I had a problem running an ASP.NET application (application Pool v4.0) on windows server 2008 IIS 7.5.
I figured out that it's a permissions problem, but I couldn't find ASP.NET user group, so I granted NETWORK SERVICE and still it didn't work until I granted IIS_USERS permission to read/write and modify then it worked.
Why I can't find ASP.NET user group? and how can I add it if possible?
When you come to apply file and folder permissions you grant the Application Pool identity whatever rights are required. For example if you are granting the application pool identity for the ASP.NET v4.0 pool permissions then you can either do this via Explorer:
Click the "Check Names" button:
Or you can do this using the ICACLS.EXE utility:
icacls c:\wwwroot\mysite /grant "IIS AppPool\ASP.NET v4.0":(CI)(OI)(M)
This is taken mostly from What are all the user accounts for IIS/ASP.NET and how do they differ?, so look at that for the full answer, but this section is pertinent to you.
Related
when i change identity to localservice restart,it`s work,but why?applicationPoolIdentity created by default,it should has power with site folder,and when site run,i change identity to ApplicationPoolIdentity again,still work,dose some one know doc with it?
"it should has power with site folder". No. That's not correct.
Many permissions are granted by server administrators after deploying a web app and they don't come automatically.
For example, IIS_IUSRS has read and execute permissions in \inetpub\wwwroot only because that's the folder for the sample Default Web Site.
If you create a new site then you are responsible to grant IIS_USRS the permissions there. From security perspective, that's the right way to go, and this behavior was there since at least IIS 6 (two decades ago).
Reference
https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/default-permissions-user-rightshttps://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/default-permissions-user-rights#inetpubwwwroot
I successfully configured IIS for Web Deploy and added a IIS Manager User.
The problem is when i try to publish, i get back error
Error 1 Web deployment task failed. (Unable to perform the operation
("Delete Directory") for the specified directory ("2_0_50727"). This
can occur if the server administrator has not authorized this
operation for the user credentials you are using. Learn more at:
http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_INSUFFICIENT_ACCESS_TO_SITE_FOLDER.) C:\Program
Files
(x86)\MSBuild\Microsoft\VisualStudio\v12.0\Web\Microsoft.Web.Publishing.targets 4270 5 WebAPI
Which shortly means, there are no premissions for user to handle root folder content. I couldn't figure out, who is the user, to give the permissions to.
The linked Microsoft page is telling, in most of the case, it's "Local Service", well it already has full control permissions. So i tried more "IUSR", "DefaultAppPool" - still not right ones. The temporary solution is to give permissions to "Everyone" and then it works... but who's the right user??
Did you add a rule (contentPath, createApp, dirPath, filePath, iisApp, runCommand) for your IIS Manager user in Manager Service Delegation?
And also I granted access to the site folder for LOCAL SERVICE because Web Management Service runs under this account and for NETWORK SERVICE because of Web Deployment Agent Service.
Right click the web site in IIS Manager and choose Deploy -> Configure Web Deploy Publishing. Choose your IIS-user and Setup, in order to give correct rights for publishing to that site.
I've just moved away from IIS6 on Win2003 to IIS8 on Win2012 for hosting ASP.NET applications.
Within one particular folder in my application I need to Create & Delete files. After copying the files to the new server, I kept seeing the following errors when I tried to delete files:
Access to the path 'D:\WebSites\myapp.co.uk\companydata\filename.pdf' is denied.
When I check IIS I see that the application is running under the DefaultAppPool account, however, I never set up Windows permissions on this folder to include IIS AppPool\DefaultAppPool
Instead, to stop screaming customers I granted the following permissions on the folder:
IUSR
Read & Execute
List Folder Contents
Read
Write
IIS_IUSRS
Modify
Read & Execute
List Folder Contents
Read
Write
This seems to have worked, but I am concerned that too many privileges have been set. I've read conflicting information online about whether IUSR is actually needed at all here. Can anyone clarify which users/permissions would suffice to Create and Delete documents on this folder please? Also, is IUSR part of the IIS_IUSRS group?
Update & Solution
Please see my answer below. I've had to do this sadly as some recent suggestions were not well thought out, or even safe (IMO).
