

This help document covers the following topics in detail:

  1. Prerequisites
  2. Workflow
  3. Configuring IIS Web.Config Password Reset
  4. Viewing Password Reset Status

1. Prerequisites

Ensure the following prerequisites are met on the target Windows servers where the web applications are running:

  1. Microsoft .NET Framework 4.5.2 or above
  2. Microsoft Visual C++ 2015 Redistributable
  3. REMCOM.exe - To remotely execute commands on the target server.

These components are required for PAM360 to establish secure connections with the target servers and successfully update the IIS web.config files when the associated domain account passwords are reset.

2. Workflow

When a password reset operation is initiated for a domain account used in the IIS web.config files, PAM360 identifies all web applications that reference this account in their web.config files across the relevant member servers, establishes secure connections with these servers, and updates the stored credentials in the configuration file with the new password.

To ensure this process runs seamlessly, you should add the member servers where the web applications are hosted to a resource group and associate the resource group with the domain account. This allows PAM360 to automatically update the stored credentials in the web.config files whenever the domain account password is reset.
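To make the workflow concrete, the following added example (written for this page, not PAM360's own code) performs the two steps the paragraphs above describe on a single web.config: list every place a given domain account's credentials are stored, then rewrite the stored password after a rotation. It assumes the account appears either in a connectionStrings entry as a "User ID"/"uid"/"user" key paired with a "Password"/"pwd" key, or in a system.web identity element; the web.config content, server names and account names are constructed for the demonstration.

```python
"""Locate and update a domain account's stored password in an IIS web.config.

Added example, not PAM360 code. Assumptions: the account is referenced either in
<connectionStrings> as a "User ID"/"uid"/"user" key with a "Password"/"pwd" key
in the same connection string, or in <system.web><identity userName= password=>.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.config for the demonstration (no real server or account).
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="CrmDb" providerName="System.Data.SqlClient"
         connectionString="Server=sql01;Database=Crm;User ID=CORP\\svc_web;Password=OldP@ss1;" />
    <add name="AuditDb" providerName="System.Data.SqlClient"
         connectionString="Server=sql02;Database=Audit;Integrated Security=True;" />
    <add name="HrDb" providerName="System.Data.SqlClient"
         connectionString="Server=sql03;Database=Hr;uid=CORP\\svc_hr;pwd=Other1;" />
  </connectionStrings>
  <system.web>
    <identity impersonate="true" userName="CORP\\svc_web" password="OldP@ss1" />
  </system.web>
</configuration>
"""

# Connection-string keys that carry the user name and the password (case-insensitive).
USER_KEYS = {"user id", "uid", "user", "username"}
PASSWORD_KEYS = {"password", "pwd"}


def _parse_conn_string(value):
    """Split 'k1=v1;k2=v2;' into an ordered list of (key, value) pairs."""
    pairs = []
    for part in value.split(";"):
        if "=" not in part:
            continue  # empty trailing segment after the final ';'
        key, _, val = part.partition("=")
        pairs.append((key.strip(), val.strip()))
    return pairs


def _build_conn_string(pairs):
    """Rebuild the connection string, keeping the original key order."""
    return ";".join(f"{k}={v}" for k, v in pairs) + ";"


def _uses_account(pairs, wanted):
    """True if any user-name key in the connection string names the account."""
    return any(k.casefold() in USER_KEYS and v.casefold() == wanted for k, v in pairs)


def find_account_references(xml_text, account):
    """Return (kind, name) tuples for every credential store that references `account`."""
    root = ET.fromstring(xml_text)
    wanted = account.casefold()  # account matching is case-insensitive, like Windows
    refs = []
    for add in root.iter("add"):
        cs = add.get("connectionString")
        if cs is not None and _uses_account(_parse_conn_string(cs), wanted):
            refs.append(("connectionString", add.get("name")))
    for ident in root.iter("identity"):
        if (ident.get("userName") or "").casefold() == wanted:
            refs.append(("identity", ident.get("userName")))
    return refs


def rotate_password(xml_text, account, new_password):
    """Rewrite every stored password for `account`; return (new_xml, updated_count)."""
    root = ET.fromstring(xml_text)
    wanted = account.casefold()
    updated = 0
    for add in root.iter("add"):
        cs = add.get("connectionString")
        if cs is None:
            continue
        pairs = _parse_conn_string(cs)
        if not _uses_account(pairs, wanted):
            continue  # a different account, or integrated security: leave untouched
        new_pairs = [(k, new_password if k.casefold() in PASSWORD_KEYS else v)
                     for k, v in pairs]
        if new_pairs != pairs:  # only count entries that actually carried a password
            add.set("connectionString", _build_conn_string(new_pairs))
            updated += 1
    for ident in root.iter("identity"):
        if (ident.get("userName") or "").casefold() == wanted and ident.get("password") is not None:
            ident.set("password", new_password)
            updated += 1
    return ET.tostring(root, encoding="unicode"), updated


if __name__ == "__main__":
    print(find_account_references(SAMPLE_WEB_CONFIG, "CORP\\svc_web"))
    new_xml, count = rotate_password(SAMPLE_WEB_CONFIG, "CORP\\svc_web", "NewP@ss2")
    print(count, "credential store(s) updated")
```

Two limitations worth knowing before using this pattern on real files: the simple splitter does not understand quoted connection-string values (a password containing ';' or '=' must be quoted, which this parser would mangle), and ElementTree drops the XML declaration and comments on re-serialisation, so a production tool should write through an XML API that preserves them. The reference list returned by find_account_references is the same information the Password Reset Status view in this document presents per application: which web.config entries depend on the account and therefore must be updated at each rotation.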

Before you proceed with associating the resource groups containing the member servers where the web applications are running with the domain account, ensure that the following configurations are already in place:

  1. The domain controller is added as a Windows Domain resource in PAM360. If not, add the domain controller as a resource by following the steps provided in this link.
  2. Add the domain admin account credentials used by the web applications configured in the web.config files to the Windows Domain resource. Explore this link for detailed steps to add accounts to a resource.
  3. All the member servers where the web applications are running are added as resources in PAM360.
  4. Remote login credential is configured for the Windows Domain resource. Explore this link for detailed steps to configure remote password reset for a Windows Domain resource.
  5. All the member servers are added to a static resource group. Explore this link to add the resources to a static group.

3. Configuring IIS Web.Config Password Reset

Follow these steps to associate the resource groups containing the member servers where the IIS web applications are running with the domain account to automatically update the stored credentials in the web.config files when the domain account password is reset:

  1. Navigate to the Resources tab and click on the Windows Domain resource.
  2. In the Account Details window that appears, click the Account Actions icon beside the domain account under whose identity the web applications are running, and select Edit Account from the displayed options.
  3. In the Edit Account window that appears, under Associate resource group for this service account, click on the resource groups containing the member servers where the web applications are running, and click the right arrow button.
  4. Enable the checkbox under the Reset column beside IIS web.config to automatically update the passwords on the web.config files when the domain account password is reset.
    (Screenshot: iis-webconfig1)
  5. Click Save to save the configured changes.

4. Viewing Password Reset Status

For any Windows Domain account, you can view a list of all web applications that reference its credentials in their web.config files, along with the status of password updates performed during domain account password resets.

  1. Navigate to the Resources tab and click on the Windows Domain resource.
  2. In the Account Details window that appears, tick the checkbox beside the domain account associated with the web applications that reference its credentials in their web.config files, and click the IIS web.config button in the top pane.
  3. In the window that appears, you will see the selected resource and account names. Switch to the Password Reset Status tab, which lists the web applications running with the selected domain account credentials along with, for each application, its name, the resource on which it is running, the web.config path, the update status, and the timestamp.
    (Screenshot: iis-webconfig2)

Additional Detail

If you have created schedules for rotating the domain account passwords, the credential update in the web.config files will also follow the Windows Domain account password reset schedule.
