How To Run IIS 7 App Pool As Built-In Admin? - iis-7

I am trying to give access to an App Pool to create some files in the website directory (inside inetpub) and I it keeps denying me access because it says the user doesn't have admin rights. I ran the AppPool as LocalSystem and it still failed. Doesn't LocalSystem have full control over folders? I ran it as AppPoolIdentity and gave the proper rights to those folders, and it doesn't work. The only way I can get it to work is by giving it a custom admin account... but that saves the username/pass in the web.config and that password expires every 90 days. We cannot have websites fail every 90 days.
Is there an easy way where I can run the AppPool as built-in admin without giving some custom account?

Only 18 months late. Nevertheless, I think the problem is that your website runs with anonymous connections right? Anonymous users connecting to your website will not run as admin. This is configurable.
The following is applicable to IIS7 (I think it'll also be applicable to IIS6, though I have no access to that version; almost certainly not applicable to IIS5 and earlier).
So anyway, to change this setting in the IIS Manager, go to:
Sites > [Your Website]
In "Features" view under the IIS subsection
Authentication [Open Feature] > Anonymous Authentication [right-mouse "Edit..."] > Select: Application Pool Identity [OK]
This allows anonymous connections to work under an admin privileges on the OS level, giving you access to files and a whole lot more besides.
Either that, or I've not quite understood your problem.

Related

What are the IIS 8 required NTFS Permissions?

This questions has been asked, A LOT, but I've yet to figure out a proper solution. I've got a Windows Server 2012 server with of course IIS 8. I'm setting up a very, very, simple website on it with an HTML file that has Hello World in it. On the folder for the website I have the following permissions set up:
SYSTEM (local account, Full Access)
Administrators (local group, Full Access)
FTP (domain account, Full Access)
NAME_OF_APPPOOL (virtual account, Full Access)
So, with all of these permissions I still get a 401.3 - Unauthorized error from IIS. What am I missing in all of this?
The only thing that's made the website accessible so far was a desperate attempt by putting Everyone with read-only permissions. I think we can all agree that's just dumb as far as security goes...
Update
This is what the Application Pool Identity is set to at the moment.
Check #5 to make sure the AppPool the site is using is actually set to use the Identity you are adding NTFS permissions for.
Specify an Identity for an Application Pool (IIS 7)
Open IIS Manager.
In the Connections pane, expand the server node and click Application Pools.
On the Application Pools page, select the application pool for which you want to specify an identity, and then click Advanced Settings in the Actions pane.
For the Identity property, click the ... button to open the Application Pool Identity dialog box.
If you want to use a built-in account, select the Built-in account option and select an account from the list.
So, since I was trying to access an HTML page (static content) it appears that IIS doesn't use the AppPool identity for static content... (double-U, T, and F?) So, to make it work you have to add IUSR as referenced here: IIS 8 401.3 with ACL and static content. Anyway, it works now, I'm just sooooo looking forward to the day when I put MVC on that site and it starts failing, again...

IIS7 IUSR account permissions not working with forms authentication and file upload

I am trying to deploy an asp.net 4 app to a new microsoft server 2008 R2
I have set up the application as I have done dozens of times before and set the folder permissions appropriately.
I have tried setting the application pool name directly to have write permissions
I have tried setting IUSR, IIS_IUSRS, NETWORK SERVICE and Users.
I have confirmed that windows authentication is disabled and anonymous is enabled as well as forms authentication is enabled. Logging in works fine i can access all pages normally except if i try to write to the folder. Then a password is required box pops up which looks like windows authentication (even though its disabled)
Every post here states and in my past experience says if I set the folder permissions for the defaultidentity application pool it should work, but for some reason this server wont let me do it!
Any help would be most appreciated.
Welp this turns out to be a really weird one. For some reason when SQL reporting services is installed it reserves the folder name "Reports" in any IIS Web application folder regardless of whether your actually using Reporting services. Its not created by default or anything, but if you happen to create folder titled "Reports" dont expect to access anything from it. After many hours of frustration it turns out it's a random reservation which doesn't throw any error just somehow overrides your authentication protocol to use windows authentication for their reserved folder.
Thanks Microsoft!