I hate to post my own answer, but some answers recently have ignored the solution I posted in my own question, suggesting approaches that are nothing short of foolhardy.
In short - you do not need to edit any Windows user account privileges at all. Doing so only introduces risk. The process is entirely managed in IIS using inherited privileges.
Applying Modify/Write Permissions to the Correct User Account
Right-click the domain when it appears under the Sites list, and choose Edit Permissions
Under the Security tab, you will see MACHINE_NAME\IIS_IUSRS is listed. This means that IIS automatically has read-only permission on the directory (e.g. to run ASP.Net in the site). You do not need to edit this entry.
Click the Edit button, then Add...
In the text box, type IIS AppPool\MyApplicationPoolName, substituting MyApplicationPoolName with your domain name or whatever application pool is accessing your site, e.g. IIS AppPool\mydomain.com
Press the Check Names button. The text you typed will transform (notice the underline):
Press OK to add the user
With the new user (your domain) selected, now you can safely provide any Modify or Write permissions
IUSR is part of the IIS_IUSER group, so I guess you can remove the permissions for IUSR without worrying. Further reading
However, a problem arose over time as more and more Windows system services started to run as NETWORKSERVICE. This is because services running as NETWORKSERVICE can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities.
The Windows operating system provides a feature called "Virtual Accounts" that allows IIS to create unique identities for each of its Application Pools. DefaultAppPool is the default pool that is assigned to all Application Pools you create.
To make it more secure you can change the IIS DefaultAppPool Identity to ApplicationPoolIdentity.
Regarding permissions, Create and Delete summarize all the rights that can be given. So whatever you have assigned to the IIS_USERS group is all that they will require.
When I added permissions for IIS_IUSRS to the site folder, resources like JavaScript and CSS were still inaccessible (error 401, forbidden). However, when I added IUSR, it started working. So for sure you cannot remove the permissions for IUSR.
#EvilDr
You can create an IUSR_[identifier] account within your AD environment and let the particular application pool run under that IUSR_[identifier] account:
"Application pool" > "Advanced Settings" > "Identity" > "Custom account"
Set your website to "Applicaton user (pass-through authentication)" and not "Specific user", in the Advanced Settings.
Now give that IUSR_[identifier] the appropriate NTFS permissions on files and folders, for example: modify on companydata.
IIS_IUSRS group has prominence only if you are using ApplicationPool Identity. Even though you have this group looks empty at run time IIS adds to this group to run a worker process according to microsoft literature.
I would use specific user (and NOT Application user). Then I will enable impersonation in the application. Once you do that whatever account is set as the specific user, those credentials would used to access local resources on that server (Not for external resources).
Specific User setting is specifically meant for accessing local resources.
I've moved my codebase to a new directory and need to grant the IIS account read/write privileges on a few folders to allow access by the ASP.Net runtime. I believe NETWORKSERVICE is no longer used for this purpose (as mentioned in this earlier question:
ASP.Net which user account running Web Service on IIS 7?) but, try as I might I can't seem to be able to add the IISAppPool/IIS Worker Process the article links to.
I've found a MyDomain/IIS_WPG account but this isn't the one that is listed in Task Manager for the w3wp process. Can someone help?
UPDATE:
Even odder - the Application Pool for the website in question uses the LocalSystem identity which I thought would be able to access pretty much the entire machine. Is there something incorrect about my basic machine/Windows setup?
I am trying to modify an xml file from my aspx code. The file is in another directory from my project like in D:\folder\file.xml When publishing my code and running it I am receiving an error as not to be able to access this directory, access in denied. Which user account shall I add to this folder in security option to be able to modify it. I tried adding IIS user but it does not seem to work. Any other workaround this ?
Check which identity that's associated with the application pool, and grant that user access to the folder.
You didn't specify which version of IIS you're using, but here's a decent article on how application pools work
I solved the issue finally..
In my pc I am using Win Xp and had to grant ASP.NET machine account user appropriate rights on the file while on the server that i am finally publishing the code I am using Windows Web Server 2008 and the matching ASP.NET Machine Account was Network Service i granted the same rights here and now i can modify the file successfully.
I am using IIS 7.5 on this machine.
I think your approach Tchami has the same idea. So I am marking it as the answer :) Thank you