Home > Forums > IIS 7 > IIS7 - Security > Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

Thread: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

Last post 10-27-2009 3:44 PM by remcoros. 11 replies.

Average Rating Rate It (5)Thank you for the rating!

RSS

Page 1 of 1 (12 items)

Sort Posts:

Shortcuts

Search | Active Posts | Unanswered Posts | View all users

04-07-2009, 5:40 PM

vcsjones
Joined on 04-18-2006, 8:53 PM
Falls Church, VA
Posts 38

Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

Reply Contact

I've read some information about the new identity model for IIS 7.5 and it seems really cool, the identity on-the-fly and SID injection is neat. But either I am doing something very stupid, or something else. My problem is I need to grant write access to the folder where the application lives for the Windows ACL, so I have my application pool named "DefaultAppPool". When I hit the application and look in task manager, I can see that the w3wp is running as "DefaultAppPool".

However, when I go to grant DefaultAppPool write access to the directory, Windows always complains it cannot find the user. I've tried:

DefaultAppPool
IIS APPPOOL\DefaultAppPool

The first one says the account doesn't exist. The second one says "The following object is not from a domain listed in the Select Location dialog box, and therefore is not valid"

Well that makes sense since I am not on a domain, and there is no domain called IIS APPPOOL.

Any hints? Thanks in advance.

Cheers,

Kevin Jones

My Blog

04-07-2009, 9:07 PM In reply to

lextm
Joined on 10-22-2008, 12:18 AM
Shanghai, PRC
Posts 1,433

Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

Reply Contact

Can you use icacls to set permissions for IIS APPPOOL\DefaultAppPool?

http://technet.microsoft.com/en-us/library/cc753525.aspx

Lex Li
Support Engineer at Microsoft
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.

04-07-2009, 9:53 PM In reply to

vcsjones
Joined on 04-18-2006, 8:53 PM
Falls Church, VA
Posts 38

Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

Reply Contact

Yes I can, and that seemed to work just great. I suppose that is an oddity of the Beta release - you can't do that through the GUI. Why didn't I think of that!

Thanks!

Cheers,

Kevin Jones

My Blog

10-22-2009, 7:25 AM In reply to

Khyalis
Joined on 07-28-2009, 4:44 PM
Posts 3

Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

Reply Contact

Hi.

My coworker just got 7 installed on his Desktop the other day, and we ran into the same problem when trying to set up permissions. Either it's not an oddity of the Beta release, or we didn't take something into consideration which we should have, in which case we'd be glad to take hints as to where we are wrong.

Thanks you.

10-23-2009, 3:01 PM In reply to

CoderX
Joined on 04-09-2008, 7:17 PM
Posts 1

Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

Reply Contact

Running into the same problem here: Win2k8/IIS 7.0 Can't set the ACL from the GUI, get the same "The following object is not from a domain listed in the Select Location dialog box, and is therefore not valid:" error. Bug?

10-25-2009, 11:56 PM In reply to

lextm
Joined on 10-22-2008, 12:18 AM
Shanghai, PRC
Posts 1,433

Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

Reply Contact

It is easy to miss these necessary settings.

When you are in Select Users or Groups dialog, please make sure you select the machine name for Locations and have Built-in security principals selected for Object Types.

Only if you have the above settings you can find pool identities such as IIS APPPOOL\DefaultAppPool

Therefore, this is not a bug.

Regards,

Lex Li
Support Engineer at Microsoft
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.

10-26-2009, 10:14 AM In reply to

Khyalis
Joined on 07-28-2009, 4:44 PM
Posts 3

Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

Reply Contact

Hello.

Your suggestion helped us a lot.

Apparently when we set the local machine name as location we didn't use the "IIS AppPool" prefix, and when we used the prefix, we forgot to set the Location.

But fortunately there is you.

Thanks a lot

10-27-2009, 8:03 AM In reply to

remcoros
Joined on 03-05-2008, 3:00 PM
Netherlands
Posts 2

Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

Reply Contact

I'm running into this issue too (Windows 2008 / IIS 7.0).

I tried the suggestions above, but it doesn't work.

When using 'search' in the permissions GUI, none of the built-in IIS AppPool security principles are found.

When specifing IIS AppPool\AppPoolName it says it cannot find the user/role/principle.

It seems the folder/file Permission GUI does not support IIS AppPool built-in principles... is that correct?

I can however modify permissions using isacls.

10-27-2009, 11:21 AM In reply to

blackburn_
Joined on 10-27-2009, 3:17 PM
Posts 3

Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

Reply Contact

We have the exact same problem here. It works like a charm in Windows Server 2008 R2 / IIS 7.5, but not in 2008 SP2 / IIS 7.0.

In 2008 R2 I can use the GUI to set file acls for "IIS AppPool\<app pool name>" but in 2008 the user can't be found. I've tried on several different servers.

Location is the local computer and Built-in security principals is checked under Objects.

10-27-2009, 1:27 PM In reply to

anilr
Joined on 05-23-2006, 10:13 PM
Redmond, WA
Posts 2,343

Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

Reply Contact

This is unfortunately a limitation of the object picker on ws08/vista - as several people have discovered it already, you can still manipulate the ACL for the app-pool identity using command line tools like icacls.

Anil Ruia
Senior Software Design Engineer
IIS Core Server