Write access to EVERYONE works, IUSR, IIS_IUSRS, DefaultAppPool does not work. why?
Ok. Here we are trying to set up a Classic ASP website at IIS 7.5 in Windows Server 2008 R2. There is a folder named dbc under the website's root and it has a file which is used to read and write certain information while every page is processed.
The issue is, if I grant IUSR Write Permissions, and IIS_IUSRS Write Permissions, or DefaultAppPool Write Permissions, I get the "Access to the path 'E:..\websiteroot\dbc\filename.txt' is denied"
But If I grant EVERYONE Write access on that dbc folder, then I don't get any error, everything seems perfect.
More Info: The website runs in Classic Pipeline mode, Anonymous Authentication is Enabled (perhaps it's the only authentication enabled).. And I tried Anonymous authentication using IUSR account as well as, Application Pool Identity. In my case, ApplicationPoolIdentity is the Identity for the Authentication of the website. We use a COM+ for file I/O. And Classic ASP Server.CreateObject to instantiate an object out of it. The COM+ runs as a Network Service.
Thoughts? I don't want to grant Write permission to EVERYONE. Am I missing something?
SOLVED: Here's what I did.
My website named CipherDemo was running under an AppPoolIdentity in IIS 7.5, that could be located by the Identity IIS AppPool\CipherDemo. I used ICACLS to give RW permissions on that folder.
and the COM+ that was actually doing the file I/O was running under the Network Service Identity. When I was using Process Monitor to trace the Access Denied Error, it turned that Network Service has only a Read permission on that folder.
I used ICACLS "foldername" /grant:r "NT AUTHORITY\NETWORKSERVICE":(OI)(CI)RXW /T to grant Write access on that folder.
And solved it.
I was on an intention that since the website runs as CipherDemo Identity, this will be the account that will be used to access the file via COM+. But it's embarrassing to find out that the COM+ would still work on it's own Identity boundaries.
Under IIS 7.5 (and optionally in IIS 7) all workers run with Application Pool Identity: user "IIS AppPool*PoolName*".
Grant access to that user rather than Everyone (you'll need to type the name into the select identity dialogues—it won't show up in the find function).
There is a very useful page on iis.net that covers things in much more detail.
Also note: under IIS7 (Server 2008):
- You set app pool identity on a per-app pool basis in the advanced settings.
- There is no GUI support, so you'll need the command line to set permissions (
icacls.exe
).
Finally SQL Server's identity selection doesn't know about app pool identity either: use CREATE LOGIN
and CREATE USER
initially, after this the GUI can be used to grant roles etc.
You can add the account through the NTFS GUI by typing it in directly. The name is in the format of IIS APPPOOL\<<app pool name>>
, e.g. IIS APPPOOL\DefaultAppPool
. (see this Microsoft support article)
An alternative solution: I've been using the "Network Service" account as application pool user granting it write permission.
If you want only grant the folder WRITE permission to the specific user, you should also change 'Anonymous user identity' of site to the 'Specific User', not 'Application pool identity'.