[Last Call] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 852
  • Last Modified:

IIS Web Application & Virtual Directory Access

I currently have a web application that runs under an app pool impersonating a domain account (my webserver is on the domain).

I am trying to setup a virtual directory within this web application that contains numerous pdf's that will be displayed to the user on the webpage.

When setting up the virtual directory i can test the connection and get a green light, saying the app pool identity has access to the folder.  I have verified the share and security permissions on the physical folder and the app pool impersonate account has full rights.

When the webpage loads it displays the pdf in an iframe.  This works when I have Anonymous Authentication turned on in the virtual directory settings (IUSR) but as soon as I disable this and want it to use windows auth (assuming it is going to use the app pool identity) the pdf will not display and prompts for a login.  I have even tried turing on ASP.Net impersonation for the virtual directory and specifically enter my domain app pool account and it still does not display the pdf.

Is this normal behavior?
Does the local IUSR account have some special setting (security) that my domain account (currently a domain admin acct while I am testing) would not have?
1 Solution
Brad HoweCommented:
Yes, that does make sense.

App Pool Identity and ASP.NET Impersonation are 2 different things. AppPools are what IIS uses to manage a worker process. ASP.NET Impersonation is at the application level in the web.config of an application. Using impersonation in the web.config allows you to override the set Identity configured in the AppPool.  Think of it as worker process vs application.

Essentially, you will need to modify your web.config to impersonate if you are using windows authentication and disabling anonymous.

  <authentication mode="Windows"/>
    <identity impersonate="true" userName="<domain>\<UserName>" password="<password>"/>

Have a look at:
ASP.NET Impersonation documentation:

Using IIS Authentication with ASP.NET Impersonation: http://msdn.microsoft.com/en-us/library/134ec8tc(v=vs.100).aspx

You can also modify your page to show the security ID as such.

Hope it helps,

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now