IIS 7 & IIS 8
Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7
Last post Sep 18, 2012 05:04 PM by russmichaels
Apr 07, 2009 09:40 PM
I've read some information about the new identity model for IIS 7.5 and it seems really cool, the identity on-the-fly and SID injection is neat. But either I am doing something very stupid, or something else. My problem is I need to grant write access to the folder where the application lives for the Windows ACL, so I have my application pool named "DefaultAppPool". When I hit the application and look in task manager, I can see that the w3wp is running as "DefaultAppPool".
However, when I go to grant DefaultAppPool write access to the directory, Windows always complains it cannot find the user. I've tried:
The first one says the account doesn't exist. The second one says "The following object is not from a domain listed in the Select Location dialog box, and therefore is not valid"
Well that makes sense since I am not on a domain, and there is no domain called IIS APPPOOL.
Any hints? Thanks in advance.
Apr 08, 2009 01:07 AM
Can you use icacls to set permissions for IIS APPPOOL\DefaultAppPool?
Apr 08, 2009 01:53 AM
Yes I can, and that seemed to work just great. I suppose that is an oddity of the Beta release - you can't do that through the GUI. Why didn't I think of that!
Oct 22, 2009 11:25 AM
My coworker just got 7 installed on his Desktop the other day, and we ran into the same problem when trying to set up permissions. Either it's not an oddity of the Beta release, or we didn't take something into consideration which we should have, in which case we'd be glad to take hints as to where we are wrong.
Oct 23, 2009 07:01 PM
Oct 26, 2009 03:56 AM
It is easy to miss these necessary settings.
When you are in Select Users or Groups dialog, please make sure you select the machine name for Locations and have Built-in security principals selected for Object Types.
Only if you have the above settings can you find pool identities such as IIS APPPOOL\DefaultAppPool.
Therefore, this is not a bug.
Oct 26, 2009 02:14 PM
Your suggestion helped us a lot.
Apparently when we set the local machine name as location we didn't use the "IIS AppPool" prefix, and when we used the prefix, we forgot to set the Location.
But fortunately there is you.
Thanks a lot
Oct 27, 2009 12:03 PM
I'm running into this issue too (Windows 2008 / IIS 7.0).
I tried the suggestions above, but it doesn't work.
When using 'search' in the permissions GUI, none of the built-in IIS AppPool security principals are found.
When specifying IIS AppPool\AppPoolName it says it cannot find the user/role/principal.
It seems the folder/file Permission GUI does not support IIS AppPool built-in principals... is that correct?
I can however modify permissions using icacls.
Oct 27, 2009 03:21 PM
We have the exact same problem here. It works like a charm in Windows Server 2008 R2 / IIS 7.5, but not in 2008 SP2 / IIS 7.0.
In 2008 R2 I can use the GUI to set file acls for "IIS AppPool\<app pool name>" but in 2008 the user can't be found. I've tried on several different servers.
Location is the local computer and Built-in security principals is checked under Objects.
Oct 27, 2009 05:27 PM
This is unfortunately a limitation of the object picker on ws08/vista. As several people have already discovered, you can still manipulate the ACL for the app-pool identity using command line tools like icacls.
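
The icacls approach the replies above settle on, as an added PowerShell example (not code posted by anyone in the thread): it resolves the pool identity to its SID first, grants Modify rather than Full control, then confirms the ACE landed. The folder path is a hypothetical placeholder, and the script assumes an elevated prompt on a machine where the named pool exists.

```powershell
param(
    [string]$Path    = 'C:\inetpub\wwwroot\MyApp\App_Data',  # hypothetical folder
    [string]$AppPool = 'DefaultAppPool'
)

$account = "IIS AppPool\$AppPool"

# Resolve the virtual account to a SID before touching the ACL. This fails
# when the pool name is misspelled or the pool does not exist on this
# machine, so a typo never turns into a half-applied permission change.
try {
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
        [System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Cannot resolve '$account': $($_.Exception.Message)"
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Folder not found: $Path"
}

# Grant Modify (M), inherited by files (OI) and subfolders (CI).
# Modify covers write access without handing the pool Full control,
# and the grant is scoped to this one folder only.
& icacls.exe $Path /grant "${account}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# Verify by SID rather than by display name: read back only the explicit
# (non-inherited) ACEs and keep those that belong to the pool identity.
$acl  = Get-Acl -LiteralPath $Path
$aces = $acl.GetAccessRules($true, $false,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value }

if (-not $aces) {
    throw "No explicit ACE for $account on $Path after the grant"
}

"Pool identity $account resolves to $($sid.Value)"
$aces | Format-Table FileSystemRights, AccessControlType, InheritanceFlags -AutoSize
```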