Solved

App Pool Identity

Posted on 2014-09-16
Last Modified: 2014-09-18
I have a web site that I switched from NETWORK_SERVICE to AppPoolIdentity.  I did this so I could see which process was running in Task Manager (I have a runaway process issue).  After changing the app pool to AppPoolIdentity (from NETWORK_SERVICE), some functions in the application don't work.  I think it's related to local file access restrictions, but I'm not certain.

When I look at the directory on the web server in Windows Explorer, I can see where NETWORK_SERVICE has been given read/write access to the directories the app tried to access.  How do I grant the same level of privileges for the AppPoolIdentity?  I don't see a SID in the Active Directory list.
Question by:No1Coder
LVL 18

Expert Comment

by:Emmanuel Adebayo
ID: 40326552
You grant permission for the account iusr_ to the directories the app tried to access.

Regards
0
 

Author Comment

by:No1Coder
ID: 40326610
IIS_USER and IUSR have the same file access capabilities as NETWORK_SERVICE.  Not sure if that is what you are referring to.

I am not certain that file access is the problem, but I can't think of anything else it could be.  The functions that do not work are dealing with local files, so file security makes sense.
0
 
LVL 18

Expert Comment

by:Emmanuel Adebayo
ID: 40326699
By default, Yes.

I think I understand what the issue is now.

You can try this by selecting a file in Windows Explorer and adding the "DefaultAppPool" identity to the file's Access Control List (ACL).

For more, please check http://www.iis.net/learn/manage/configuring-security/application-pool-identities

Cheers
0
 

Author Comment

by:No1Coder
ID: 40326777
This doesn't work for me.

W2012R2

I tried entering:
IIS AppPool\DefaultAppPool
IIS_AppPool\DefaultAppPool
IISAppPool\DefaultAppPool

It won't take any of these when I do check names.
0
 

Author Comment

by:No1Coder
ID: 40326779
Also tried the same using ICACLS.  It doesn't work either.  Says invalid parameter to 'IIS_AppPool\DefaultAppPool'
0
 

Author Comment

by:No1Coder
ID: 40326828
I tried this on two different 2012 r2 servers.  Doesn't work.
0
 
LVL 33

Accepted Solution

by:
hongjun earned 1500 total points
ID: 40329539
Try something like this?

icacls C:\inetpub\wwwroot\website\ /grant "IIS AppPool\ApplicationPoolName":RX

0
 

Author Comment

by:No1Coder
ID: 40329889
I tried the following:

icacls d:\websites /grant "DefaultAppPool":RX

D:\Websites is the directory that I would like to set read/execute privileges on.  On one server, when I execute this command, it created a Windows Security ID for the directory in question.  When I go to Windows Explorer and view security, I see an entry for DefaultAppPool, and I was able to set permissions as desired.  I do not know yet if this solves the original problem.

I tried the same command on my production server and received the error "DefaultAppPool: No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files"

The directory structure is the same for both servers.  I don't know what this error means.

I also tried:
icacls d:\WebSites /grant "IIS AppPool\DefaultAppPool":RX

Same results.

At this point I am just guessing.  I don't understand why this needs to be so difficult.
0
 

Author Closing Comment

by:No1Coder
ID: 40329987
Was able to get this to work.
0
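
Added example (not code from any poster in this thread): a PowerShell script that first checks that the app pool's virtual account resolves to a SID on the local server, the step that fails with "No mapping between account names and security IDs", and only then grants read/execute on the site directory. The pool name and path are the ones mentioned in the thread; the function names and the App_Data subfolder are hypothetical.

```powershell
# Added example. Run from an elevated PowerShell prompt on the web server itself:
# "IIS AppPool\<name>" is a local virtual account, not a domain account.
$PoolName = 'DefaultAppPool'   # assumption: pool name exactly as shown in IIS Manager
$SiteRoot = 'D:\WebSites'      # assumption: directory taken from the thread

function Resolve-AppPoolSid {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Build the account as (domain, name) so the space in "IIS AppPool" is unambiguous.
    $account = New-Object System.Security.Principal.NTAccount('IIS AppPool', $Name)
    try {
        return $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Cannot map 'IIS AppPool\$Name' to a SID on $env:COMPUTERNAME. Check that a pool with this exact name exists on this server."
    }
}

function Grant-AppPoolAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][System.Security.Principal.SecurityIdentifier]$Sid,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute'
    )
    # Inherit to subfolders and files, the equivalent of (OI)(CI) in icacls.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)          # adds to the existing ACL, removes nothing
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$sid = Resolve-AppPoolSid -Name $PoolName
Grant-AppPoolAccess -Path $SiteRoot -Sid $sid

# Grant write access only on the folders the application writes to
# (hypothetical subfolder), rather than Modify on the whole site:
# Grant-AppPoolAccess -Path (Join-Path $SiteRoot 'App_Data') -Sid $sid -Rights Modify

# Verify by SID, so the check does not depend on name translation.
(Get-Acl -LiteralPath $SiteRoot).GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```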
