IIS 7 & IIS 8
Authorization Cannot verify access to path..
Last post Apr 04, 2012 02:46 AM by qbernard
Mar 03, 2011 06:08 PM
Sorry, I don't understand!? The original problem stated, and that I had, was:
"The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. ...."
Thank you for the link you gave, it confirmed to me what I think I understand about the issue, "With IIS7, we've chosen a more secure default and now load user profile by default for all application pools. Unfortunately, the temporary directory underneath the user directory (... for the default NetworkService identity we use for DefaultAppPool) is not writable by anyone other than NetworkService by default. The other less favorable workaround is to disable the loadUserProfile setting on a per-appPool basis. loadUserProfile is a boolean property on an AppPool section, and can easily be set ..."
As my issue, "IIS Manager cannot verify whether the built-in account has access" was resolved by, "7) Under 'Process Model' in the resulting dialog change 'Load User Profile' to "True"" from my previous post, I take it that I am now granting authorization to access the entire "Pool" of applications as 'Bill's IIS Blog' that you turned me on to states with, "... load user profile by default for all application pools."
I think that I now understand that MS was "saving" me from myself by setting 'Load User Profile' to "False", preventing "unauthorized" access to the application within the app pool because I added a Login function to an added protected area. MS was protecting the entire app pool, not just the designated area. Bill's IIS Blog says, "... load user profile by default for all application pools" but I found mine turned off. I turned it back on and the original error, "IIS Manager cannot verify whether the built-in account has access" went away.
I think it does answer your last post, "Still trying to relate this to the original question - authorization issue."
Mar 04, 2011 01:36 AM
Mm... the authorization error is normal when you configure a built-in account as the app pool ID; this can only be verified at runtime.
Now, when you turn it off, this will behave like IIS 6 with no 'user specific' profile loaded. Make sense?
Mar 04, 2011 01:08 PM
"... when you turn it off ..." I did not intentionally / knowingly "turn it off".
I have created ten or eleven web-based applications, most running against SQL Server 2008 databases employing 'ConnectionStrings' in the root web.config that I "Published" to my test environment IIS v7. They all ran just fine. I then ported to production on IIS v5.2. They all ran just fine.
When I set up a 'Login' scenario with some folders / files / areas restricted by 'Users' and 'Access Rules' created with the ASP.net Web Site Administration Tool and no 'ConnectionStrings' in the root web.config, I got the error, "IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path."
I found this Forum, tried several things suggested here such as hard-coding "Data Source=.\SQLEXPRESS;AttachDbFilename=..." and nothing worked for me until I followed up on the answer Manoj Gupta gave.
When I figured out which "Pool" my application was in, the one with ten applications, I found that under 'Process Model' the 'Load User Profile' was set to "False". Setting it to "True" resolved my problem. I did not have to hard-code a ConnectionString or set folders to have permissions from inheritance or any of the other remedies I had tried and then subsequently un-did because they had not worked.
None of the other nine or ten applications were affected at all by the 'Load User Profile' boolean setting as far as I can tell.
Mar 10, 2011 01:18 AM
OK, I did a quick check on my W2K8 R2 x64 machine, it looks like MS changed it again :)
Here's what I can remember: Vista - false, Vista SP1/2 - true, Win7 - true, W2K8 - true, then W2K8 R2 - false :)
I have yet to see any official doc about these changes, but this is what I remembered and tested so far. So I was wrong to say that Win7 and above are all true by default for the LoadUserProfile setting.
For your app, obviously it works with setting it to true. Still trying to figure out the relationship with your connection string :)
Jul 19, 2011 01:56 PM
Here is a good answer:
Jul 20, 2011 03:12 AM
This is not recommended - adding an admin user for any access could lead to potential risk.
You should understand the app requirement, then assign an account with the least privileges possible.
Mar 31, 2012 05:23 PM
Apr 02, 2012 06:18 AM
What IIS version are you using? R2 and Windows 8 should be able to do it via the GUI,
else use:
ICACLS welcome.png /grant "IIS AppPool\YourAppPool":WRX
Apr 02, 2012 06:48 AM
Apr 04, 2012 02:46 AM
That's just a sample syntax, you can /grant to specify directory etc... Google more for icacls.exe syntax.
For R2, you should be able to do it via Windows Explorer UI. Just type it in the "Select User or Group" field: IIS APPPOOL\YourAppPool
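
The checks discussed in this thread, collected as an added PowerShell example that is not part of any post above: it reports the pool's identity and Load User Profile setting, lists the ACL entries that identity holds on the physical path, and grants read and execute only rather than an administrative account. The pool name, the path and the $Apply switch are assumptions.

```powershell
# Added example; $PoolName, $SitePath and $Apply are assumptions, not from the thread.
Import-Module WebAdministration

$PoolName = 'YourAppPool'                # placeholder name used in the thread
$SitePath = 'C:\inetpub\wwwroot\MyApp'   # hypothetical physical path
$Apply    = $false                       # set to $true to make changes

# 1. Report the two process-model settings the thread discusses.
$pm = (Get-Item "IIS:\AppPools\$PoolName").processModel
$identityType = "$($pm.identityType)"
"Pool: $PoolName  identityType: $identityType  loadUserProfile: $($pm.loadUserProfile)"

# 2. Map the identity type to the Windows principal the worker process runs as.
#    For NetworkService or LocalSystem on a domain-joined server, a remote path
#    sees <domain>\<computer_name>$ instead, as the IIS Manager message says.
$principal = switch ($identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$PoolName" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $pm.userName }
}
"Worker process principal: $principal"

# 3. List explicit ACL entries for that principal on the physical path.
#    An empty result is not proof of "no access": rights can also come
#    from group membership (for example BUILTIN\Users or IIS_IUSRS).
(Get-Acl -Path $SitePath).Access |
    Where-Object { $_.IdentityReference.Value -ieq $principal } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

if ($Apply) {
    # 4. Read and execute only, inherited by subfolders (CI) and files (OI).
    icacls $SitePath /grant "${principal}:(OI)(CI)RX"

    # 5. Optional: the change the original poster reports made the warning go away.
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.loadUserProfile -Value $true
}
```

Run it from an elevated PowerShell prompt on the IIS server; with $Apply left at $false it only reads configuration and ACLs.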