Solved

App Pool Identity

Posted on 2014-09-16
Last Modified: 2014-09-18
I have a web site that I switched from NETWORK_SERVICE to AppPoolIdentity.  I did this so I could see which process was running in task manager (I have a runaway process issue).  After changing the app pool to AppPoolIdentity (from NETWORK_SERVICE), some functions in the application don't work.  I think it's related to local file access restrictions, but not certain.

When I look at the directory on the web server in Windows Explorer, I can see where NETWORK_SERVICE has been given read/write access to the directories the app tried to access.  How do I grant the same level of privileges for the AppPoolIdentity?  I don't see a SID in the Active Directory list.
Question by:No1Coder
9 Comments
 
LVL 16

Expert Comment

by:Emmanuel Adebayo
ID: 40326552
You grant permission to the account iusr_ for the directories the app tried to access.

Regards
0
 

Author Comment

by:No1Coder
ID: 40326610
IIS_USER and IUSR have the same file access capabilities as NETWORK_SERVICE.  Not sure if that is what you are referring to.

I am not certain that file access is the problem, but I can't think of anything else it could be.  The functions that do not work are dealing with local files, so file security makes sense.
0
 
LVL 16

Expert Comment

by:Emmanuel Adebayo
ID: 40326699
By default, Yes.

I think I understand what the issue is now.

You can try this by selecting a file in Windows Explorer and adding the "DefaultAppPool" identity to the file's Access Control List (ACL).

For more, please check http://www.iis.net/learn/manage/configuring-security/application-pool-identities

Cheers
0
 

Author Comment

by:No1Coder
ID: 40326777
This doesn't work for me.

W2012R2

I tried entering:
IIS AppPool\DefaultAppPool
IIS_AppPool\DefaultAppPool
IISAppPool\DefaultAppPool

It won't take any of these when I do check names.
0
 

Author Comment

by:No1Coder
ID: 40326779
Also tried the same using ICACLS.  It doesn't work either.  Says invalid parameter to 'IIS_AppPool\DefaultAppPool'
0
 

Author Comment

by:No1Coder
ID: 40326828
I tried this on two different 2012 r2 servers.  Doesn't work.
0
 
LVL 33

Accepted Solution

by:
hongjun earned 500 total points
ID: 40329539
Try something like these?

icacls C:\inetpub\wwwroot\website\ /grant "IIS AppPool\ApplicationPoolName":RX

0
 

Author Comment

by:No1Coder
ID: 40329889
I tried the following:

icacls d:\websites /grant "DefaultAppPool":RX

D:\Websites is the directory that I would like to set read/execute privileges on.  On one server, when I execute this command, it created a Windows Security ID for the directory in question.  When I go to Windows Explorer, and view security, I see an entry for DefaultAppPool, and I was able to set permissions as desired.  I do not know yet if this solves the original problem.

I tried the same command on my production server and received the error "DefaultAppPool: No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files"

The directory structure is the same for both servers.  I don't know what this error means.

I also tried:
icacls d:\WebSites /grant "IIS AppPool\DefaultAppPool":RX

Same results.

At this point I am just guessing.  I don't understand why this needs to be so difficult.
0
 

Author Closing Comment

by:No1Coder
ID: 40329987
Was able to get this to work.
0
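
The grant discussed in this thread, as an added PowerShell example (not code posted by any participant): it resolves the `IIS AppPool\<name>` virtual account to a SID before touching the ACL, so the "No mapping between account names and security IDs" condition is reported up front instead of as a failed grant. The default pool name and path are the ones mentioned in the thread; the parameter names are assumptions of this example.

```powershell
# Added example, not from the thread. Run elevated, on the web server itself.
param(
    [string]$PoolName = 'DefaultAppPool',   # pool name as shown in IIS Manager
    [string]$Path     = 'D:\WebSites',      # directory named in the thread
    [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute'
)

# App pool virtual accounts are named "IIS AppPool\<pool name>":
# a space inside "IIS AppPool", then a backslash before the pool name.
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")

# Resolve the name to a SID first. A failure here is the condition icacls
# reports as "No mapping between account names and security IDs was done".
try {
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
} catch [System.Security.Principal.IdentityNotMappedException] {
    Write-Error ("'{0}' does not resolve on {1}. Compare the pool name with the pools defined in IIS on this server." -f $account.Value, $env:COMPUTERNAME)
    exit 1
}
Write-Output ("Resolved {0} to {1}" -f $account.Value, $sid.Value)

# Allow rule inherited by subfolders and files, the equivalent of icacls (OI)(CI).
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $sid, $Rights, $inherit, $prop, $allow

$acl = Get-Acl -LiteralPath $Path
$acl.AddAccessRule($rule)     # merges with existing entries, does not replace them
Set-Acl -LiteralPath $Path -AclObject $acl

# Show what the pool identity now holds on the directory (-eq ignores case).
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $account.Value } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Granting to the single pool identity keeps the ACL scoped to that one worker process rather than to every service running as NETWORK SERVICE.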
