IIS7 Permissions Overview - ApplicationPoolIdentity - iis-7

We have recently upgraded to IIS7 as a core web server and I need an overview in terms of the permissions. Previously, when needing to write to the file system I would have give the AppPool user (Network Service) access to the directory or file.
In IIS7 I see, as default, the AppPool user is set to ApplicationPoolIdentity. So when I check the task-manager, I see that a user account called WebSite.example is running the IIS Process ('Website.example' being the name of the website in IIS)
However this user account doesn't exist if I try to use that to give permissions. So, how do I determine which user to give the permissions too?
See below for the problem in screen shot. Our website (www.silverchip.co.uk) runs on the username SilverChip.co.uk. However when I add permissions, this user doesn't exist!
See AppPool Image:

ApplicationPoolIdentity is actually the best practice to use in IIS7+. It is a dynamically created, unprivileged account. To add file system security for a particular application pool see IIS.net's "Application Pool Identities". The quick version:
If the application pool is named "DefaultAppPool" (just replace this text below if it is named differently)
Open Windows Explorer
Select a file or directory.
Right click the file and select "Properties"
Select the "Security" tab
Click the "Edit" and then "Add" button
Click the "Locations" button and make sure you select the local machine. (Not the Windows domain if the server belongs to one.)
Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box. (Don't forget to change "DefaultAppPool" here to whatever you named your application pool.)
Click the "Check Names" button and click "OK".

Remember to use the server's local name, not the domain name, when resolving the name
IIS AppPool\DefaultAppPool
(just a reminder because this tripped me up for a bit):

Giving access to the IIS AppPool\YourAppPoolName user may be not enough with IIS default configurations.
In my case, I still had the error HTTP Error 401.3 - Unauthorized after adding the AppPool user and it was fixed only after adding permissions to the IUSR user.
This is necessary because, by default, Anonymous access is done using the IUSR. You can set another specific user, the Application Pool or continue using the IUSR, but don't forget to set the appropriate permissions.
Credits to this answer: HTTP Error 401.3 - Unauthorized

On Windows Server 2008(r2) you can't assign an application pool identity to a folder through Properties->Security. You can do it through an admin command prompt using the following though:
icacls "c:\yourdirectory" /t /grant "IIS AppPool\DefaultAppPool":(R)

Part A: Configuring your Application Pool
Suppose the Application Pool is named 'MyPool'
Go to 'Advanced Settings' of the Application Pool from the IIS Manager
Scroll down to 'Identity'. Trying to edit the value will bring up a dialog box. Select 'Built-In account' and under it, select 'ApplicationPoolIdentity'.
A few lines below 'Identity', you should find 'Load User Profile'. This value should be set to 'True'.
Part B: Configuring your website
Website Name: SiteName (just an example)
Physical Path: C:\Whatever (just an example)
Connect as... : Application User (pass-through authentication)
(The above settings can be found in 'Basic Settings' of the site in the IIS Manager)
After configuring the basic settings, look for the 'Authentication' configuration under 'IIS' in the main console of the site. Open it. You should see an option for 'Anonymous Authentication'. Make sure it is enabled. Then right click and 'Edit...' it. Select 'Application Pool Identity'.
Part C: Configuring your folder
The folder in question is C:\Whatever
Go to Properties - Sharing - Advanced Sharing - Permissions, and tick 'Share this folder'
In the same dialog box, you will find a button 'Permissions'. Click it.
A new dialog box will open. Click 'Add'.
A new dialog box 'Select Users or Groups' will open. Under 'From this location' make sure the name is the same as your local host computer. Then, under 'Enter the object names', type 'IIS AppPool\MyPool' and click 'Check Names' and then 'Ok'
Give full sharing permissions for 'MyPool' user. Apply it and close the folder properties
Open folder properties again. This time, go to Security - Advanced - Permission, and click Add. There will be an option 'Select a Principal' at the top, or some other option to choose a user. Click it.
The 'Select Users or Groups' dialog box will open again. Repeat step 4.
Give all or as many permissions you need to the 'MyPool' user.
Check 'Replace all child object permissions..." and Apply and close.
You should now be able to use the browse the website

Top Answer from Jon Adams
Here is how to implement this for the PowerShell folks
$IncommingPath = "F:\WebContent"
$Acl = Get-Acl $IncommingPath
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("IIS AppPool\DefaultAppPool","FullControl","ContainerInherit, ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $IncommingPath $Acl

Just to add to the confusion, the (Windows Explorer) Effective Permissions dialog doesn't work for these logins.
I have a site "Umbo4" using pass-through authentication, and looked at the user's Effective Permissions in the site root folder.
The Check Names test resolved the name "IIS AppPool\Umbo4", but the Effective Permissions shows that the user had no permissions at all on the folder (all checkboxes unchecked).
I then excluded this user from the folder explicitly, using the Explorer Security tab.
This resulted in the site failing with a HTTP 500.19 error, as expected. The Effective Permissions however looked exactly as before.