IIS7 Accessing Network Share

I am running IIS 7 on Windows Server 2008 R2 with PHP 5.4. One of my PHP scripts is trying to access a file on a protected network share using a UNC path. How can I change the IIS service account to an account that has permission to access the share? This is really easy to do on Apache HTTP server (you just change it), but it's not clear how to do with IIS. What can I do?
Update:
I was able to get things working using the "Connect As" option in the "Basic Settings" of my website and then specifying an account that has access to the network share. It appears that my problem is related to this question:
https://serverfault.com/questions/366234/iis-identities-application-pool-vs-connect-as-in-basic-settings
For IIS 7 running on Windows Server 2008 R2 ... In the IIS Manager, select the Application Pool under which your Web Site is running.
Click "Advanced Settings". There will be an entry for Identity (it is under the Process Model section). Click it, provide credentials for your account that has permission to access the share.
UPDATE
You should make sure that if you are using an Active Directory Domain Account, you provided that correctly under Identity for the running App Pool. For example, MYDOMAIN\myAccount.
After making this change, you will need to do the following:
Stop the Web Site.
Recycle your Application Pool.
Start the Web Site.
UPDATE II
From the comment discussion on this answer, #HydroPowerDeveloper was able to get the PHP script to be able to access the network share via UNC path using WebSite -> Basic Settings -> "Connect As" and setting the credentials there.
In the past, I have always used the approach of setting Identity via Application Pool and that has allowed my code to access Network shares via UNC path.
However, all of the sites/applications I have deployed on IIS are .NET based WCF or ASPX sites.
I would speculate (but am not 100% certain on this, would need research/testing to confirm) that the Identity specified in the Application Pool is used by executing .NET code, whereas the "Connect As" is used by the PHP script.
Generally the Application Pool is set using the least amount of privileges as possible.
http://msdn.microsoft.com/en-us/library/ff647402.aspx
The easiest route is to allow access to the current IIS account.
In Explorer, navigate to the shared directory.
Right Click -> Properties -> Security
If you don't see the expected IIS user in the list (Group or user names), edit and add the user as required.
I used "NETWORK SERVICE" -> Check names.
The detailed instructions are on that site.
In this way, the system is still restricted, we're ONLY allowing access to specific directories, we don't need to create any new users, we don't need to recycle the application pool and we don't need to perform any nifty impersonation code.
To resurrect an old question...
I've just been setting up a Win 2016 server that uses some Perl to access a UNC share. I set the Application Pool to an account that I verified had the correct permissions on that share. I then set up my site to 'Connect as...' (under 'Basic Settings') the same user. I still couldn't get access working.
Much head scratching later, I realised that my 'Virtual Directory', cgi-bin, was running under the original 'pass through' account. I then set up the virtual directory to 'Connect as...' the same account as the site and the application pool and, bingo, it all works fine.
So, remember to update any Virtual Directories as well as the site and App Pool...

IIS - Required permissions cannot be acquired. Enabled "Full Trust" and Load User Profile on App Pool is "True"

