Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

  • Question

  • User1439985827 posted

    I've read some information about the new identity model for IIS 7.5 and it seems really cool, the identity on-the-fly and SID injection is neat. But either I am doing something very stupid, or something else. My problem is I need to grant write access to the folder where the application lives for the Windows ACL, so I have my application pool named "DefaultAppPool". When I hit the application and look in task manager, I can see that the w3wp is running as "DefaultAppPool".

    However, when I go to grant DefaultAppPool write access to the directory, Windows always complains it cannot find the user. I've tried:

    • DefaultAppPool
    • IIS APPPOOL\DefaultAppPool

    The first one says the account doesn't exist. The second one says "The following object is not from a domain listed in the Select Location dialog box, and therefore is not valid"

    Well that makes sense since I am not on a domain, and there is no domain called IIS APPPOOL.

    Any hints? Thanks in advance.

    Tuesday, April 7, 2009 5:40 PM

Answers

All replies

  • User690216013 posted

    Can you use icacls to set permissions for IIS APPPOOL\DefaultAppPool?

    http://technet.microsoft.com/en-us/library/cc753525.aspx

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Tuesday, April 7, 2009 9:07 PM
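    The command-line route suggested in this reply, written out as an added example (this is not code from the thread or from Microsoft's documentation). It assumes a pool named DefaultAppPool that has been started at least once, and a placeholder content folder C:\inetpub\wwwroot\MyApp; the pool identity is referenced with the IIS APPPOOL\ prefix that the object picker rejects.

```powershell
# Added example: grant a pool identity rights on its content folder with
# icacls, then read the ACL back to confirm the ACE landed.
# Assumptions: pool "DefaultAppPool" has been started once (IIS creates the
# identity on first start); C:\inetpub\wwwroot\MyApp is a placeholder path.

$poolName   = 'DefaultAppPool'
$identity   = "IIS APPPOOL\$poolName"      # the name form the GUI cannot resolve
$contentDir = 'C:\inetpub\wwwroot\MyApp'

# Modify (M) rather than Full control (F): the pool needs to read and write
# files, not change permissions or take ownership. (OI)(CI) makes the ACE
# inherit to files and subfolders created later.
icacls $contentDir /grant "${identity}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify: list the folder's ACEs and keep only the one for the pool identity.
$acl = Get-Acl -Path $contentDir
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

    Run it from an elevated PowerShell prompt on the IIS host. If the verification step prints nothing, the grant did not resolve; the usual cause is a pool that has never started, so the identity does not exist yet.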
  • User1439985827 posted

     Yes I can, and that seemed to work just great. I suppose that is an oddity of the Beta release - you can't do that through the GUI. Why didn't I think of that!

     Thanks!

    Tuesday, April 7, 2009 9:53 PM
  • User-878454588 posted

    Hi. 

    My coworker just got 7 installed on his Desktop the other day, and we ran into the same problem when trying to set up permissions. Either it's not an oddity of the Beta release, or we didn't take something into consideration which we should have, in which case we'd be glad to take hints as to where we are wrong.

    Thank you.

    Thursday, October 22, 2009 7:25 AM
  • User-1190850920 posted
    Running into the same problem here: Win2k8/IIS 7.0 Can't set the ACL from the GUI, get the same "The following object is not from a domain listed in the Select Location dialog box, and is therefore not valid:" error. Bug?
    Friday, October 23, 2009 3:01 PM
  • User690216013 posted

    It is easy to miss these necessary settings.

    When you are in Select Users or Groups dialog, please make sure you select the machine name for Locations and have Built-in security principals selected for Object Types.

    Only if you have the above settings you can find pool identities such as IIS APPPOOL\DefaultAppPool

    Therefore, this is not a bug.

    Regards,

    Sunday, October 25, 2009 11:56 PM
  • User-878454588 posted

    Hello. 

    Your suggestion helped us a lot.

    Apparently when we set the local machine name as location we didn't use the "IIS AppPool" prefix, and when we used the prefix, we forgot to set the Location.

    But fortunately there is you.

    Thanks a lot

    Monday, October 26, 2009 10:14 AM
  • User1562410301 posted

     I'm running into this issue too (Windows 2008 / IIS 7.0).

    I tried the suggestions above, but it doesn't work.

    When using 'search' in the permissions GUI, none of the built-in IIS AppPool security principals are found.

    When specifying IIS AppPool\AppPoolName it says it cannot find the user/role/principal.

    It seems the folder/file Permission GUI does not support IIS AppPool built-in principals... is that correct?

    I can however modify permissions using icacls.

    Tuesday, October 27, 2009 8:03 AM
  • User-1590933450 posted

    We have the exact same problem here. It works like a charm in Windows Server 2008 R2 / IIS 7.5, but not in 2008 SP2 / IIS 7.0.

    In 2008 R2 I can use the GUI to set file acls for "IIS AppPool\<app pool name>" but in 2008 the user can't be found. I've tried on several different servers.

    Location is the local computer and Built-in security principals is checked under Objects.

    Tuesday, October 27, 2009 11:21 AM
  • User511787461 posted

    This is unfortunately a limitation of the object picker on ws08/vista - as several people have already discovered, you can still manipulate the ACL for the app-pool identity using command line tools like icacls.

    Tuesday, October 27, 2009 1:27 PM
  • User-878454588 posted

    I just retried with Vista SP2 / IIS7.0, and what recently worked well with Windows 7 / IIS7.5 just wouldn't.

    Edit: Oh noez, starting a reply and leaving it sitting around for extensive periods of time will lead into obsoleteness.  :-)

    Tuesday, October 27, 2009 1:33 PM
  • User1562410301 posted

    The nice thing is I learned to use icacls now :)

    Tuesday, October 27, 2009 3:44 PM
  • User1696511887 posted

    I am using Windows 7 and set up the permissions for "IIS AppPool\DefaultAppPool" to have "Full Control" over my web app.  I still keep getting FileIOPermission errors.  When I switched the App Pool to use Network Services everything worked like a charm.

    Any thoughts on why a web app running in Full Trust with Full Control granted for the DefaultAppPool would still be throwing FileIOPermission errors?

    Note: I have tried setting the permissions with both the GUI and the icacls command. In both, full control was granted. Keep getting the following error when I do not use Network Services:

    System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

    Thursday, January 14, 2010 2:04 AM
  • User-1157744904 posted

    I found this thread after experiencing the same ApplicationPoolIdentity authentication problems described by the original poster (IIS 7.5 on Windows 7).  Someone called it "a limitation of the object picker" which sounds like a nice way of saying the Windows/IIS team let this out the door half-baked. I was just about to use the "Network Service" identity instead but will give icacls a try and see if I can get the ApplicationPoolIdentity to work...

    Sunday, April 11, 2010 2:23 PM
  • User1854856562 posted

    I just found an easy solution to this problem that does not involve using the NetworkService as the account to run the AppPool.

    I have applied this solution to my 2008R2 using IIS7.5 (using IIS6Compatibility mode and the local SMTP server Feature installed and all ASP AppPools running in 32bit mode); I have not tested this outside of that environment, so your mileage may vary.

    Let me preface by saying, this issue didn't happen when the AppPool was running as NetworkService, only when using ApplicationPoolIdentity. The reason for this is explained below.

    In 2008/IIS7+ the ApplicationPoolIdentity accounts are hidden accounts that have dynamically assigned SIDs (created and assigned when the ApplicationPool is started). But the accounts live as (hidden) users under the IIS_IUSRS group on the local machine (this makes giving them permissions to the AppPools pretty easy, since you can use the normal GUI interface for perms or use scripts while specifying the local user group).

    • Give Read/Write permissions for the IIS_IUSRS group to the folder (permissions will inherit down to all folders).

    Hope this helps all the other people who found this thread.

    Monday, May 10, 2010 1:57 PM
  • User1165108473 posted
    You have to start the application pool at least once in order for the IIS AppPool\<YourAppPoolName> identity to be available for either object picker or icacls.

    More importantly:
    Using the IIS_IUSRS group for permissions defeats the whole purpose of the Application Pool identities. The identities are for separation of different applications. You can permission one application on database Xyz, and other IIS applications won't have access to it. I think this is an important point to make. If you use the group as a hack, ANY application will have access to the resource (either a db or file system artifacts), because any member of the group (each application pool identity) will be permissioned.
    Friday, June 4, 2010 4:17 AM
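    The separation argument made in this reply, as an added example that is not part of the thread: each pool is granted only its own folder, and a small audit function then walks a content root looking for explicit Allow ACEs for the IIS_IUSRS group, which would hand every pool the same access. The pool names ShopPool and BlogPool and the paths under C:\inetpub\wwwroot are placeholders, and both pools are assumed to have started once.

```powershell
# Added example: per-pool grants instead of a group-wide grant, plus an audit
# that reports where IIS_IUSRS has been given explicit Allow access.
# Assumptions: pools "ShopPool" and "BlogPool" (placeholders) have started
# once; content lives under C:\inetpub\wwwroot\<app> (placeholder paths).

$apps = @{
    'ShopPool' = 'C:\inetpub\wwwroot\Shop'
    'BlogPool' = 'C:\inetpub\wwwroot\Blog'
}

foreach ($pool in $apps.Keys) {
    $identity = "IIS APPPOOL\$pool"
    $path     = $apps[$pool]
    # Read and execute is enough to serve content; widen to M only on the
    # specific folders an app must write to (uploads, logs).
    icacls $path /grant "${identity}:(OI)(CI)RX" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $path (exit $LASTEXITCODE)" }
}

function Find-SharedPoolGrants {
    # Returns one object per folder under $Root that carries an explicit
    # (non-inherited) Allow ACE for IIS_IUSRS. Inherited copies are skipped
    # so the output points at the folder where the grant was actually made.
    param([Parameter(Mandatory)][string]$Root)

    $folders = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse)
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                -not $ace.IsInherited -and
                $ace.IdentityReference.Value -match '\\IIS_IUSRS$') {
                [pscustomobject]@{
                    Path     = $folder.FullName
                    Identity = $ace.IdentityReference.Value   # shows as BUILTIN\IIS_IUSRS
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

# Usage: an empty result means no folder under the root is shared across pools
# through the group.
Find-SharedPoolGrants -Root 'C:\inetpub\wwwroot' | Format-Table -AutoSize
```

    Any folder the audit lists is reachable by every application pool on the box, regardless of which pool identity each site runs under; replacing that ACE with a grant to the single pool that needs it restores the isolation the reply describes.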
  • User1930089009 posted

     What if it's SQL server that isn't giving you access?

    I'm getting this error:  System.Data.EntityException: The underlying provider failed on Open. ---> System.Data.SqlClient.SqlException: Login failed for user 'IIS APPPOOL\ASP.NET v4.0'.

    Wednesday, June 16, 2010 4:53 PM
  • User-878454588 posted
    It should be as easy as adding a new login 'IIS AppPool\ASP.NET v4.0' in SQL Server Management Studio or using some script like

    CREATE LOGIN [IIS AppPool\ASP.NET v4.0] FROM WINDOWS

    (Edit: Maybe you also want to give that user appropriate permissions on the databases / database objects he's supposed to interact with.)

    (Edit2: This was under the assumption that the SQL Server is on the same machine as IIS. Which, thinking about it, is a quite unreasonable assumption in general. If SQL Server and IIS are running on different machines, I'd think you would have to use some account which is known to both of them, and not local to the IIS machine.)

    Thursday, June 17, 2010 3:50 AM
  • User690216013 posted

    It is strongly not recommended to grant the application pool identity permissions on a database.

    MSDN has two approaches listed for ASP.NET beginners,

    http://msdn.microsoft.com/en-us/library/ms998300.aspx

    http://msdn.microsoft.com/en-us/library/ms998292.aspx

    Regards,

    Thursday, June 17, 2010 9:24 AM
  • User-1256008309 posted
    I am running Windows Server 2008 R2 Standard. I was unable to give DefaultAppPool permissions to an .mdb file using the GUI. I was able to do it with icacls. However, the web application still could not write to the database. I tried using the IIS_IUSRS group as well, but writing to the database was still denied. Finally, I gave the IUSR account modify permissions and it worked. Any ideas why I'm having to do this and how I can make my installation of IIS 7 work the recommended way?
    Wednesday, September 29, 2010 4:04 PM
  • User-225879694 posted

    I am running Windows Server 2008 R2 Standard. I was unable to give DefaultAppPool permissions to an .mdb file using the GUI. I was able to do it with icacls. However, the web application still could not write to the database. I tried using the IIS_IUSRS group as well, but writing to the database was still denied. Finally, I gave the IUSR account modify permissions and it worked. Any ideas why I'm having to do this and how I can make my installation of IIS 7 work the recommended way?


    Yes, it's because you are not using .NET, so the app runs under the security context of the anonymous user (IUSR), because in classic ASP impersonation cannot be disabled.

    To make it work the "recommended" way set your anonymous identity = app pool

    Monday, October 11, 2010 8:29 AM
  • User-636020408 posted

    I want to second what jgovednik described.

    I used to grant DefaultAppPool permissions for my ASP.NET apps. Now I just grant permissions to IIS_IUSRS.  This has worked well for me so far.

    Wednesday, June 1, 2011 7:25 PM
  • User1073881637 posted

    +1

    Wednesday, June 1, 2011 8:05 PM
  • User-501185762 posted
    Hi, I'm having problems understanding what to use when programmatically giving access rights to a directory to an asp2 web-app. The call is to be made to AddAccessRule to create a new ACE in the ACL. How can I find a SID to supply in that call for DefaultAppPool, or should I just give that as a username? /Sven
    Tuesday, July 26, 2011 9:00 AM
  • User-1672167363 posted

    Hello @ sh_olsson,

    If you check the IIS.NET library reference for Application Pools, http://www.iis.net/ConfigReference/system.applicationHost/applicationPools , the samples section may help.

    For general Application Pool use http://learn.iis.net/page.aspx/624/application-pool-identities/ in IIS Net library.

    Martin

    Tuesday, July 26, 2011 10:50 AM
  • User142823163 posted
    IIS 7.5... I still use IIS7.0
    Wednesday, July 27, 2011 10:28 AM
  • User-1672167363 posted

    Hi @ freefallen,

    The information in the thread from Lex on icacls commands and operation works with IIS Server 7.0 to manage permissions:

    http://technet.microsoft.com/en-us/library/cc753525.aspx

    Martin

    Wednesday, July 27, 2011 12:00 PM
  • User-501185762 posted

    Hello @ sh_olsson,

    If you check the IIS.NET library reference for Application Pools, http://www.iis.net/ConfigReference/system.applicationHost/applicationPools , the samples section may help.

    For general Application Pool use http://learn.iis.net/page.aspx/624/application-pool-identities/ in IIS Net library.

    Martin

    Thanks, but in the first link there is a worrying sentence: "To do so, you would set your security using the name of an application pool by using syntax like "IIS AppPool\DefaultAppPool." This identity is created dynamically, thereby dramatically reducing the surface attack area of your server"

    The word "dynamically" is ominous to me, I get the impression that if I use syntax like:

        ...FileSystemAccessRule(New NTAccount("IIS AppPool\DefaultAppPool"), FileSystemRights...

    to create an ACE in an ACL for a resource, later on, the SID number for "IIS AppPool\DefaultAppPool" will have changed so the access rule stops working?

    Or is the SID number stable on that machine, for that specific name "IIS AppPool\DefaultAppPool", so I shouldn't worry about the wording "dynamic"?

    /sh

    Wednesday, July 27, 2011 1:06 PM
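    The programmatic route asked about in the two posts above (AddAccessRule with an NTAccount for the pool identity), as an added example that is not from the thread or from the IIS.NET pages it links. It uses the same .NET types a web app would call, driven from PowerShell. On the "dynamic" wording: the SID of an application pool identity is one of the S-1-5-82-... SIDs that Windows derives from the pool name, so the same pool name maps to the same SID each time the pool starts; the example translates the name to that SID, builds the ACE against it, and checks the prefix. It assumes a pool named DefaultAppPool that has been started at least once, and a placeholder folder C:\inetpub\wwwroot\MyApp\Uploads.

```powershell
# Added example: add an ACE for a pool identity via the .NET ACL API
# (NTAccount -> SecurityIdentifier -> FileSystemAccessRule -> AddAccessRule).
# Assumptions: pool "DefaultAppPool" has started once; the folder path is a
# placeholder.

$poolName = 'DefaultAppPool'
$path     = 'C:\inetpub\wwwroot\MyApp\Uploads'

# Resolve the name to its SID. Pool identity SIDs are S-1-5-82-... values
# derived from the pool name, so an ACE stored by SID does not go stale when
# the pool restarts.
$account = New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$poolName")
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
if (-not $sid.Value.StartsWith('S-1-5-82-')) {
    throw "$account did not resolve to an application pool SID: $($sid.Value)"
}

$rights      = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$type        = [System.Security.AccessControl.AccessControlType]::Allow

# The rule takes any IdentityReference; passing the SID skips a second name
# lookup when the ACL is written.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, $rights, $inherit, $propagation, $type)

$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Confirm by SID: Get-Acl reports names, so translate each ACE's identity back.
(Get-Acl -Path $path).Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
    } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

    Passing the NTAccount itself to the FileSystemAccessRule constructor, as the VB fragment in the post does, works too: Windows stores only the SID in the ACL either way, which is why the explicit translation and prefix check above are a sanity step rather than a requirement. Modify rather than FullControl keeps the pool from altering the folder's own permissions.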
  • User-1672167363 posted

    Hi,

    The topic is "Trouble with ApplicationPoolIdentity", "IIS 7.5 server" or "Windows 7 operating systems".

    Your questions are important "security questions and concerns" and need the best possible answers.

    Create a new post.

    TIA,

    Martin

    Wednesday, July 27, 2011 1:23 PM
  • User658473424 posted

     Have you ever found the solution to this problem? I'm having a problem very similar when trying to access an Azman Xml...

    Tuesday, September 27, 2011 3:56 AM
  • User-1672167363 posted

    Hi,

    The Topic "Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7"

    Your questions are important and need the best possible answers.

    Create a new post for the problems and issues.

    TIA,

    Regards,

    Martin

    Tuesday, September 27, 2011 5:28 AM
  • User-1942688609 posted
    Therefore, this is not a bug.
    It may not be a bug, but it's hardly well documented. I'd vote to describe this as a documentation bug - I really shouldn't have to trawl through multiple online forums to find how to do such a basic operation (most of the descriptions I read were incomplete or wrong). And this isn't the first time I've attempted to resolve it (first time I succeeded before giving up though). Thanks for the solution, it just saved me having to use "Network Service" again.
    Thursday, April 26, 2012 8:55 AM
  • User990644438 posted
    Before you made changes to the app pools, all you probably needed to do was add read access to your physical directory for the "network service" account (that is the default account used by asp.net on vista & win7). I think what you may be looking for at this point is this: aspnet_regiis -ga <useraccount> The -ga switch tells aspnet_regiis to configure all the security for asp.net. Usually you only need to do this stuff when you are using impersonation in your application, but if you are changing the default user for the application pools then you are effectively doing the same thing IIS wide. The best complete documentation I've found is on MSDN. It applies to the previous version of IIS, IIS 6, but it is pretty easy to apply it in IIS 7 environments.
    Monday, May 21, 2012 3:00 AM
  • User-813868943 posted
    I am trying to deny the default application pool access to the Windows folder so users/scripts cannot run exes. I have denied IIS_IUSRS, which works for dedicated app pools, but not for default app pools. I have followed this thread, but there is no such user as ApplicationPoolIdentity or IIS APPPOOL\DefaultAppPool, so I cannot deny it. I have ALL object types selected in the "select users and groups" dialog.
    Tuesday, September 18, 2012 12:51 PM
  • User-813868943 posted
    OK, I managed to do it with icacls; no-one has actually shown the command here, so here it is: icacls c:\windows\system32\*.exe /deny "IIS APPPOOL/DefaultAppPool" Now if I check the permissions on any exe it shows "DefaultAppPool" is denied all access. However CGI scripts are still able to run exes, what have I missed? IIS_IUSRS is also denied access. What does ApplicationPoolIdentity run as?
    Tuesday, September 18, 2012 1:04 PM