IIS7 Permissions Overview - ApplicationPoolIdentity

permissions iis-7

We have recently upgraded to IIS7 as a core web server and I need an overview in terms of the permissions. Previously, when needing to write to the file system I would have give the AppPool user (Network Service) access to the directory or file.

In IIS7 I see, as default, the AppPool user is set to ApplicationPoolIdentity. So when I check the task-manager, I see that a user account called 'WebSite.com' is running the IIS Process ('Website.com' being the name of the website in IIS)

However this user account doesn't exist if I try to use that to give permissions. So, how do I determine which user to give the permissions too?

Edit ==============================================================================

See below for the problem in screen shot. Our website (www.silverchip.co.uk) runs on the username SilverChip.co.uk. However when I add pemissions, this user doenst exist!

enter image description here

=================================See AppPool Image

enter image description here


Solution 1:

ApplicationPoolIdentity is actually the best practice to use in IIS7+. It is a dynamically created, unprivileged account. To add file system security for a particular application pool see IIS.net's "Application Pool Identities". The quick version:

If the application pool is named "DefaultAppPool" (just replace this text below if it is named differently)

  1. Open Windows Explorer
  2. Select a file or directory.
  3. Right click the file and select "Properties"
  4. Select the "Security" tab
  5. Click the "Edit" and then "Add" button
  6. Click the "Locations" button and make sure you select the local machine. (Not the Windows domain if the server belongs to one.)
  7. Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box. (Don't forget to change "DefaultAppPool" here to whatever you named your application pool.)
  8. Click the "Check Names" button and click "OK".

Solution 2:

Remember to use the server's local name, not the domain name, when resolving the name 

IIS AppPool\DefaultAppPool

(just a reminder because this tripped me up for a bit):enter image description here

Solution 3:

Giving access to the IIS AppPool\YourAppPoolName user may be not enough with IIS default configurations.

In my case, I still had the error HTTP Error 401.3 - Unauthorized after adding the AppPool user and it was fixed only after adding permissions to the IUSR user.

This is necessary because, by default, Anonymous access is done using the IUSR. You can set another specific user, the Application Pool or continue using the IUSR, but don't forget to set the appropriate permissions.

authentication tab

Credits to this answer: HTTP Error 401.3 - Unauthorized

Related

How to exit a 'git status' list in a terminal?
Get the key corresponding to the minimum value within a dictionary
How to match "any character" in regular expression?
How to test if string exists in file with Bash?
Is "else if" faster than "switch() case"? [duplicate]
Set size on background image with CSS?
How to dismiss keyboard for UITextView with return key?
Why are C# 4 optional parameters defined on interface not enforced on implementing class?
Explaining Apache ZooKeeper
Which .NET Dependency Injection frameworks are worth looking into? [closed]
@Nullable annotation usage
How to determine when a Git branch was created?