How to set correct file permissions for ASP.NET on IIS

Solution 1:

The message is clear.

Cannot read configuration file due to insufficient permissions

How to solve it.

Every asp.net application is run under one pool assigned to it, and each pool is run under a specific account.

Open the IIS, locate the pool under which your app is try to run, see the user that is assigned to that pool, and give read permissions to that user on your full site directory tree.

Especial for the web.config

The web.config, its the configuration file that message says, must have (and) write permissions.

So you locate web.config on the root of your site, right click on it, go to permissions and give on the pool-user, the write capability. The pool user, is the user under the witch the pool is run, as I explain below.

More details

To been able to run a public asp.net site with IIS, each file on the directory must have permissions for two accounts.

One account that is permitted for public access, and the account that assigned to that application pool have.

To find/assing the first account you go to your iis site | Authentication | Edit, and see or change it as you see on that screen shot.

Now note that name and we going to find the user under with the pool run.
Go the your IIS Site and click on the Basic Settings to find the pool name, then go to the IIS | Application Pools and see the Identity column, and note the name of the user under the witch your site is run.

Now that we have the two users names we go to the root of the site and set the minimum of permissions that is the read as

Some Notes

  • If the IIS_Public_ACCESS_USER is not give read permission the site is run, but ask for password
  • On some directories you need and write permissions, if you let for example your users upload images, or keep on App_Data, some database files. Only for that directories you give and the write permissions to the IIS_POOL_USER.
  • Some directories, like the App_Data and App_Code have direct protection from asp.net and they not allow anyone from the client side to run or view whats is in there.
  • On the public directory that allow write access to your user add one web.config and totally disable all the running of asp.net files.

More to read for the directories that give write permissions I've been hacked. Evil aspx file uploaded called AspxSpy. They're still trying. Help me trap them‼