App Pool Identity

I have a web site that I switched from NETWORK_SERVICE to AppPoolIdentity.  I did this so I could see which process was running in task manager (I have a runaway process issue).  After changing the app pool to AppPoolIdentity (from NETWORK_SERVICE), some functions in the application don't work.  I think its related to local file access restrictions, but not certain.

When I look at the directory on web server in Windows Explorer, I can see where NETWORK_SERVICE has been given read/write access to the directories the app tried to access.  How do I grant the same level of privileges for the AppPoolIdentity?  I don't see a SID in the active director list.
No1CoderAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Emmanuel AdebayoGlobal Windows Infrastructure Engineer - ConsultantCommented:
You grant permission for to account iusr_ to the directories the app tried to access.

Regards
0
No1CoderAuthor Commented:
IIS_USER and IUSR have the same file access capabilities as NETWORK_SERVICE.  Not sure if that is what you are referring to.

I am not certain that file access is the problem, but I can't think of anything else it could be.  The functions that do not work are dealing with local files, so file security makes sense.
0
Emmanuel AdebayoGlobal Windows Infrastructure Engineer - ConsultantCommented:
By default, Yes.

I think I understand what the issue si now

You can try this by selecting a file in Windows Explorer and adding the "DefaultAppPool" identity to the file's Access Control List (ACL).

For more, please check http://www.iis.net/learn/manage/configuring-security/application-pool-identities

Cheers
0
ON-DEMAND: 10 Easy Ways to Lose a Password

Learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees in this on-demand webinar. We cover the importance of multi-factor authentication and how these solutions can better protect your business!

No1CoderAuthor Commented:
This doesn't work for me.

W20012R2

I tried entering:
IIS AppPool\DefaultAppPool
IIS_AppPool\DefaultAppPool
IISAppPool\DefaultAppPool

It won't take any of these when I do check names.
0
No1CoderAuthor Commented:
Also tries same using ICACLS.  It doesn't work either.  Says invalid parameter to 'IIS_AppPool\DefaultAppPool'
0
No1CoderAuthor Commented:
I tried this on two different 2012 r2 servers.  Doesn't work.
0
hongjunCommented:
Try something like these?

icacls C:\inetpub\wwwroot\website\ /grant "IIS AppPoolApplicationPoolName":RX

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
No1CoderAuthor Commented:
I tried the following:

icacls d:\websites /grant "DefaultAppPool":RX

D;\Websites is the directory that I would like to set read/execute privileges on.  On one server, when I execute this command, it created a Windows Security ID for the directory in question.  When I go the windows explorer, and view security, I see an entry for DefaultAppPool, and I was able to set permissions as desired.  I do not know yet if this solves the original problem.

I tried the same command on my production server and receive the error "DefaultAppPool: No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files"

The directory structure is the same for both servers.  I don't know what this error means.

I also tried:
icacls d:\WebSites /grant "IIS AppPool\DefaultAppPool":RX

Same results.

At this point I am just guessing.  I don't understand why this needs to be so difficult.
0
No1CoderAuthor Commented:
Was able to get this to work.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.