I've been stuck working on XP Pro for what seems like forever and only recently switched to Win 7. Running IIS 7.5 I find it really confusing as to which account needs access these days to allow a ASP.NET website to run/read/write etc.
I end up getting frustrated and just giving "everyone" access but I'm not really happy with that. What account should I be giving permissions too so I get this right once and for all.
Cheers
By default, a virtual user is created on the fly that's named after the application pool; it's marked as ApplicationPoolIdentity in the IIS manager. This user belongs to the group IIS_IUSRS.
IIS 7.5 has an application pool that is run using the credentials of a particular user. Unless you tell your site otherwise (through impersonation, see http://msdn.microsoft.com/en-us/library/xh507fc5(v=VS.100).aspx) it's this identity that will be used.
Note that this is a virtual user - see http://learn.iis.net/page.aspx/624/application-pool-identities/. For maximum security a new virtual user for each application pool is created on-the-fly each time the pool is started -- so, in particular, you won't see it listed in the "Select Users or Groups" dialog when setting permissions for folders.
To get around this, you can either:
Set the permission for the file to allow read access to the group IIS_USRS
or, more securely, change the user identity for each application pool and use that.
To change the user identity, use the IIS Manager. Right click My Computer, choose Manage, expand Services, then choose IIS Manager; you'll see a list of the application pools as currently configured.
Here's mine:
As you can see I'm just using the default identity for all my applications. Right click on a pool and choose Advanced Settings, you'll see this:
which lets you change the identity as appropriate.
There are also ways of viewing and changing the identity using WMI: see http://technet.microsoft.com/en-us/library/cc771170(WS.10).aspx.
The virtual user account isn't ApplicationPoolIdentity. The username will match the name of the app pool it's associated with.
There is no UI to edit these users but to limit access to the web apps running in DefaultAppPool, type "IIS AppPool\DefaultAppPool" in Explorer find user box with the local machine set as the source.
The local group IIS_USERS is created to automatically contain these virtual users, so if you don't want anything fruity like limiting access by app pools, assign the rights to this group that you would have assign to NETWORKSERVICE under XP/2003.
By default the pool runs with its own automatic account(IISAPPOOL\DefaultAppPool for ex) but you can change it in the pool configuration. Moreover, the account belongs(by default) to IIS_IUSRS group.
Related
This questions has been asked, A LOT, but I've yet to figure out a proper solution. I've got a Windows Server 2012 server with of course IIS 8. I'm setting up a very, very, simple website on it with an HTML file that has Hello World in it. On the folder for the website I have the following permissions set up:
SYSTEM (local account, Full Access)
Administrators (local group, Full Access)
FTP (domain account, Full Access)
NAME_OF_APPPOOL (virtual account, Full Access)
So, with all of these permissions I still get a 401.3 - Unauthorized error from IIS. What am I missing in all of this?
The only thing that's made the website accessible so far was a desperate attempt by putting Everyone with read-only permissions. I think we can all agree that's just dumb as far as security goes...
Update
This is what the Application Pool Identity is set to at the moment.
Check #5 to make sure the AppPool the site is using is actually set to use the Identity you are adding NTFS permissions for.
Specify an Identity for an Application Pool (IIS 7)
Open IIS Manager.
In the Connections pane, expand the server node and click Application Pools.
On the Application Pools page, select the application pool for which you want to specify an identity, and then click Advanced Settings in the Actions pane.
For the Identity property, click the ... button to open the Application Pool Identity dialog box.
If you want to use a built-in account, select the Built-in account option and select an account from the list.
So, since I was trying to access an HTML page (static content) it appears that IIS doesn't use the AppPool identity for static content... (double-U, T, and F?) So, to make it work you have to add IUSR as referenced here: IIS 8 401.3 with ACL and static content. Anyway, it works now, I'm just sooooo looking forward to the day when I put MVC on that site and it starts failing, again...
I am running IIS 7 on Windows Server 2008 R2 with PHP 5.4. One of my PHP scripts is trying to access a file on a protected network share using a UNC path. How can I change the IIS service account to an account that has permission to access the share? This is really easy to do on Apache HTTP server (you just change it), but it's not clear how to do with IIS. What can I do?
Update:
I was able to get things working using the "Connect As" option in the "Basic Settings" of my website and then specifying an account that has access to the network share. It appears that my problem is related to this question:
https://serverfault.com/questions/366234/iis-identities-application-pool-vs-connect-as-in-basic-settings
For IIS 7 running on Windows Server 2008 R2 ... In the IIS Manager, select the Application Pool under which your Web Site is running.
Click "Advanced Settings". There will be an entry for Identity (it is under the Process Model section). Click it, provide credentials for your account that has permission to access the share.
UPDATE
You should make sure that if you are using an Active Directory Domain Account, you provided that correctly under Identity for the running App Pool. For example, MYDOMAIN\myAccount.
After making this change, you will need to do the following:
Stop the Web Site.
Recycle your Application Pool.
Start the Web Site.
UPDATE II
From the comment discussion on this answer, #HydroPowerDeveloper was able to get the PHP script to be able to access the network share via UNC path using WebSite -> Basic Settings -> "Connect As" and setting the credentials there.
In the past, I have always used the approach of setting Identity via Application Pool and that has allowed my code to access Network shares via UNC path.
However, all of the sites/applications I have deployed on IIS are .NET based WCF or ASPX sites.
I would speculate (but am not 100% certain on this, would need research/testing to confirm) that the Identity specified in the Application Pool is used by executing .NET code, whereas the "Connect As" is used by the PHP script.
