I have two apps pools they both are .Net 4.0 app pools. If I switch my application to the second app pool then my application is able to connect to the network drive, If I switch the application to the first app pool I can't connect to the network drive from my application.
We created both these app pools about a month ago but we don't remember what did we do that cause the second app pool to work or the first app pool to break.
I also tried to create a new app pool and switch the application to this one and the application still can't connect the network drive. So, that means that by default an app pool doesn't have access to network drive, which is how it should be.
What can I do so that my first app pool has access to network drive.
Note:- Giving permission to app pool to access the network drive is not an option. We only have read access to the network drive.
We actually found a temporary solution (might be the only one). We changed the app pool's identity to be the server user. Since the server user had access to network drive, the app pool and applications under it has the same access as the server user.
It might have some security flaws, but we are running intranet applications, so it might be ok.
Related
I have a requirement to create and save file from web application hosted in Azure App Service (ASE, Linux) to Network share on-premise. Network share already exists and is being written to by applications which I don't have control over. App Service is blocking ports so I can't write to network share directly. Assuming Azure to On premise connection is configured correctly what options do I have?
I have application that is hosted on Windows Server 2008 R2. Application is running under IIS Application Pool Identity. When i try to import some xml file through application to network shared folder (which is on windows server 2003) i have a message "Acces is denied to....".
I know i can fix this by having same user on both machines, and running application pool with that user instead of Application Pool Identity, but that's not ok for me :(
I also gave all sorts of permisions to all sorts of users (IIS_USRS IIS AppPool*Application Pool Name*, etc..) but nothing helped.
MY QUESTION :
Is it possible to write in network shared folder (on windows server 2003 without IIS - file server) through application which is running unser IIS Application Pool Identity ?
THANKS IN ADVANCE !!!!
When using the built-in application pool identity, any calls across the network are made using the computer account. You should be able to assign the computer account rights to the network share and NTFS to accomplish this.
I just read something that said it's much better to use integrated security here on SO, so I've switched all my connection strings over.
The error I get is "Login failed for user 'IIS APPPOOL\DefaultAppPool'."
Before I go ahead and grant this user permission, I wanted to ensure that it was the correct thing to do and I wasn't inadvertently opening the floodgates of hacker hell.
Should I grant this app pool permission to access my SQL or should I create a new app pool?
I'm writing WCF services in .NET 4.5
Do you have other sites or services on the server that use this app pool and could potentially provide a security risk for database access? If yes, create a new app pool. Do you have another site that might cause the app pool process to crash, or might have a memory leak (thus affecting other sites in the same app pool)? If yes, create a new app pool.
Other than slightly more memory usage, app pool isolation really doesn't have any serious downsides. Microsoft "generally" recommends it (although this article is about SharePoint setup, the app pool / database access concept is the same):
You need to establish which Application Pool in IIS is going to be used by the IIS Web Site. Application Pools in IIS access resources on behalf of the Web Site using an account identity that you specify. This Application Pool will be used by the web application to access its content database. Generally, you’ll want to create a new one to keep it separate from the existing Application Pools.
See this thread for some additional discussion of the pros and cons of separate app pools per site.
I was recently cleaning up my file system and observed that there were few users, which I never created directly, in the c:\users* directory. This is supposed to have all those users which was created/logged in on local machines. I observed that these usernames are same as the name of Application Pools I have created in the IIS.
To confirm I created a new Application Pool in IIS and then observed this directory. Still it was not there. Later I created a new web site, assigned this application pool and accessed that website from browser, and then I see a new user profile with the name of the new application pool.
Question is - Why does it create a user profile for every IIS Application Pool? Is it absolutely necessary to have, and can it be configured for not creating? Will there be any downside? I do not remember to have seen this in earlier IIS i.e. 6.0.
My environment - Windows 7 64 Bit, IIS 7.5
I tried to google, but most links tell me how to configure User/Identity with app pool and stuff, but nothing specific about these questions.
This behaviour is because of the new security model starting with IIS 7.
Application Pool Identities started with IIS 7
Application Pool Identities allow you to run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool.
- Application Pool Identities (2009)
The main reason is security, each application pool is isolated from each other.
LoadUserProfile=true Creates the User Profile Folder
From experimenting on my machine I believe this setting is responsible for the folders being created.
Having LoadUserProfile set to true means that IIS will load the user profile for the application pool identity. This happens when the application is actually spun up, you can test this by creating a new app pool and if the setting is false, no new folders should be created under C:\Users when you hit the web site for the first time.
- IIS Documentation
According to the documentation LoadUserProfile should be false by default, although I have noticed that on Win 7 machines it might be set to true instead. You can change this default via the IIS gui:
Everything I've found via search on this talks about Read/Write for local drives only (typically C) and what I am having trouble with is getting the same Read/Write access for an application pool to a non-local drive, specifically a share on the file server.
We've set the Application pool to run the anonymous user under a domain account that we have explicitly verified has full control of the file share and yet the web app that use the application pool is unable to access this non-local share. It can however access a local copy of the shared folder if we copy the folder from the file server to the local drive.
This is a third party app and we'eve followed all the instructions from the vendor and so far this is unresolved. Their support is looking at this but I don't believe they have any idea on what's wrong. This same web app works fine with the same file server share when the web app is running under IIS6 on another sever so its something with IIS7.5. I figure its got to be something particular to IIS7.5 that is not in IIS6 that is the key.
Ideas?
FYI - The application pool is already set to classic mode.
I think that you will have to see the permission that you have. In iss7.5 you have the aplication pool running with an account, It can be a ApplicationpoolIdnetity, or a real one. if you want to access the share the application pool identity has to have rights to do so, or you can impersonate a user and then use the permission that user has to copy to the shared folder, i prefere to use the impersonate, only when is necessary i do the impersonate and do whatever i most do.