I've read some information about the new identity model for IIS 7.5 and it seems really cool, the identity on-the-fly and SID injection is neat. But either I am doing something very stupid, or something else. My problem is I need to grant write access to
the folder where the application lives for the Windows ACL, so I have my application pool named "DefaultAppPool". When I hit the application and look in task manager, I can see that the w3wp is running as "DefaultAppPool".
However, when I go to grant DefaultAppPool write access to the directory, Windows always complains it cannot find the user. I've tried:
The first one says the account doesn't exist. The second one says "The following object is not from a domain listed in the Select Location dialog box, and therefore is not valid"
Well that makes sense since I am not on a domain, and there is no domain called IIS APPPOOL.
Yes I can, and that seemed to work just great. I suppose that is an oddity of the Beta release - you can't do that through the GUI. Why didn't I think of that!
My coworker just got 7 installed on his Desktop the other day, and we ran into the same problem when trying to set up permissions. Either it's not an oddity of the Beta release, or we didn't take something into consideration which we should have, in which
case we'd be glad to take hints as to where we are wrong.
Running into the same problem here: Win2k8/IIS 7.0 Can't set the ACL from the GUI, get the same "The following object is not from a domain listed in the Select Location dialog box, and is therefore not valid:" error. Bug?
When you are in Select Users or Groups dialog, please make sure you select the machine name for Locations and have Built-in security principals selected for Object Types.
Only if you have the above settings you can find pool identities such as IIS APPPOOL\DefaultAppPool
Therefore, this is not a bug.
Regards,
Lex Li
http://lextm.com
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Apparently when we set the local machine name as location we didn't use the "IIS AppPool" prefix, and when we used the prefix, we forgot to set the Location.
We have the exact same problem here. It works like a charm in Windows Server 2008 R2 / IIS 7.5, but not in 2008 SP2 / IIS 7.0.
In 2008 R2 I can use the GUI to set file acls for "IIS AppPool\<app pool name>" but in 2008 the user can't be found. I've tried on several different servers.
Location is the local computer and Built-in security principals is checked under Objects.
This is unfortunately a limitation of the object picker on ws08/vista - as several people have discovered it already, you can still manipulate the ACL for the app-pool identity using command line tools like icacls.
Anil Ruia
Software Design Engineer
IIS Core Server
vcsjones
38 Posts
Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7
Apr 07, 2009 09:40 PM|LINK
I've read some information about the new identity model for IIS 7.5 and it seems really cool, the identity on-the-fly and SID injection is neat. But either I am doing something very stupid, or something else. My problem is I need to grant write access to the folder where the application lives for the Windows ACL, so I have my application pool named "DefaultAppPool". When I hit the application and look in task manager, I can see that the w3wp is running as "DefaultAppPool".
However, when I go to grant DefaultAppPool write access to the directory, Windows always complains it cannot find the user. I've tried:
The first one says the account doesn't exist. The second one says "The following object is not from a domain listed in the Select Location dialog box, and therefore is not valid"
Well that makes sense since I am not on a domain, and there is no domain called IIS APPPOOL.
Any hints? Thanks in advance.
lextm
4490 Posts
Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7
Apr 08, 2009 01:07 AM|LINK
Can you use icacls to set permissions for IIS APPPOOL\DefaultAppPool?
http://technet.microsoft.com/en-us/library/cc753525.aspx
http://lextm.com
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
vcsjones
38 Posts
Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7
Apr 08, 2009 01:53 AM|LINK
Yes I can, and that seemed to work just great. I suppose that is an oddity of the Beta release - you can't do that through the GUI. Why didn't I think of that!
Thanks!
Khyalis
4 Posts
Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7
Oct 22, 2009 11:25 AM|LINK
Hi.
My coworker just got 7 installed on his Desktop the other day, and we ran into the same problem when trying to set up permissions. Either it's not an oddity of the Beta release, or we didn't take something into consideration which we should have, in which case we'd be glad to take hints as to where we are wrong.
Thanks you.
CoderX
1 Post
Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7
Oct 23, 2009 07:01 PM|LINK
lextm
4490 Posts
Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7
Oct 26, 2009 03:56 AM|LINK
It is easy to miss these necessary settings.
When you are in Select Users or Groups dialog, please make sure you select the machine name for Locations and have Built-in security principals selected for Object Types.
Only if you have the above settings you can find pool identities such as IIS APPPOOL\DefaultAppPool
Therefore, this is not a bug.
Regards,
http://lextm.com
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Khyalis
4 Posts
Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7
Oct 26, 2009 02:14 PM|LINK
Hello.
Your suggestion helped us a lot.
Apparently when we set the local machine name as location we didn't use the "IIS AppPool" prefix, and when we used the prefix, we forgot to set the Location.
But fortunately there is you.
Thanks a lot
RemcoRos
2 Posts
Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7
Oct 27, 2009 12:03 PM|LINK
I'm running into this issue too (Windows 2008 / IIS 7.0).
I tried the suggestions above, but it doesn't work.
When using 'search' in the permissions GUI, none of the built-in IIS AppPool security principles are found.
When specifing IIS AppPool\AppPoolName it says it cannot find the user/role/principle.
It seems the folder/file Permission GUI does not support IIS AppPool built-in principles... is that correct?
I can however modify permissions using isacls.
blackburn_
4 Posts
Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7
Oct 27, 2009 03:21 PM|LINK
We have the exact same problem here. It works like a charm in Windows Server 2008 R2 / IIS 7.5, but not in 2008 SP2 / IIS 7.0.
In 2008 R2 I can use the GUI to set file acls for "IIS AppPool\<app pool name>" but in 2008 the user can't be found. I've tried on several different servers.
Location is the local computer and Built-in security principals is checked under Objects.
anilr
2343 Posts
Microsoft
Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7
Oct 27, 2009 05:27 PM|LINK
This is unfortunately a limitation of the object picker on ws08/vista - as several people have discovered it already, you can still manipulate the ACL for the app-pool identity using command line tools like icacls.
Software Design Engineer
IIS Core Server