IIS 7 and Above
Authorization Cannot verify access to path..
Last post Apr 03, 2012 10:46 PM by qbernard
May 07, 2008 04:07 AM|ruzhyn|LINK
Microsoft FTP Publishing Service for IIS 7.0
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access
to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. ....
Authorization Cannot verify access to path
May 07, 2008 08:21 AMemail@example.com|LINK
You don't tell us, but I assume you're asking how to solve the error that displays that message, correct? I assume you didn't do anything the message told you to, otherwise you would have told us, correct?
Your next course of action is to follow every suggestion in the message and tell us the results.
Jun 05, 2008 02:48 PM|xotj123|LINK
Where do I, "Make sure that the application pool identity has Read access to the physical path?"
I am new to IIS7 and any help would be appreciated.
Dec 16, 2008 12:06 PM|malcolmxu|LINK
Hi guys, I have same problem, any helps please?
Dec 20, 2008 06:12 PM|Manoj Gupta|LINK
Jan 12, 2009 08:43 AM|qbernard|LINK
Hi guys, I have same problem, any helps please?
Can you start a new thread and provide details of your setup with error msgs you getting?
Nov 18, 2010 11:16 PM|ADO_kg|LINK
Nov 22, 2010 09:46 PM|qbernard|LINK
Mar 02, 2011 03:33 PM|tagtech|LINK
"Hi, I am not an expert with IIS 7.0 ..." me too neither, but after two days using a sledgehammer against IIS V7.5.7600.16385 's "... Greek error message ..." & generally unintelligible / uninformative IBM- / MS- Speak --- I agree with the answer Manoj
Gupta gave. I'd word it differently:
1) Open IIS Manager (C:\Windows\System32\inetsrv\InetMgr.exe)
2) Expand the IIS Instance under the 'Connections' column (for me, there was only one instance)
3) Choose the 'Application Pools' selection
4) Identify the application's "Pool" (for me, there were four Pools: ASP.NET v4.0 had zero applications; ASP.NET v4.0 Classic had one application; Classic.NET AppPool had zero applications; DefaultAppPool had ten applications) by selecting whichever
"Pool" looks promising ... I chose the one with ten apps in it
5) Confirm that your application is in that "Pool" by choosing the 'View Applications' selection in the 'Actions' column or by right-mouse click
6) Go back to step 4) and choose the 'Advanced Settings...' selection in the 'Actions' column or by right-mouse click
7) Under 'Process Model' in the resulting dialog change 'Load User Profile' to "True"
8) Read the unintelligible / uninformative IBM- / MS- Speak explanation box at the bottom of the dialog box for a laugh, "When ... true, IIS loads ... Set ... false If required to be IIS 6 behavior ..."
Of course, by setting the 'Load User Profile' to "True", I made that setting for all ten applications, but I don't really know why I'd want the "... IIS 6 behavior ..." Mayhap someone who IS an "expert" can inform us all why we'd like the "... IIS 6 behavior
..." - without the unintelligible / uninformative IBM- / MS- Speak explanation, please.
Mar 02, 2011 11:19 PM|qbernard|LINK
Still trying to related this to the origina question - authorization issue.
and AFAIK, in Win7 IIS 7+ the default value is true, so are you setting it to false or true?
This is one of the security changes in Win7 above, I remembered it was false in Vista and changed to true in sp1/2. In IIS 6 regardless of what identity you use, it never load the identity user profile and with this all share the same default environment
variables such as %temp% etc. If set to true, these variables will be different.. you can google more.
Mar 03, 2011 02:08 PM|tagtech|LINK
Sorry, I don't understand.!? The original problem stated, and that I had, was:
"The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read
access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. ...."
Thank you for the link you gave, it confirmed to me what I think I understand about the issue, "With IIS7, we've chosen a more secure default and now load user profile by default for all application pools. Unfortunately, the temporary directory underneath
the user directory (... for the default NetworkService identity we use for DefaultAppPool) is not writable by anyone other than NetworkService by default. The other less favorable workaround is to disable the loadUserProfile setting on a per-appPool basis.
loadUserProfile is a boolean property on an AppPool section, and can easily be set ..."
