ASP.Net which user account running Web Service on IIS 7? - asp.net

I want to know which account running my Web Service/Application so that I can assign the read/write access to that account. I have researched and see most of the sources mentions about ASPNET account, but on my 2008 server, there is not any acount named ASPNET. Some sources say ASPNET is being replaced by NETWORK SERVICE?
Also, can I assign to another user account to run the service? And how to do that?
Thanks,

Server 2008
Start Task Manager
Find w3wp.exe process (description IIS Worker Process)
Check User Name column to find who you're IIS process is running as.
In the IIS GUI you can configure your application pool to run as a specific user:
Application Pool
default
Advanced Settings
Identity
Here's the info from Microsoft on setting up Application Pool Identites:
http://learn.iis.net/page.aspx/624/application-pool-identities/

Look at the Identity of the Application Pool that's running your application. By default it will be the Network Service account, but you can change this.
At least that's how it works on 2003 server, don't know if some details have changed for 2008 server.

You are most likely looking for the IIS_IUSRS account.

I had a ton of trouble with this and then found a great solution:
Create a file in a text editor called whoami.php with the below code as it's content, save the file and upload it to public_html (or whatever you root of your webserver directory is named). It should output a useful string that you can use to track down the user the webserver is running as, my output was "php is running as user: nt authority\iusr" which allowed me to track down the permissions I needed to modify to the user "IUSR".
<?php
// outputs the username that owns the running php/httpd process
// (on a system with the "whoami" executable in the path)
echo 'php is running as user: ' . exec('whoami');
?>

You have to find the right user that needs to use temp folder.
In my computer I follow the above link and find the special folder
c:\inetpub, that iis use to execute her web services.
I check what users could use these folder and find something like these:
computername\iis_isusrs
The main issue comes when you try to add it to all permit on temp folder
I was going to properties, security tab, edit button, add user button
then i put
iis_isusrs
and "check names" button
It doesn´t find anything
The reason is the in my case it looks ( windows 2008 r2 iis 7 ) on pdgs.local location
You have to go to "Select Users or Groups" form, click on Advanced button,
click on Locations button and will see a specific hierarchy
computername
Entire Directory
pdgs.local
So when you try to add an user, its search name on pdgs.local.
You have to select computername and click ok,
Click on "Find Now"
Look for IIS_IUSRS on Name(RDN) column, click ok. So we go back to "Select Users or Groups" form with new and right user underline
click ok, allow full control, and click ok again.
That´s all folks,
Hope it helps,
Jose from Moralzarzal ( Madrid )

Related

IIS7 Accessing Network Share

I am running IIS 7 on Windows Server 2008 R2 with PHP 5.4. One of my PHP scripts is trying to access a file on a protected network share using a UNC path. How can I change the IIS service account to an account that has permission to access the share? This is really easy to do on Apache HTTP server (you just change it), but it's not clear how to do with IIS. What can I do?
Update:
I was able to get things working using the "Connect As" option in the "Basic Settings" of my website and then specifying an account that has access to the network share. It appears that my problem is related to this question:
https://serverfault.com/questions/366234/iis-identities-application-pool-vs-connect-as-in-basic-settings
For IIS 7 running on Windows Server 2008 R2 ... In the IIS Manager, select the Application Pool under which your Web Site is running.
Click "Advanced Settings". There will be an entry for Identity (it is under the Process Model section). Click it, provide credentials for your account that has permission to access the share.
UPDATE
You should make sure that if you are using an Active Directory Domain Account, you provided that correctly under Identity for the running App Pool. For example, MYDOMAIN\myAccount.
After making this change, you will need to do the following:
Stop the Web Site.
Recycle your Application Pool.
Start the Web Site.
UPDATE II
From the comment discussion on this answer, #HydroPowerDeveloper was able to get the PHP script to be able to access the network share via UNC path using WebSite -> Basic Settings -> "Connect As" and setting the credentials there.
In the past, I have always used the approach of setting Identity via Application Pool and that has allowed my code to access Network shares via UNC path.
However, all of the sites/applications I have deployed on IIS are .NET based WCF or ASPX sites.
I would speculate (but am not 100% certain on this, would need research/testing to confirm) that the Identity specified in the Application Pool is used by executing .NET code, whereas the "Connect As" is used by the PHP script.
Generally the Application Pool is set using the least amount of privileges as possible.
http://msdn.microsoft.com/en-us/library/ff647402.aspx
The easiest route is to allow access to the current IIS account.
In Explorer, navigate to the shared directory.
Right Click -> Properties -> Security
If you don't see the expected IIS user in the list (Group or user names), edit and add the user as required.
I used "NETWORK SERVICE" -> Check names.
The detailed instructions are on that site.
In this way, the system is still restricted, we're ONLY allowing access to specific directories, we don't need to create any new users, we don't need to recycle the application pool and we don't need to perform any nifty impersonation code.
To resurrect an old question...
I've just been setting up a Win 2016 server that uses some Perl to access a UNC share. I set the Application Pool to an account that I verified had the correct permissions on that share. I then set up my site to 'Connect as...' (under 'Basic Settings') the same user. I still couldn't get access working.
Much head scratching later, I realised that my 'Virtual Directory', cgi-bin, was running under the original 'pass through' account. I then set up the virtual directory to 'Connect as...' the same account as the site and the application pool and, bingo, it all works fine.
So, remember to update any Virtual Directories as well as the site and App Pool...

