Permissions of the Application Pool Identity
Apr 10, 2011 09:45 AM | Greg Hollywood
It seems that there are two different identities used in running a website - the site identity, and the application pool identity. I understand that the site identity is used so that you can give file permissions to that identity so it can access files.
But I don't understand what permissions you would need to give the application pool identity.
Say for example, I set the Application Pool Identity to an account, say AP_1, which is an account I created in Active Directory. It will then run the W3WP process under that account. Do I need to give it any further permissions, or is that it?
I guess I don't quite understand the purpose of the application pool identity.
Apr 10, 2011 11:04 AM | owjeff
The application pool identity is used for any server-side code (ASP.NET, classic ASP, PHP, etc.). You can configure the anonymous user to use the application pool identity as well, so you only need to manage a single user. The application pool identity needs read access to the site files at a minimum, but will require write access if your application writes to disk.
Apr 10, 2011 11:07 AM | Greg Hollywood
OK, thanks. I like the idea of just using a single user like you mention above. Do you find it to be a good practice?
Apr 10, 2011 11:15 AM | owjeff
It depends on the type of content you are serving up and the specific requirements of the application, but generally speaking, yes, this is an accepted practice for most web applications, provided the application doesn't need read/write to other parts of the OS or directory structure, and the security is locked down to the specific application pool:
You can assign permissions to the actual application pool itself.
Apr 10, 2011 11:45 AM | Greg Hollywood
I am trying to assign NTFS permissions to the application pool. I carefully followed the steps in the above link to do so, but it doesn't find it in the GUI. I carefully select the machine, not the domain, as the location and enter "IIS AppPool\DefaultAppPool", but it is not found. The only difference I see in my GUI from the example is that I only get "Built-in security principals" as the object type, whereas the example shows "Users, Groups and Built-in".
I tried with ICACLS and it found it and added it with no problem.
Am I doing something wrong in the GUI? I have tried 100 times to no avail. It will not find any virtual app pool name that I try.
Apr 10, 2011 01:49 PM | HCamper
Problem: where are the users and the folders and directories, so permissions can be set / configured for Application Pool and Users?
Methods & Operations for Application Pool users / folders / locations on a Windows System.
For this discussion only local folders and users are being handled.
By default you will not see other user / account folders; this is true for Application Pool folders / directories.
To be able to manage Application Pools you need to at least see what you're working with.
Go to your Windows folder view settings and un-check the setting for hiding folders (this allows you to see Application Pool users).
You may find some of the other folder settings modifications make sense.
After making folder setting changes, log off and back on.
After you have logged back on you can, using Windows Explorer, browse to C:\Users\DefaultAppPool and, with Windows Explorer and the Properties > Security tab, add, modify, and edit permissions for Users, Accounts, and Groups for access to DefaultAppPool.
The same operations from above apply to any of the other named Application Pools.
The other Application Pools can include Classic, Custom (a user you create) and DefaultAppPool.
I hope this helps.
Apr 11, 2011 04:39 AM | Andy Dodd
I have the following setup:
Windows 2008 R2
PHP 5.2 installed using the Web Platform Installer
I need users to be able to write to a directory (in this case it's images).
All accounts have read only access to this folder except the application pool identity which has full control.
Users are unable to write files to the directory.
Using procmon during an upload I can see that the application pool identity is denied write access to the folder.
Any idea why this might be the case? The effective permissions suggest that it should have full control.
Apr 11, 2011 08:18 AM | HCamper
To understand your problem with Users, Accounts, Permissions please
The guide explains how the Built-In Users, Accounts are used to execute code and handle files in IIS Server and Web Sites.
The IUSR, IIS_USERS need to have minimal access permissions of read, execute, list for IIS Server, Web Sites.
The IUSR, IIS_USERS need to have special permissions of write for Temp folders and files.
The IUSR, IIS_USERS need to have the special permissions for the %windir%\Temp folder and files.
The %windir% is the Windows directory path name, aka C:\Windows if that is the drive on the system.
If you are using "Network Service" then use the same permissions as IUSR, IIS_USERS. The IUSR, IIS_USERS need to have access to files and folders for the Application Pool.
The suggestions for how to provide permissions and settings were in a previous post.
Note: For "Best Practice" do not give "Full" permissions to any User, Account, Group other than "Administrator", "System".
Apr 11, 2011 08:58 AM | Greg Hollywood
There is a setting in PHP.ini that can restrict where PHP can write to. (I don't have the setting name to hand, sorry). That's one thing to check.
Also, check the NTFS permissions for the identity which the website runs under, which can be different from the identity that the application pool runs under.
I run the web site and the apppool under the same identity to keep things simpler.
Apr 11, 2011 09:04 AM | owjeff
Am I doing something wrong in the GUI?
In Windows Server 2008, you have to do it from the command line:
ICACLS C:\inetpub\wwwroot /grant "IIS AppPool\DefaultAppPool":(M)
You can do it from the GUI in Windows Server 2008 R2.
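The following PowerShell script is an added example, not code from the thread: it applies the least-privilege split owjeff describes (read/execute on the site tree, modify only on the folder the app writes to, never Full control) to an application pool identity via ICACLS, which resolves "IIS AppPool\<name>" even where the Server 2008 GUI does not, and then audits the resulting ACEs so a write-denied case like Andy Dodd's can be checked against what the identity actually holds. The pool name and paths are assumptions; adjust them to your layout.

```powershell
# Added example: least-privilege NTFS rights for an IIS application pool
# identity, followed by an audit of the ACEs that identity actually holds.
# Assumed names (change to match your server):
$pool      = 'MySitePool'                  # application pool name
$identity  = "IIS AppPool\$pool"           # virtual account of that pool
$siteRoot  = 'C:\inetpub\wwwroot\mysite'   # site content
$uploadDir = Join-Path $siteRoot 'images'  # the one folder the app writes to

# 1. Read + execute on the whole site tree. (OI)(CI) makes the ACE inherit
#    to files and subfolders; RX grants no write or delete.
icacls $siteRoot /grant "${identity}:(OI)(CI)RX"

# 2. Modify (M) only on the upload folder. Never F (Full control) for the
#    pool identity; M is enough to create, overwrite and delete uploads.
icacls $uploadDir /grant "${identity}:(OI)(CI)M"

# 3. Audit: every ACE on a path that names the pool identity. A Deny ACE
#    here, or a Deny on a group the identity belongs to (e.g. IIS_IUSRS),
#    wins over Allow and is the usual reason procmon shows ACCESS DENIED
#    while "effective permissions" still looks generous.
function Get-PoolAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $Path
                Type      = $_.AccessControlType        # Allow / Deny
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
                # flag ACEs that grant the whole FullControl mask
                TooBroad  = (($_.FileSystemRights -band $full) -eq $full)
            }
        }
}

Get-PoolAccess -Path $siteRoot  -Identity $identity | Format-Table -AutoSize
Get-PoolAccess -Path $uploadDir -Identity $identity | Format-Table -AutoSize
```

If the audit shows only Allow/Modify on the upload folder and writes still fail, look outside NTFS next (for PHP, the open_basedir and upload_tmp_dir settings in php.ini, and write access to the temp folder HCamper mentions).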