Setup
There is an IIS 6 application running in a .NET 2.0 App Pool on Server-A. IIS 7 Server-B needs to host that same code-base under a different URL. I created a virtual directory under Server-B's website to the network path of the application on Server-A. I've enabled this virtual directory on Server-B as an application running in its own .NET 2.0 App Pool in Classic Mode. Both app pools run as the same domain account that has access to that folder.
Issue
When accessing the site from Server-A it works fine. Accessing it from Server-B however generates the infamous "Required permissions cannot be acquired." error.
I have been trying to find a solution to this problem for two days. The two most common solutions have been to check the CLR Trust level on the Server-B box or to set the Load User Profile property on the App Pool to "True". Since I have full administrative rights I set the Trust level to Full and set the profile sitting to "True". Strongly naming all the assemblies the application and throwing them in the GAC is not where I want to go.
I'm sure I'm just missing some configuration somewhere. Any ideas? Thanks.
We have had a similar problem once.
In our case the user that was the identity of the app pool have never logged on to the server. Therefore, there was no local user profile, therefore there was a problem when the system tried to use the profile.
As a test try and set the identity of the app pool to the admin account you use to log in with.
Manually verify that user can access that share. Try logging into windows as that user and then accessing that share (or fake it with something like a "runas /User:{Domain\UserName} net use {\server\share}").
Also try loading ShareMonitor wherever the files actually live. It should tell you what user account is trying to access a given share. It might not be the account you think it is. I cannot recall if it was this program or not, but I have used something very similar in the past to figure out a really odd permission problem.
That should determine if it is a file access problem. If it isn't, then all I can say is to make sure you have ASP.NET enabled (on windows server it is a separate option).
Also check out the file permissions on your "Temporary ASP.NET Files" directory. I've had to explicitly add users write access to that before to get things working.
in my case my IIS App Pool had LoadUserProfile=false, so it was not loading the profile of the app pool's Identify (a domain account). This caused this unable to acquire permissions even though my Webroot files/folders (including /bin) had correct permissions. Setting LoadUserProfile=true fixed the issue for my setup.
I would set that application pools identity attribute (in advanced settings) as administrator. That way, you application will work on the server, just like it works on the local setup.

IIS7 Permission Denied - ASP File Write

Unfortunately I don't have a whole lot of information on this.
I have a customer who has moved their site from an ancient system to IIS7 on Windows 2008 Server. Info about the error is below:
Error:
E:\wwwroot\sp\xxx\online_data.xls
Microsoft VBScript runtime error '800a0046'
Permission denied
/xxx/oat/exceldata.asp, line 52
Code:
49 response.write(server.mappath("online_data.xls"))
50
51 set fso = createobject("scripting.filesystemobject")
52 Set act = fso.CreateTextFile(server.mappath("online_data.xls"), true)
The only suggestion so far is to:
grant the application pool
(DefaultAppPool / Classic AppPool)’s
impersonated identity read and write
permission to the physical folder
which the asp page reside
Will look at this when I get access, but other suggestions would be appreciated.
The provided answer is correct, but I needed a little more detail on how to accomplish it. To make it really easy, follow the steps below. I was setting up an asp page counter on a sandbox system in our intranet.
Open Computer Management.
Drill down to the IIS server
Management
In the Connections pane, click on
Application Pools
In the Application Pools pane,
right-click on DefaultAppPool and
choose Advanced Settings. Look in
the Process Model section.
By default, the Identity property is
set to ApplicationPoolIdentity.
This is a built-in account.
If it's set to the default, then you
can use the built-in user
machinename\IUSR for your
permissions settings. I had to
specify the machine name because
this is a virtualized server, YMMV.
If it's not set to the default, use
that username for your permissions
settings.
Cancel out of the dialog and return
to Windows Explorer, to the folder
where you need to add permission.
Right-click to get Permission
settings.
Set up machinename\IUSR or the
non-default username you determined
in steps 6/7 above. Grant
permissions as needed.
This helped:
http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7/
The suggestion is correct. If the path to the solution is not immediately obvious for whatever configuration reasons, try running procmon (filter on "online_data.xls") and see who's failing, why, and what user account they run under. Then check the ACLs.
I had a similar problem in Windows 7 and my solution was changing the Authentication. From IIS, select the site, go to Authentication, disable Anonymous Authentication and enable Windows Authentication.
Spent a bit of time with something similar. Even with the correct settings it wasn't working.
I then tried create the actual file first on the server. Turned out to be the trick that worked. Now my ASP page writes to the existing file no problem.
Must be something about creating a new doc from scratch that is another issue.

Resources