Setting up a virtual directory on IIS7

I'm setting up our server so we can install an ASP.Net web application on it.
I right clicked Sites in the IIS7 Manager and selected Add Virtual Directory and I clicked the Test Settings button, this messages is displayed:
The server is configured to use pass-through authentication with a built-in
account to access the specified physical path. However, IIS Manager cannot
verify whether the built-in account has access. Make sure that the application
pool identity has Read access to the physical path. If this server is joined to
a domain, and the application pool identity is NetworkService or LocalSystem,
verify that <domain>\<computer_name>$ has Read access to the physical path.
Then test these settings again.
The message does not tell us how to do any of these things.
The server I'm setting up has Windows7 Home Premium installed on it. The computer is set up with all defaults set and has a computer name such as MyComputer-PC (not the real name). There is no domain set up.
Can you tell us how to do what is described in the message?
1) Go to IIS, click on the IIS entry that holds your virtual directory. On the right click on Basic Setting to see which appliatino pool it's using.
2) Go to IIS, go to application Pools. Right click on your application pool and check the advance setting -> Identity property to find out which user it's using.
3) Go to the folder that your IIS Entry maps to, make sure that user is added to this directory. If you want to give it write permission, give it write. Otherwise, make give it read & execute is fine.
The message is pretty clear in what needs to be done. Go to the Application Pool section of IIS and open the advanced settings of the default Application pool. Check what username is specified in the Identity property.
Go to the location where you are physically storing your virtual directory and go to the folder properties -> Security. Ensure that the user has the appropriate access.
Basically, you can ignore this message if you don't plan to write files to your site directory.
This message means that IIS can't check if it's system windows account has enough permissions on your site folder.

