IIS 7 Delegate Remote Application Pool Recycling for Non Administrator
A question raised somewhat frequently from customers asks if there is a way to allow users to remotely recycle an application pool but without giving this user administration privileges on the IIS machine. Unfortunately, an application pool recycle does need to be run as an administrator, however by using msdeploy we can set the recycleApp provider to be delegated and run under elevated admin privileges. Then by using either a local standard user account or an IIS Manager account, we can call the recycleApp provider from a remote machine and with the elevated recycleApp provider, remotely recycle the app pools for which the user is granted permissions in IIS. This can be achieved with the following steps.
1) Install or verify IIS management service role is active.
2) Install current version of Web Deploy on server and remote machine which can be found at https://www.iis.net/download/WebDeploy
3) Within IIS from the server node, select management service. Ensure ‘enable remote connections’ is selected and start the Management Service (WMSVC) if it is currently stopped.
4) Again in the server node, select Management Service Delegation and then select the recycleApp provider. I have setup an administrator account on the IIS machine called Recycler which will handle the elevated permissions required to recycle an application pool.
5) Once again at the server node, select ‘IIS Manager Users’ and add Users as required. In this example, I have added IISUser1. Now at the site level which you wish to allow being remotely recycled, select ‘IIS Manager Permissions’ and ‘allow user’ from the actions pane.
6) Lastly, we can now run the msdeploy command from the remote machine to test.
msdeploy.exe -verb:sync -source:recycleApp -dest:recycleApp="Default Web Site",wmsvc=remote-computer,userName=IISManagerUserName,Password=IISManagerUserPassword,recycleMode="RecyleAppPool" –allowUntrusted
Specific to our example we would run the following:
Note: The –allowUntrusted flag should be used if there is not a valid certificate on the remote machine. This will bypass any certificate errors.
More information on the Web Deploy recycleApp provider can be found here:
As an aside, in some situations it has been noted that with everything configured correctly you may get the following error when running the command.
I had a customer experience this error and through testing was able to reproduce this under the following scenarios. If msdeploy package is installed without the IIS Management Service Role being installed, or, if Management Service Role is removed and reinstalled with msdeploy active on the server, the required handle is not found. To resolve this, msdeploy was reinstalled and the issue was resolved.
Matthew from APGC DSI Team