Generally the Application Pool is set using the least amount of privileges as possible.
http://msdn.microsoft.com/en-us/library/ff647402.aspx
The easiest route is to allow access to the current IIS account.
In Explorer, navigate to the shared directory.
Right Click -> Properties -> Security
If you don't see the expected IIS user in the list (Group or user names), edit and add the user as required.
I used "NETWORK SERVICE" -> Check names.
The detailed instructions are on that site.
In this way, the system is still restricted, we're ONLY allowing access to specific directories, we don't need to create any new users, we don't need to recycle the application pool and we don't need to perform any nifty impersonation code.
To resurrect an old question...
I've just been setting up a Win 2016 server that uses some Perl to access a UNC share. I set the Application Pool to an account that I verified had the correct permissions on that share. I then set up my site to 'Connect as...' (under 'Basic Settings') the same user. I still couldn't get access working.
Much head scratching later, I realised that my 'Virtual Directory', cgi-bin, was running under the original 'pass through' account. I then set up the virtual directory to 'Connect as...' the same account as the site and the application pool and, bingo, it all works fine.
So, remember to update any Virtual Directories as well as the site and App Pool...
I'm setting up our server so we can install an ASP.Net web application on it.
I right clicked Sites in the IIS7 Manager and selected Add Virtual Directory and I clicked the Test Settings button, this messages is displayed:
The server is configured to use pass-through authentication with a built-in
account to access the specified physical path. However, IIS Manager cannot
verify whether the built-in account has access. Make sure that the application
pool identity has Read access to the physical path. If this server is joined to
a domain, and the application pool identity is NetworkService or LocalSystem,
verify that <domain>\<computer_name>$ has Read access to the physical path.
Then test these settings again.
The message does not tell us how to do any of these things.
The server I'm setting up has Windows7 Home Premium installed on it. The computer is set up with all defaults set and has a computer name such as MyComputer-PC (not the real name). There is no domain set up.
Can you tell us how to do what is described in the message?
1) Go to IIS, click on the IIS entry that holds your virtual directory. On the right click on Basic Setting to see which appliatino pool it's using.
2) Go to IIS, go to application Pools. Right click on your application pool and check the advance setting -> Identity property to find out which user it's using.
3) Go to the folder that your IIS Entry maps to, make sure that user is added to this directory. If you want to give it write permission, give it write. Otherwise, make give it read & execute is fine.
The message is pretty clear in what needs to be done. Go to the Application Pool section of IIS and open the advanced settings of the default Application pool. Check what username is specified in the Identity property.
Go to the location where you are physically storing your virtual directory and go to the folder properties -> Security. Ensure that the user has the appropriate access.
Basically, you can ignore this message if you don't plan to write files to your site directory.
This message means that IIS can't check if it's system windows account has enough permissions on your site folder.
Setup
There is an IIS 6 application running in a .NET 2.0 App Pool on Server-A. IIS 7 Server-B needs to host that same code-base under a different URL. I created a virtual directory under Server-B's website to the network path of the application on Server-A. I've enabled this virtual directory on Server-B as an application running in its own .NET 2.0 App Pool in Classic Mode. Both app pools run as the same domain account that has access to that folder.
Issue
When accessing the site from Server-A it works fine. Accessing it from Server-B however generates the infamous "Required permissions cannot be acquired." error.
I have been trying to find a solution to this problem for two days. The two most common solutions have been to check the CLR Trust level on the Server-B box or to set the Load User Profile property on the App Pool to "True". Since I have full administrative rights I set the Trust level to Full and set the profile sitting to "True". Strongly naming all the assemblies the application and throwing them in the GAC is not where I want to go.
I'm sure I'm just missing some configuration somewhere. Any ideas? Thanks.
We have had a similar problem once.
In our case the user that was the identity of the app pool have never logged on to the server. Therefore, there was no local user profile, therefore there was a problem when the system tried to use the profile.
As a test try and set the identity of the app pool to the admin account you use to log in with.
Manually verify that user can access that share. Try logging into windows as that user and then accessing that share (or fake it with something like a "runas /User:{Domain\UserName} net use {\server\share}").
Also try loading ShareMonitor wherever the files actually live. It should tell you what user account is trying to access a given share. It might not be the account you think it is. I cannot recall if it was this program or not, but I have used something very similar in the past to figure out a really odd permission problem.
That should determine if it is a file access problem. If it isn't, then all I can say is to make sure you have ASP.NET enabled (on windows server it is a separate option).
Also check out the file permissions on your "Temporary ASP.NET Files" directory. I've had to explicitly add users write access to that before to get things working.
in my case my IIS App Pool had LoadUserProfile=false, so it was not loading the profile of the app pool's Identify (a domain account). This caused this unable to acquire permissions even though my Webroot files/folders (including /bin) had correct permissions. Setting LoadUserProfile=true fixed the issue for my setup.
I would set that application pools identity attribute (in advanced settings) as administrator. That way, you application will work on the server, just like it works on the local setup.
I understand what the two are used for, except I don't know what each does--i.e. what one is for vs. what the other is for. (I usually set them to the same account anyway.)
If you're not sure what accounts I'm talking about, in the IIS manager thingy:
Right-click on the app pool in question, go to Properties, and click the Identity tab to see the App Pool Identity.
Right-click a Web site, go to Properties -> Directory Security, and click Edit under Anonymous Access and authentication control to view the Account for anonymous access.
That is the account under which the worker process will run when anonymous access and impersonation both are enabled. If you have impersonation disabled it will run under the default app pool account.
Check this for more info.