Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7 [Answered]

34 replies

Last post Sep 18, 2012 01:04 PM by russmichaels

  • Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Apr 07, 2009 05:40 PM|vcsjones|LINK

    I've read some information about the new identity model for IIS 7.5 and it seems really cool, the identity on-the-fly and SID injection is neat. But either I am doing something very stupid, or something else. My problem is I need to grant write access to the folder where the application lives for the Windows ACL, so I have my application pool named "DefaultAppPool". When I hit the application and look in task manager, I can see that the w3wp is running as "DefaultAppPool".

    However, when I go to grant DefaultAppPool write access to the directory, Windows always complains it cannot find the user. I've tried:

    • DefaultAppPool
    • IIS APPPOOL\DefaultAppPool

    The first one says the account doesn't exist. The second one says "The following object is not from a domain listed in the Select Location dialog box, and therefore is not valid"

    Well that makes sense since I am not on a domain, and there is no domain called IIS APPPOOL.

    Any hints? Thanks in advance.


  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Apr 07, 2009 09:07 PM|lextm|LINK

    Can you use icacls to set permissions for IIS APPPOOL\DefaultAppPool?

    http://technet.microsoft.com/en-us/library/cc753525.aspx

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Apr 07, 2009 09:53 PM|vcsjones|LINK

     Yes I can, and that seemed to work just great. I suppose that is an oddity of the Beta release - you can't do that through the GUI. Why didn't I think of that!

     Thanks!


  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Oct 22, 2009 07:25 AM|Khyalis|LINK

    Hi. 

    My coworker just got 7 installed on his Desktop the other day, and we ran into the same problem when trying to set up permissions. Either it's not an oddity of the Beta release, or we didn't take something into consideration which we should have, in which case we'd be glad to take hints as to where we are wrong.

    Thank you.

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Oct 23, 2009 03:01 PM|CoderX|LINK

    Running into the same problem here: Win2k8/IIS 7.0 Can't set the ACL from the GUI, get the same "The following object is not from a domain listed in the Select Location dialog box, and is therefore not valid:" error. Bug?
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Oct 25, 2009 11:56 PM|lextm|LINK

    It is easy to miss these necessary settings.

    When you are in Select Users or Groups dialog, please make sure you select the machine name for Locations and have Built-in security principals selected for Object Types.

    Only with the above settings can you find pool identities such as IIS APPPOOL\DefaultAppPool.

    Therefore, this is not a bug.

    Regards,

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Oct 26, 2009 10:14 AM|Khyalis|LINK

    Hello. 

    Your suggestion helped us a lot.

    Apparently when we set the local machine name as location we didn't use the "IIS AppPool" prefix, and when we used the prefix, we forgot to set the Location.

    But fortunately there is you.

    Thanks a lot

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Oct 27, 2009 08:03 AM|RemcoRos|LINK

     I'm running into this issue too (Windows 2008 / IIS 7.0).

    I tried the suggestions above, but it doesn't work.

    When using 'search' in the permissions GUI, none of the built-in IIS AppPool security principals are found.

    When specifying IIS AppPool\AppPoolName it says it cannot find the user/role/principal.

    It seems the folder/file Permission GUI does not support IIS AppPool built-in principals... is that correct?

    I can however modify permissions using icacls.

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Oct 27, 2009 11:21 AM|blackburn_|LINK

    We have the exact same problem here. It works like a charm in Windows Server 2008 R2 / IIS 7.5, but not in 2008 SP2 / IIS 7.0.

    In 2008 R2 I can use the GUI to set file acls for "IIS AppPool\<app pool name>" but in 2008 the user can't be found. I've tried on several different servers.

    Location is the local computer and Built-in security principals is checked under Objects.

     

     

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Oct 27, 2009 01:27 PM|anilr|LINK

    This is unfortunately a limitation of the object picker on ws08/vista - as several people have discovered it already, you can still manipulate the ACL for the app-pool identity using command line tools like icacls.

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Oct 27, 2009 01:33 PM|Khyalis|LINK

    I just retried with Vista SP2 / IIS7.0, and what recently worked well with Windows 7 / IIS7.5 just wouldn't.

    Edit: Oh noez, starting a reply and leaving it sitting around for extensive periods of time will lead into obsoleteness.  :-)

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Oct 27, 2009 03:44 PM|RemcoRos|LINK

    The nice thing is I learned to use icacls now :)

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Jan 14, 2010 02:04 AM|Sweeperq|LINK

    I am using Windows 7 and set up the permissions for "IIS AppPool\DefaultAppPool" to have "Full Control" over my web app.  I still keep getting FileIOPermission errors.  When I switched the App Pool to use Network Services everything worked like a charm.

    Any thoughts on why a web app running in Full Trust with Full Control granted for the DefaultAppPool would still be throwing FileIOPermission errors?

    Note: I have tried setting the permissions with both the GUI and the icacls command. In both, full control was granted. Keep getting the following error when I do not use Network Services:

    System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

    When your question has been sufficiently answered, please be sure to mark your question as answered. Also, please share your solution if you had to figure it out on your own!
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Apr 11, 2010 02:23 PM|deko|LINK

    I found this thread after experiencing the same ApplicationPoolIdentity authentication problems described by the original poster (IIS 7.5 on Windows 7).  Someone called it "a limitation of the object picker" which sounds like a nice way of saying the Windows/IIS team let this out the door half-baked. I was just about to use the "Network Service" identity instead but will give icacls a try and see if I can get the ApplicationPoolIdentity to work...

    Authentication ApplicationPoolIdentity

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    May 10, 2010 01:57 PM|jgovednik|LINK

    I just found an easy solution to this problem that does not involve using the NetworkService as the account to run the AppPool.

    I have applied this solution to my 2008R2 using IIS7.5 (using IIS6Compatibility mode and the local SMTP server Feature installed and all ASP AppPools running in 32bit mode); I have not tested this outside of that environment, so your mileage may vary.

    Let me preface by saying, this issue didn't happen when the AppPool was running as NetworkService, only when using ApplicationPoolIdentity. The reason for this is explained below.

     

    In 2008/IIS7+ the ApplicationPoolIdentity accounts are hidden accounts that have dynamically assigned SID's (created and assigned when the ApplicationPool is started). But the accounts live as (hidden) users under the IIS_IUSRS group on the local machine (this makes giving them permissions to the AppPools pretty easy, since you can use the normal GUI interface for perms or use scripts while specifying the local user group).

    • Give Read/Write permissions for the IIS_IUSRS group to the folder (permissions will inherit down to all folders).

    Hope this helps all the other people who found this thread.

    Application Pool Identity IIS 7

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Jun 04, 2010 04:17 AM|danielLo|LINK

    You have to start the application pool at least once in order for the IIS AppPool\<YourAppPoolName> identity to be available for either object picker or icacls.

    More importantly:
    Using the IIS_IUSRS group for permissions defeats the whole purpose of the Application Pool identities. The identities are for separation of different applications. You can permission one application on database Xyz, and other IIS application won't have access to it. I think this is an important point to make. If you use the group as a hack, ANY application will have access to the resource (either a db or file system artifacts), because any member of the group (each application pool identity) will be permissioned
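
The approach discussed in this thread, as an added example that is not part of any post: resolve the pool's virtual account (which fails until the pool exists, as noted above), grant Modify to that one identity with icacls, then list every write-capable ACE on the folder and flag a grant to IIS_IUSRS. The pool name and folder path are constructed values.

```powershell
# Added example (not from the thread). $Pool and $Path are constructed values.
param(
    [string]$Pool = 'DefaultAppPool',
    [string]$Path = 'C:\inetpub\wwwroot\MyApp\App_Data'
)

$account = "IIS AppPool\$Pool"

# The virtual account resolves only after the pool has been created/started.
try {
    $nt  = New-Object System.Security.Principal.NTAccount($account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Cannot resolve '$account'; create and start the pool first."
}
Write-Host "$account -> $($sid.Value)"

# Grant Modify to this one pool only, inherited by subfolders (CI) and files (OI).
& icacls.exe $Path /grant "${account}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls exited with code $LASTEXITCODE" }

# List every Allow ACE that includes write access, so a broad grant such as
# BUILTIN\IIS_IUSRS (shared by all application pools) is visible at a glance.
$writeData = 2   # numeric value of FileSystemRights.WriteData
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (([int]$_.FileSystemRights) -band $writeData) -ne 0 } |
    ForEach-Object {
        [pscustomobject]@{
            Identity         = $_.IdentityReference.Value
            Rights           = $_.FileSystemRights
            Inherited        = $_.IsInherited
            SharedByAllPools = ($_.IdentityReference.Value -eq 'BUILTIN\IIS_IUSRS')
        }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt; a row with SharedByAllPools set to True means every application pool on the machine can write to the folder, not only the one named in $Pool.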
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Jun 16, 2010 04:53 PM|pyousefi|LINK

     What if it's SQL server that isn't giving you access?

    I'm getting this error:  System.Data.EntityException: The underlying provider failed on Open. ---> System.Data.SqlClient.SqlException: Login failed for user 'IIS APPPOOL\ASP.NET v4.0'.

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Jun 17, 2010 03:50 AM|Khyalis|LINK

    It should be as easy as adding a new login 'IIS AppPool\ASP.NET v4.0' in SQL Server Management Studio or using some script like

    CREATE LOGIN [IIS AppPool\ASP.NET v4.0] FROM WINDOWS

    (Edit: Maybe you also want to give that user appropriate permissions on the databases / database-objects he's supposed to interact with.)

    (Edit2: This was under the assumption, that the SQL Server is on the same machine as IIS. Which, thinking about it, is a quite unreasonable assumption in general. If SQL Server and IIS are running on different machines, I'd think you would have to use some account which is known to both of them, and not local to the IIS-machine.)

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Jun 17, 2010 09:24 AM|lextm|LINK

    It is highly not recommended to grant application pool identity permissions on database.

    MSDN has two approaches listed for ASP.NET beginners,

    http://msdn.microsoft.com/en-us/library/ms998300.aspx

    http://msdn.microsoft.com/en-us/library/ms998292.aspx

    Regards,

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Sep 29, 2010 04:04 PM|ewookie|LINK

    i am running windows server 2008 r2 standard. i was unable to give DefaultAppPool permissions to an .mdb file using the GUI. i was able to do it with icacls. however, the web application still could not write to the database. i tried using the iis_iusrs group as well, but writing to the database was still denied. finally, i gave the IUSR account modify permissions and it worked. any ideas why i'm having to do this and how i can make my installation of iis 7 work the recommended way?
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Oct 11, 2010 08:29 AM|mr_3ntropy|LINK

    ewookie

    i am running windows server 2008 r2 standard. i was unable to give DefaultAppPool permissions to an .mdb file using the GUI. i was able to do it with icacls. however, the web application still could not write to the database. i tried using the iis_iusrs group as well, but writing to the database was still denied. finally, i gave the IUSR account modify permissions and it worked. any ideas why i'm having to do this and how i can make my installation of iis 7 work the recommended way?
     

    Yes, it's because you are not using .net, so the app runs under the security context of the anonymous user (IUSR), because in classic asp impersonation cannot be disabled.

    To make it work the "recommended" way set your anonymous identity = app pool

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Jun 01, 2011 07:25 PM|zipswich|LINK

    I want to second what jgovednik described.

    I used to grant DefaultAppPool permissions for my ASP.net apps. Now I just grant permissions to IIS_IUSRS.  This has worked well for me so far.

    Hong
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Jun 01, 2011 08:05 PM|steve schofield|LINK

    +1

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Jul 26, 2011 09:00 AM|sh_olsson|LINK

    Hi, I'm having problems understanding what to use when programmatically giving access rights to a directory to an asp2 web-app. The call is to be made to Addaccessrule to create a new ACE in the ACL. How can I find a SID to supply in that call for Defaultapppool, or should I just give that as a Username? /Sven
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Jul 26, 2011 10:50 AM|HCamper|LINK

    Hello @ sh_olsson,

    If you check IIS Net library http://www.iis.net/ConfigReference/system.applicationHost/applicationPools 

           reference for Application Pools the samples section may help.

    For general Application Pool use http://learn.iis.net/page.aspx/624/application-pool-identities/ in IIS Net library.

    Martin

     

    Windows and Linux work Together IT-Pros
    Community Member Award 2011
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Jul 27, 2011 10:28 AM|freefallen|LINK

    IIS 7.5... I still use IIS7.0
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Jul 27, 2011 12:00 PM|HCamper|LINK

    Hi @ freefallen,

    The information in the thread from Lex for icacls commands and operation

     work with IIS Server 7.0 to manage permissions.

     http://technet.microsoft.com/en-us/library/cc753525.aspx .

    Martin

     

    Windows and Linux work Together IT-Pros
    Community Member Award 2011
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Jul 27, 2011 01:06 PM|sh_olsson|LINK

    HCamper

    Hello @ sh_olsson,

    If you check IIS Net library http://www.iis.net/ConfigReference/system.applicationHost/applicationPools 

           reference for Application Pools the samples section may help.

    For general Application Pool use http://learn.iis.net/page.aspx/624/application-pool-identities/ in IIS Net library.

    Martin

     

    Thanks, but in the first link there is a worrying sentence: "To do so, you would set your security using the name of an application pool by using syntax like "IIS AppPool\DefaultAppPool." This identity is created dynamically, thereby dramatically reducing the surface attack area of your server"

    The word "dynamically" is ominous to me, I get the impression that if I use syntax like:

        ...FileSystemAccessRule(New NTAccount("IIS AppPool\DefaultAppPool"), FileSystemRights...

    to create an ACE in an ACL for a resource, later on, the SID-number for "IIS AppPool\DefaultAppPool" will have changed so the access rule stops working?

    Or is the SID-number stable on that machine, for that specific name "IIS AppPool\DefaultAppPool", so I shouldn't worry about the wording "dynamic"?

    /sh
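
A way to check this on a given machine, as an added example that is not part of the thread: an ACE stores the account's SID, so the script compares the SID Windows returns for the pool name with a value derived from the name alone, then builds the access rule from the SID. The derivation used (S-1-5-82 followed by the SHA-1 of the lower-cased pool name in UTF-16LE, split into five little-endian 32-bit values) is an assumption based on how these virtual accounts are commonly described; the function name and folder path are hypothetical.

```powershell
# Added example (not from the thread). Get-AppPoolSid, $pool and $dir are
# hypothetical names / constructed values.
function Get-AppPoolSid {
    param([Parameter(Mandatory)][string]$PoolName)
    # Assumed derivation: SHA-1 over the lower-cased name encoded as UTF-16LE.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($PoolName.ToLowerInvariant())
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    try   { $hash = $sha1.ComputeHash($bytes) }
    finally { $sha1.Dispose() }
    # 20 hash bytes -> five little-endian 32-bit sub-authorities.
    $sub = 0..4 | ForEach-Object { [System.BitConverter]::ToUInt32($hash, $_ * 4) }
    'S-1-5-82-' + ($sub -join '-')
}

$pool = 'DefaultAppPool'
$dir  = 'C:\inetpub\wwwroot\MyApp\App_Data'

# What Windows itself reports for the account name.
$nt       = New-Object System.Security.Principal.NTAccount("IIS AppPool\$pool")
$resolved = $nt.Translate([System.Security.Principal.SecurityIdentifier])
$derived  = Get-AppPoolSid -PoolName $pool

if ($resolved.Value -ne $derived) {
    throw "Derived SID $derived does not match resolved SID $($resolved.Value)"
}
Write-Host "SID for '$pool' is a function of the name: $derived"

# Build the ACE from the SID; the same call accepts the NTAccount instead.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $resolved, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -LiteralPath $dir
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $dir -AclObject $acl
```

If the comparison passes after an IIS restart and a reboot, the rule keeps matching the pool for as long as the pool keeps its name; renaming the pool yields a different SID and the ACE has to be re-created.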

     

     

     

     

  • Re: Troubles with ApplicationPoolIdentity: -in IIS 7.5 or Windows 7 OS

    Jul 27, 2011 01:23 PM|HCamper|LINK

    Hi,

    The Topic "Troubles with ApplicationPoolIdentity" " IIS 7.5 server" or "Windows 7 operating systems"

    Your questions are important "security questions and concerns" need the best possible answers.

    Create a new post.

    TIA,

     

    Martin

     

     

     

    Windows and Linux work Together IT-Pros
    Community Member Award 2011
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Sep 27, 2011 03:56 AM|olivier.voutat|LINK

     Have you ever found the solution to this problem? I'm having a problem very similar when trying to access an Azman Xml...

  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Sep 27, 2011 05:28 AM|HCamper|LINK

    Hi,

    The Topic "Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7"

    Your questions are important and need the best possible answers.

    Create a new post for the problems and issues.

    TIA,

    Regards,

    Martin

     

     

    Windows and Linux work Together IT-Pros
    Community Member Award 2011
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Apr 26, 2012 08:55 AM|Rob Grainger|LINK

    lextm

    Therefore, this is not a bug.
    It may not be a bug, but it's hardly well documented. I'd vote to describe this as a documentation bug - I really shouldn't have to trawl through multiple online forums to find how to do such a basic operation (most of the descriptions I read were incomplete or wrong). And this isn't the first time I've attempted to resolve it (first time I succeeded before giving up though). Thanks for the solution, it just saved me having to use "Network Service" again.
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    May 21, 2012 03:00 AM|Tasmey|LINK

    Before you made changes to the app pools, all you probably needed to do was add read access to your physical directory for the "network service" account (that is the default account used by asp.net on vista & win7). I think what you may be looking for at this point is this: aspnet_regiis -ga The -ga switch tells aspnet_regiis to configure all the security for asp.net. Usually you only need to do this stuff when you are using impersonation in your application, but if you are changing the default user for the application pools then you are effectively doing the same thing IIS wide. The best complete documentation I've found is on MSDN. It applies to the previous version of IIS, IIS 6, but it is pretty easy to apply it in IIS 7 environments
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Sep 18, 2012 12:51 PM|russmichaels|LINK

    I am trying to deny default application pool access to windows folder so users/scripts cannot run exe's. I have denied IIS_IUSRS, which works for dedicated app pools. But not for default app pools. I have followed this thread, but there is no such user as ApplicationPoolIdentity or IIS APPPOOL\DefaultAppPool, so I cannot deny it. I have ALL object types selected in the "select users and groups" dialog.
  • Re: Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7

    Sep 18, 2012 01:04 PM|russmichaels|LINK

    OK, I managed to do it with icacls. No one has actually shown the command here, so here it is.

        icacls c:\windows\system32\*.exe /deny "IIS APPPOOL/DefaultAppPool"

    Now if I check the permissions on any exe it shows "DefaultAppPool" is denied all access. However, cgi scripts are still able to run exe's. What have I missed? IIS_IUSRS is also denied access. What does ApplicationPoolIdentity run as?