I fixed all my asp.net problems simply by creating a new user called IUSER with a password and added it the Network Service and User Groups. Then create all your virtual sites and applications set authentication to IUSER with its password.. set high level file access to include IUSER and BAM it fixed at least 3-4 issues including this one..
Dave

Related

MVC, CSS, and 302 authentication Hell

Like most people with the same question, everything under my "Content" folder is currently being redirected to my login page (until I've been authorized). According to Dev HTTP Client, this is what I get when I try navigating directly to one of the style sheets under Content.
I've tried the following:
Allowing anonymous users to access a bunch of different folder via the web.config:
I've tried changing permissions on IIS. The folder of the website has full permissions, and too all of it's subfolders. I've even added Network Service user and DefaultAppPool user, and given them full permissions, also.
I've changed the Anonymous Authentication for the site to be Application Pool Identity
What am I missing?
Since you're setting Anonymous authentication to the ApplicationPool Identity you need to give the ApplicationPool Identity permission to that folder. To do this follow the next steps:
Go to the properties of your content directory
Select the "Security" tab
Click the "Edit" and then "Add" button
Click the "Locations" button and make sure you select your machine. (Not the Windows domain if the server belongs to one.)
Enter "IIS AppPool\nameofyourapppool"
Click the "Check Names" button and click "OK".
I apologize to everybody, but it would seem the answer was obvious (and my fault). In all the changes I made, I guess I had accidentally disabled the anonymous authentication on my Content folder.
So stupid...

Setting up a virtual directory on IIS7

I'm setting up our server so we can install an ASP.Net web application on it.
I right clicked Sites in the IIS7 Manager and selected Add Virtual Directory and I clicked the Test Settings button, this messages is displayed:
The server is configured to use pass-through authentication with a built-in
account to access the specified physical path. However, IIS Manager cannot
verify whether the built-in account has access. Make sure that the application
pool identity has Read access to the physical path. If this server is joined to
a domain, and the application pool identity is NetworkService or LocalSystem,
verify that <domain>\<computer_name>$ has Read access to the physical path.
Then test these settings again.
The message does not tell us how to do any of these things.
The server I'm setting up has Windows7 Home Premium installed on it. The computer is set up with all defaults set and has a computer name such as MyComputer-PC (not the real name). There is no domain set up.
Can you tell us how to do what is described in the message?
1) Go to IIS, click on the IIS entry that holds your virtual directory. On the right click on Basic Setting to see which appliatino pool it's using.
2) Go to IIS, go to application Pools. Right click on your application pool and check the advance setting -> Identity property to find out which user it's using.
3) Go to the folder that your IIS Entry maps to, make sure that user is added to this directory. If you want to give it write permission, give it write. Otherwise, make give it read & execute is fine.
The message is pretty clear in what needs to be done. Go to the Application Pool section of IIS and open the advanced settings of the default Application pool. Check what username is specified in the Identity property.
Go to the location where you are physically storing your virtual directory and go to the folder properties -> Security. Ensure that the user has the appropriate access.
Basically, you can ignore this message if you don't plan to write files to your site directory.
This message means that IIS can't check if it's system windows account has enough permissions on your site folder.

HTTP Error 401.3 - Unauthorized

I am getting this errror in my newly created website in Windows 7 and IIS 7.5. I created an SSL certificate and done binding new website.
HTTP Error 401.3 - Unauthorized
You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server.
Earlier when I created the website, I selected 'application user(pass through authentication)' in 'Add Website' dialogue. and when I click "Test Settings ..." button, I get this error message:
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again.
Please suggest solution to this.
Thanks.
I had the same issue, ensured my DefaultAppPool was running under ApplicationPoolIdentity and the DefaultAppPool had permissions to the folder, but some files still didn't load.
Turns out my problem was that the anonymous authentication user was set to someone else instead of ApplicationPoolIdentity
Screenshot
Make sure that application pool of your website and website both are running under the same identity. Then make sure that this identity has required permissions on the virtual directory. I had exact same issue and above two checks fixed it.
IIS 7 also creates "IUSR" as default user to access files via IIS. So make sure user IUSR has read access to files/folders.
How to check if IUSR has read Access? Right Click -> Folder -> Properties -> Security Tab See if IUSR is in Group or user names list, If No.
Click Edit -> Add -> Advanced -> Find Now -> Select IUSR and click OK -->click Apply
The below worked for me. I did not set up an SSL, just a new website within IIS. Upon doing so I was immediately unable to access the website with this error message.
When I created the new website, a new Application Pool was also created. The Identity of this Application Pool was set to ApplicationPoolIdentity. As mentioned by Suhas, the Application Pool of the website and the website itself must be running under the same identity. (I do not know how to check the identity of the website, but the Application Pool's Identity can be checked by going to Application Pools and looking at the Identity column). The default Application Pool name is DefaultAppPool.
I added permissions to the site (right click the site name -> Edit Permissions -> Security -> Edit -> Add), linking the site to the DefaultAppPool object, which in turn gives the site access to the default user and it's settings. (The default user is created when IIS is installed. Read more about this in Microsoft's docs).
I thought this would be all that's needed to obtain access, but this is incorrect. The website's Application Pool must also be set to DefaultAppPool. This can be done by right clicking on the site -> Manage Website -> Advanced Settings -> Change the Application Pool value to DefaultAppPool.

