Give Read/Write permissions for the IIS_IUSRS group to the folder (permissions will inherit down to all folders).
You have to start the application pool at least once in order for the IIS AppPool\<YourAppPoolName> identity to be available for either object picker or icacls.
It should be as easy as adding a new login 'IIS AppPool\ASP.NET v4.0' in SQL Server Management Studio or using some script like:
CREATE LOGIN [IIS AppPool\ASP.NET v4.0] FROM WINDOWS
I am running Windows Server 2008 R2 Standard. I was unable to give DefaultAppPool permissions to an .mdb file using the GUI. I was able to do it with icacls. However, the web application still could not write to the database. I tried using the IIS_IUSRS group as well, but writing to the database was still denied. Finally, I gave the IUSR account modify permissions and it worked. Any ideas why I'm having to do this and how I can make my installation of IIS 7 work the recommended way?
Khyalis
4 Posts
Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7
Oct 27, 2009 05:33 PM
I just retried with Vista SP2 / IIS7.0, and what recently worked well with Windows 7 / IIS7.5 just wouldn't.
Edit: Oh noez, starting a reply and leaving it sitting around for extensive periods of time will lead into obsoleteness. :-)
RemcoRos
2 Posts
Oct 27, 2009 07:44 PM
The nice thing is I learned to use icacls now :)
Sweeperq
7 Posts
Jan 14, 2010 06:04 AM
I am using Windows 7 and set up the permissions for "IIS AppPool\DefaultAppPool" to have "Full Control" over my web app. I still keep getting FileIOPermission errors. When I switched the App Pool to use Network Services everything worked like a charm.
Any thoughts on why a web app running in Full Trust with Full Control granted for the DefaultAppPool would still be throwing FileIOPermission errors?
Note: I have tried setting the permissions with both the GUI and the icacls command. In both, full control was granted. Keep getting the following error when I do not use Network Services:
System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
deko
3 Posts
Apr 11, 2010 06:23 PM
I found this thread after experiencing the same ApplicationPoolIdentity authentication problems described by the original poster (IIS 7.5 on Windows 7). Someone called it "a limitation of the object picker" which sounds like a nice way of saying the Windows/IIS team let this out the door half-baked. I was just about to use the "Network Service" identity instead but will give icacls a try and see if I can get the ApplicationPoolIdentity to work...
jgovednik
9 Posts
May 10, 2010 05:57 PM
I just found an easy solution to this problem that does not involve using the NetworkService as the account to run the AppPool.
I have applied this solution to my 2008R2 using IIS7.5 (using IIS6Compatibility mode and the local SMTP server Feature installed and all ASP AppPools running in 32bit mode); I have not tested this outside of that environment, so your mileage may vary.
Let me preface by saying, this issue didn't happen when the AppPool was running as NetworkService, only when using ApplicationPoolIdentity. The reason for this is explained below.
In 2008/IIS7+ the ApplicationPoolIdentity accounts are hidden accounts that have dynamically assigned SIDs (created and assigned when the ApplicationPool is started). But the accounts live as (hidden) users under the IIS_IUSRS group on the local machine (this makes giving them permissions to the AppPools pretty easy, since you can use the normal GUI interface for perms or use scripts while specifying the local user group).
Hope this helps all the other people who found this thread.
danielLo
1 Post
Jun 04, 2010 08:17 AM
More importantly:
Using the IIS_IUSRS group for permissions defeats the whole purpose of the Application Pool identities. The identities are for separation of different applications. You can permission one application on database Xyz, and other IIS application won't have access to it. I think this is an important point to make. If you use the group as a hack, ANY application will have access to the resource (either a db or file system artifacts), because any member of the group (each application pool identity) will be permissioned
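The isolation point in the post above, as an added example that is not code from any poster in this thread: it confirms the pool's virtual account resolves, grants Modify to that single identity with icacls, then lists any write access held by the shared IIS_IUSRS group. `$AppPool` and `$AppRoot` are assumed values for illustration.

```powershell
# Added example. $AppPool and $AppRoot are assumed values; adjust to your site.
$AppPool  = 'DefaultAppPool'
$AppRoot  = 'C:\inetpub\wwwroot\MyApp'   # hypothetical application folder
$Identity = "IIS AppPool\$AppPool"

# 1. The virtual account resolves only after the pool has been started once.
try {
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    Write-Host "$Identity resolves to $sid"
} catch {
    throw "$Identity does not resolve; start the application pool once and retry."
}

# 2. Grant Modify to this one pool identity, inherited by files and subfolders.
& icacls $AppRoot /grant "${Identity}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 3. Audit: find Allow entries that let the shared IIS_IUSRS group write.
#    Checks the WriteData/AppendData bits; generic-rights ACEs are not decoded.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [int][System.Security.AccessControl.FileSystemRights]::AppendData
$folders = @(Get-Item $AppRoot) +
           @(Get-ChildItem $AppRoot -Recurse | Where-Object { $_.PSIsContainer })

$shared = foreach ($folder in $folders) {
    $path = $folder.FullName
    (Get-Acl $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\IIS_IUSRS' -and
        (([int]$_.FileSystemRights -band $writeBits) -ne 0)
    } | Select-Object @{ n = 'Path'; e = { $path } }, FileSystemRights, IsInherited
}

if ($shared) {
    Write-Warning 'IIS_IUSRS can write here, so every application pool can:'
    $shared | Format-Table -AutoSize
} else {
    Write-Host "No write access for IIS_IUSRS under $AppRoot"
}
```

Run it from an elevated prompt on the IIS machine; an entry reported with `IsInherited` set to True has to be fixed on the parent folder it comes from.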
pyousefi
1 Post
Jun 16, 2010 08:53 PM
What if it's SQL Server that isn't giving you access?
I'm getting this error: System.Data.EntityException: The underlying provider failed on Open. ---> System.Data.SqlClient.SqlException: Login failed for user 'IIS APPPOOL\ASP.NET v4.0'.
Khyalis
4 Posts
Jun 17, 2010 07:50 AM
CREATE LOGIN [IIS AppPool\ASP.NET v4.0] FROM WINDOWS
(Edit: Maybe you also want to give that user appropriate permissions on the databases / database-objects he's supposed to interact with.)
(Edit2: This was under the assumption, that the SQL Server is on the same machine as IIS. Which, thinking about it, is a quite unreasonable assumption in general. If SQL Server and IIS are running on different machines, I'd think you would have to use some account which is known to both of them, and not local to the IIS-machine.)
lextm
4503 Posts
Jun 17, 2010 01:24 PM
It is highly not recommended to grant application pool identity permissions on database.
MSDN has two approaches listed for ASP.NET beginners,
http://msdn.microsoft.com/en-us/library/ms998300.aspx
http://msdn.microsoft.com/en-us/library/ms998292.aspx
Regards,
http://lextm.com
ewookie
1 Post
Sep 29, 2010 08:04 PM