Symptoms
A customer complains that configuring Internet Server Application Programming Interface (ISAPI) filter identification with local system privileges is not required on the NetScaler appliance. This might be because of any of the following reasons:
- It might be against the company policies
- It might be considered as a threat
- It might make the system vulnerable with local system privileges
Requirements
You must have a working setup on which ISAPI filter is installed. Additionally, the setup must be working with Application pool defined as Local System.
Resolution
To configure ISAPI filter for the configured user privileges, complete the following procedure on the computer that has the setup with ISAPI filter installed:
1. Grant permission to the IIS_WPG group on the HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application in the registry of the computer:
The IIS_WPG is a local system group. You can grant the Set Value, Create Subkey, Read, Query, Notify, Enumerate, or full control permission to this group on the registry. At the application level, you must grant full control to the IIS_WPG group. This is because the routine cleanup process might clean the NsClientIpFilter key if the Web server does not receive any traffic. After the Web server starts receiving the traffic, the ISAPI filter re-creates the key. However, if you have granted permission only at the key level, the filter fails to create the key because the permission is lost during the cleanup process. The registry displays the Access Denied message when loading the key. If you run the capture command on the registry and client IP insertion, the command fails from time when registry key failed to load.
2. Make a domain user, preferably an IIS administrator, a member of the IIS_WPG group on the local computer.
3. Set the Application Pool security account to the user added to the IIS_WPG group.
4. Restart the Application Pool and the Web site.
This enables Client IP insertion to work with the configured user as required.