As my issue, " IIS Manager cannot verify whether the built-in account has access" was resolved by, "7) Under 'Process Model' in the resulting dialog change 'Load User Profile' to "True"" from my previous post, I take it that I am now granting authorization
to access the entire "Pool" of applications as 'BillS IIS Blog' that you turned me on to states with, "... load user profile by default
for all application pools."
I think that I now understand that MS was "saving" me from myself by setting 'Load User Profile' to "False", preventing "unauthorized" access to the application within the app pool because I added a Login function to an added protected area. MS was protecting
the entire app pool, not just the designated area. Bill's IIS Blog says, "... load user profile by default for all application pools" but I found mine turned off. I turned it back on and the original error, " IIS Manager cannot verify whether the built-in
account has access" went away.
I think it does answer your last post, "Still trying to related this to the origina question - authorization issue."
Mar 03, 2011 09:36 PM|qbernard|LINK
Mm.... the authorization error is normal when you configured built-in acc as the app pool id, this can only be verified during runtime.
Now, when you turn it off, this will behave like IIS 6 with no 'user specific' profile loaded. make sense?
Mar 04, 2011 09:08 AM|tagtech|LINK
"... when you turn it off ..." I did not intentionally / knowingly "turn it off".
I have created ten or eleven web-based applications, most running against SQL Server 2008 databases employing 'ConnectionStrings' in the root web.config that I "Published" to my test environment IIS v7. They all ran just fine. I then ported to production
on IIS v5.2. They all ran just fine.
When I set up a 'Login' scenario with some folders / files / areas restricted by 'Users' and 'Access Rules' created with the ASP.net Web Site Administration Tool and no 'ConnectionStrings' in the root web.config, I got the error, "IIS Manager cannot verify
whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path."
I found this Forum, tried several things suggested here such as hard-coding "Data Source=.\SQLEXPRESS;AttachDbFilename=..." and nothing worked for me until I followed up on the answer Manoj Gupta gave.
When I figured out which "Pool" my application was in, the one with ten applications, I found that under 'Process Model' the 'Load User Profile' was set to "False". Setting it to "True" resolved my problem. I did not have to hard-code a ConnectionString
or set folders to have permissions from inheritance or any of the other remedies I had tried and then subsequently un-did because they had not worked.
None of the other nine or ten applications were affected at all by the 'Load User Profile' boole setting as far as I can tell.
Mar 09, 2011 09:18 PM|qbernard|LINK
Ok, I did a quick check on my w2k8 r2 x64 machine, it looks like MS change it again :)
here's what I can remembered vista - false, vista sp1/2 - true, win7 - true, w2k8 true, then w2k8 r2 - false :)
I have yet to see any offical doc about these changes, but this is what I remembered and tested so far. so I was wrong to say that win7 above all true by default for the LoadUserProfile setting.
For your app, obviously it works with setting it to true. Still trying to figureout the relationship with your connectinonstring :)
Jul 19, 2011 09:56 AM|rpgivpgmr2|LINK
Here is a good answer:
Jul 19, 2011 11:12 PM|qbernard|LINK
This is not recommended - adding admin user for any access could lead to potential risk.
You should understand the app requirement then assign account with the least privileges possible.
Mar 31, 2012 01:23 PM|vincentwansink|LINK
Apr 02, 2012 02:18 AM|qbernard|LINK
what IIS version you using? R2 and windows 8 should be able to do it via GUI,
else use - -> ICACLS welcome.png /grant "IIS AppPool\YourAppPool":WRX
Apr 02, 2012 02:48 AM|vincentwansink|LINK
Apr 03, 2012 10:46 PM|qbernard|LINK
That's just a sample syntax, you can /grant to specify directory etc... Google more for icacls.exe syntax.
For R2, you should be able to do it via Windows Explorer UI. Just type it in the "Select User or Group" field.. IIS APPPOOL\YourAppPool