IIS7 Permissions Overview - ApplicationPoolIdentity

We have recently upgraded to IIS7 as a core web server and I need an overview in terms of the permissions. Previously, when needing to write to the file system I would have give the AppPool user (Network Service) access to the directory or file.
In IIS7 I see, as default, the AppPool user is set to ApplicationPoolIdentity. So when I check the task-manager, I see that a user account called WebSite.example is running the IIS Process ('Website.example' being the name of the website in IIS)
However this user account doesn't exist if I try to use that to give permissions. So, how do I determine which user to give the permissions too?
See below for the problem in screen shot. Our website (www.silverchip.co.uk) runs on the username SilverChip.co.uk. However when I add permissions, this user doesn't exist!
See AppPool Image:
ApplicationPoolIdentity is actually the best practice to use in IIS7+. It is a dynamically created, unprivileged account. To add file system security for a particular application pool see IIS.net's "Application Pool Identities". The quick version:
If the application pool is named "DefaultAppPool" (just replace this text below if it is named differently)
Open Windows Explorer
Select a file or directory.
Right click the file and select "Properties"
Select the "Security" tab
Click the "Edit" and then "Add" button
Click the "Locations" button and make sure you select the local machine. (Not the Windows domain if the server belongs to one.)
Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box. (Don't forget to change "DefaultAppPool" here to whatever you named your application pool.)
Click the "Check Names" button and click "OK".
Remember to use the server's local name, not the domain name, when resolving the name
IIS AppPool\DefaultAppPool
(just a reminder because this tripped me up for a bit):
Giving access to the IIS AppPool\YourAppPoolName user may be not enough with IIS default configurations.
In my case, I still had the error HTTP Error 401.3 - Unauthorized after adding the AppPool user and it was fixed only after adding permissions to the IUSR user.
This is necessary because, by default, Anonymous access is done using the IUSR. You can set another specific user, the Application Pool or continue using the IUSR, but don't forget to set the appropriate permissions.
Credits to this answer: HTTP Error 401.3 - Unauthorized
On Windows Server 2008(r2) you can't assign an application pool identity to a folder through Properties->Security. You can do it through an admin command prompt using the following though:
icacls "c:\yourdirectory" /t /grant "IIS AppPool\DefaultAppPool":(R)
Part A: Configuring your Application Pool
Suppose the Application Pool is named 'MyPool'
Go to 'Advanced Settings' of the Application Pool from the IIS Manager
Scroll down to 'Identity'. Trying to edit the value will bring up a dialog box. Select 'Built-In account' and under it, select 'ApplicationPoolIdentity'.
A few lines below 'Identity', you should find 'Load User Profile'. This value should be set to 'True'.
Part B: Configuring your website
Website Name: SiteName (just an example)
Physical Path: C:\Whatever (just an example)
Connect as... : Application User (pass-through authentication)
(The above settings can be found in 'Basic Settings' of the site in the IIS Manager)
After configuring the basic settings, look for the 'Authentication' configuration under 'IIS' in the main console of the site. Open it. You should see an option for 'Anonymous Authentication'. Make sure it is enabled. Then right click and 'Edit...' it. Select 'Application Pool Identity'.
Part C: Configuring your folder
The folder in question is C:\Whatever
Go to Properties - Sharing - Advanced Sharing - Permissions, and tick 'Share this folder'
In the same dialog box, you will find a button 'Permissions'. Click it.
A new dialog box will open. Click 'Add'.
A new dialog box 'Select Users or Groups' will open. Under 'From this location' make sure the name is the same as your local host computer. Then, under 'Enter the object names', type 'IIS AppPool\MyPool' and click 'Check Names' and then 'Ok'
Give full sharing permissions for 'MyPool' user. Apply it and close the folder properties
Open folder properties again. This time, go to Security - Advanced - Permission, and click Add. There will be an option 'Select a Principal' at the top, or some other option to choose a user. Click it.
The 'Select Users or Groups' dialog box will open again. Repeat step 4.
Give all or as many permissions you need to the 'MyPool' user.
Check 'Replace all child object permissions..." and Apply and close.
You should now be able to use the browse the website
Top Answer from Jon Adams
Here is how to implement this for the PowerShell folks
$IncommingPath = "F:\WebContent"
$Acl = Get-Acl $IncommingPath
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("IIS AppPool\DefaultAppPool","FullControl","ContainerInherit, ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $IncommingPath $Acl
Just to add to the confusion, the (Windows Explorer) Effective Permissions dialog doesn't work for these logins.
I have a site "Umbo4" using pass-through authentication, and looked at the user's Effective Permissions in the site root folder.
The Check Names test resolved the name "IIS AppPool\Umbo4", but the Effective Permissions shows that the user had no permissions at all on the folder (all checkboxes unchecked).
I then excluded this user from the folder explicitly, using the Explorer Security tab.
This resulted in the site failing with a HTTP 500.19 error, as expected. The Effective Permissions however looked exactly as before.
I fixed all my asp.net problems simply by creating a new user called IUSER with a password and added it the Network Service and User Groups. Then create all your virtual sites and applications set authentication to IUSER with its password.. set high level file access to include IUSER and BAM it fixed at least 3-4 issues including this one..
Dave

