Solved

App Pool Identity

Posted on 2014-09-16
Last Modified: 2014-09-18
I have a web site that I switched from NETWORK_SERVICE to AppPoolIdentity.  I did this so I could see which process was running in task manager (I have a runaway process issue).  After changing the app pool to AppPoolIdentity (from NETWORK_SERVICE), some functions in the application don't work.  I think it's related to local file access restrictions, but not certain.

When I look at the directory on the web server in Windows Explorer, I can see where NETWORK_SERVICE has been given read/write access to the directories the app tried to access.  How do I grant the same level of privileges for the AppPoolIdentity?  I don't see a SID in the Active Directory list.
Question by:No1Coder
9 Comments
 
LVL 17

Expert Comment

by:Emmanuel Adebayo
ID: 40326552
You grant permission to the account iusr_ for the directories the app tried to access.

Regards
0
 

Author Comment

by:No1Coder
ID: 40326610
IIS_USER and IUSR have the same file access capabilities as NETWORK_SERVICE.  Not sure if that is what you are referring to.

I am not certain that file access is the problem, but I can't think of anything else it could be.  The functions that do not work are dealing with local files, so file security makes sense.
0
 
LVL 17

Expert Comment

by:Emmanuel Adebayo
ID: 40326699
By default, yes.

I think I understand what the issue is now.

You can try this by selecting a file in Windows Explorer and adding the "DefaultAppPool" identity to the file's Access Control List (ACL).

For more, please check http://www.iis.net/learn/manage/configuring-security/application-pool-identities

Cheers
0
 

Author Comment

by:No1Coder
ID: 40326777
This doesn't work for me.

W2012R2

I tried entering:
IIS AppPool\DefaultAppPool
IIS_AppPool\DefaultAppPool
IISAppPool\DefaultAppPool

It won't take any of these when I do check names.
0
 

Author Comment

by:No1Coder
ID: 40326779
Also tried the same using ICACLS.  It doesn't work either.  Says invalid parameter to 'IIS_AppPool\DefaultAppPool'
0
 

Author Comment

by:No1Coder
ID: 40326828
I tried this on two different 2012 r2 servers.  Doesn't work.
0
 
LVL 33

Accepted Solution

by:
hongjun earned 500 total points
ID: 40329539
Try something like this?

icacls C:\inetpub\wwwroot\website\ /grant "IIS AppPool\ApplicationPoolName":RX

0
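
An added PowerShell example (not part of the original thread or any poster's code) of the grant suggested in the accepted answer. It first checks that the virtual account IIS AppPool\<pool name> resolves to a SID on the local server, then adds an inheritable read/execute entry and reads it back. The pool name and path are assumptions taken from the question; run it elevated on the web server itself.

```powershell
# Added example. $PoolName and $Path are assumptions taken from the question.
$PoolName = 'DefaultAppPool'
$Path     = 'D:\WebSites'

# Application pool identities are local virtual accounts named
# "IIS AppPool\<pool name>" (with a space, no underscore). They are not
# domain accounts, so the name has to resolve on this machine.
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")

try {
    # Name-to-SID lookup. If this fails, icacls fails for the same reason
    # ("No mapping between account names and security IDs was done").
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
}
catch {
    throw "Cannot resolve '$($account.Value)' on $env:COMPUTERNAME. " +
          "Check the exact application pool name in IIS Manager. " +
          "Underlying error: $($_.Exception.Message)"
}
Write-Output "$($account.Value) resolves to $($sid.Value)"

# Read and execute only, inherited by subfolders (ContainerInherit) and
# files (ObjectInherit). Grant Modify only on the specific folders the
# application really has to write to.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the ACL back and show the entries that belong to the pool identity.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $account.Value } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Equivalent icacls form, with the inheritance flags spelled out:
#   icacls D:\WebSites /grant "IIS AppPool\DefaultAppPool:(OI)(CI)RX"
```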
 

Author Comment

by:No1Coder
ID: 40329889
I tried the following:

icacls d:\websites /grant "DefaultAppPool":RX

D:\Websites is the directory that I would like to set read/execute privileges on.  On one server, when I execute this command, it created a Windows Security ID for the directory in question.  When I go to Windows Explorer, and view security, I see an entry for DefaultAppPool, and I was able to set permissions as desired.  I do not know yet if this solves the original problem.

I tried the same command on my production server and received the error "DefaultAppPool: No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files"

The directory structure is the same for both servers.  I don't know what this error means.

I also tried:
icacls d:\WebSites /grant "IIS AppPool\DefaultAppPool":RX

Same results.

At this point I am just guessing.  I don't understand why this needs to be so difficult.
0
 

Author Closing Comment

by:No1Coder
ID: 40329987
Was able to get this to work.
0