ASP.Net which user account running Web Service on IIS 7?

I want to know which account running my Web Service/Application so that I can assign the read/write access to that account. I have researched and see most of the sources mentions about ASPNET account, but on my 2008 server, there is not any acount named ASPNET. Some sources say ASPNET is being replaced by NETWORK SERVICE?
Also, can I assign to another user account to run the service? And how to do that?
Thanks,
Server 2008
Start Task Manager
Find w3wp.exe process (description IIS Worker Process)
Check User Name column to find who you're IIS process is running as.
In the IIS GUI you can configure your application pool to run as a specific user:
Application Pool
default
Advanced Settings
Identity
Here's the info from Microsoft on setting up Application Pool Identites:
http://learn.iis.net/page.aspx/624/application-pool-identities/
Look at the Identity of the Application Pool that's running your application. By default it will be the Network Service account, but you can change this.
At least that's how it works on 2003 server, don't know if some details have changed for 2008 server.
You are most likely looking for the IIS_IUSRS account.
I had a ton of trouble with this and then found a great solution:
Create a file in a text editor called whoami.php with the below code as it's content, save the file and upload it to public_html (or whatever you root of your webserver directory is named). It should output a useful string that you can use to track down the user the webserver is running as, my output was "php is running as user: nt authority\iusr" which allowed me to track down the permissions I needed to modify to the user "IUSR".
<?php
// outputs the username that owns the running php/httpd process
// (on a system with the "whoami" executable in the path)
echo 'php is running as user: ' . exec('whoami');
?>
You have to find the right user that needs to use temp folder.
In my computer I follow the above link and find the special folder
c:\inetpub, that iis use to execute her web services.
I check what users could use these folder and find something like these:
computername\iis_isusrs
The main issue comes when you try to add it to all permit on temp folder
I was going to properties, security tab, edit button, add user button
then i put
iis_isusrs
and "check names" button
It doesn´t find anything
The reason is the in my case it looks ( windows 2008 r2 iis 7 ) on pdgs.local location
You have to go to "Select Users or Groups" form, click on Advanced button,
click on Locations button and will see a specific hierarchy
computername
Entire Directory
pdgs.local
So when you try to add an user, its search name on pdgs.local.
You have to select computername and click ok,
Click on "Find Now"
Look for IIS_IUSRS on Name(RDN) column, click ok. So we go back to "Select Users or Groups" form with new and right user underline
click ok, allow full control, and click ok again.
That´s all folks,
Hope it helps,
Jose from Moralzarzal ( Madrid )

Proper setup for IIS7.5 machine account for anonymous Web site access

Using IIS 7.5, IIS_IUSRS is supposed to be the account to use. I get '401 - Unauthorized: Access is denied due to invalid credentials' error. If I add an EVERYONE account with Read, it works. But rather not have Everyone account. Any idea why IIS_IUSRS does not work? It has Read access. Anonymous Access=enabled. Specific User=IUSR
As a side, on the Basic Settings... for the site, Test Settings button says 'ok-on Authenticate' but Authorization 'cannot verify access to path'.
In IIS 7.5 this has changed from being an IIS_IUSRS account to being a user under the IIS AppPools top level windows group
if you create an application pool called
www.mysite.com
then the sites default created user account that it runs as becomes
IIS AppPools\www.mysite.com
Check the following Microsoft Doc under "Securing Resources" to see more
http://learn.iis.net/page.aspx/624/application-pool-identities/
Under the 'Securing Resources' section listed here:
Open Windows Explorer.
Select a file or directory.
Right click the file and select "Properties"
Select the "Security" tab Click the "Edit" and then "Add" button
Click the "Locations" button and make sure you select your machine. Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box.
Click the "Check Names" button and click "OK".
Substitute DefaultAppPool with the name of the application pool you created/used when adding your site to IIS. This IIS AppPool (not IIS AppPools as of iis 7.5.7600 on Windows 7 pro) group is a group of virtual accounts that you will not see when performing a normal account search on your local machine or via a directory service.

Resources