IIS7 Permission Denied - ASP File Write

Unfortunately I don't have a whole lot of information on this.
I have a customer who has moved their site from an ancient system to IIS7 on Windows 2008 Server. Info about the error is below:
Error:
E:\wwwroot\sp\xxx\online_data.xls
Microsoft VBScript runtime error '800a0046'
Permission denied
/xxx/oat/exceldata.asp, line 52
Code:
49 response.write(server.mappath("online_data.xls"))
50
51 set fso = createobject("scripting.filesystemobject")
52 Set act = fso.CreateTextFile(server.mappath("online_data.xls"), true)
The only suggestion so far is to:
grant the application pool
(DefaultAppPool / Classic AppPool)’s
impersonated identity read and write
permission to the physical folder
which the asp page reside
Will look at this when I get access, but other suggestions would be appreciated.
The provided answer is correct, but I needed a little more detail on how to accomplish it. To make it really easy, follow the steps below. I was setting up an asp page counter on a sandbox system in our intranet.
Open Computer Management.
Drill down to the IIS server
Management
In the Connections pane, click on
Application Pools
In the Application Pools pane,
right-click on DefaultAppPool and
choose Advanced Settings. Look in
the Process Model section.
By default, the Identity property is
set to ApplicationPoolIdentity.
This is a built-in account.
If it's set to the default, then you
can use the built-in user
machinename\IUSR for your
permissions settings. I had to
specify the machine name because
this is a virtualized server, YMMV.
If it's not set to the default, use
that username for your permissions
settings.
Cancel out of the dialog and return
to Windows Explorer, to the folder
where you need to add permission.
Right-click to get Permission
settings.
Set up machinename\IUSR or the
non-default username you determined
in steps 6/7 above. Grant
permissions as needed.
This helped:
http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7/
The suggestion is correct. If the path to the solution is not immediately obvious for whatever configuration reasons, try running procmon (filter on "online_data.xls") and see who's failing, why, and what user account they run under. Then check the ACLs.
I had a similar problem in Windows 7 and my solution was changing the Authentication. From IIS, select the site, go to Authentication, disable Anonymous Authentication and enable Windows Authentication.
Spent a bit of time with something similar. Even with the correct settings it wasn't working.
I then tried create the actual file first on the server. Turned out to be the trick that worked. Now my ASP page writes to the existing file no problem.
Must be something about creating a new doc from scratch that is another issue.

Asp.net Account in windows 7?

I want to authorize the asp.net account to access some folders in my project.
However, I get this error::
System.UnauthorizedAccessException: Access to the path 'D:\ProgramingPart\FromYamn\WebExercise\WebExercise\AccordionImgs' is denied.
I am using win 7 so what is the name of the asp.net account that I should use?
This depends on a couple of things:
What identity is the application pool running as?
What IIS authentication method are you using?
If you are using IIS7 in Classic Pipeline Mode, what authentication method are you using for ASP.NET (see your web.config file).
Try running visual studio as Administrator.
Under Win7 the default IIS user is ApplicationPoolIdentity. This is somewhat confusing as it's not a real user account. In order to adjust the permissions you need to drop to the command line first and issue
icacls D:\ProgramingPart\FromYamn\WebExercise\WebExercise\AccordionImgs /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)
From there you can return to explorer and edit the permissions using the properties tab for the directory. Or you can simply type "IIS APPPOOL\DefaultAppPool" in the add users field in explorer, but I have a preference for icacls myself :)
Probably you want to add the permissions a bit further up the tree. In real shared hosting scenarios application pools tend to get their own, full user accounts, but Server 2008/Win7 added the app pool user so pools can be created, isolated without having to do that.
This worked for me:
On the folder of your application, which might be something like:
C:\Users\YourName\Documents\YourSite
or
C:\inetpub\wwwroot\YourSite
Right-click the folder, choose Properties, go to the Security tab.
You need to add IIS_IUSRS to this list, and probably give full control.
Then, in IIS Manager, assuming you've set up your project folder as an application here, click on your folder/application. Then click the Authentication option. Right click the Anonymous Authentication, and check the user identity. Mine is IUSR.
Go back to your folder security, and add this user, with full control too.
Hopefully it works now!

Resources