
We have recently upgraded to IIS7 as a core web server and I need an overview in terms of the permissions. Previously, when needing to write to the file system I would have to give the AppPool user (Network Service) access to the directory or file.

In IIS7 I see, as default, the AppPool user is set to ApplicationPoolIdentity. So when I check the task-manager, I see that a user account called WebSite.example is running the IIS Process ('Website.example' being the name of the website in IIS)

However, this user account doesn't exist if I try to use it to give permissions. So, how do I determine which user to give the permissions to?

See below for the problem in a screenshot. Our website (www.silverchip.co.uk) runs on the username SilverChip.co.uk. However, when I add permissions, this user doesn't exist!

See AppPool Image:

LiamB

  • Actually Microsoft's information on this matter is very good: [Application Pool Identities](https://www.iis.net/learn/manage/configuring-security/application-pool-identities) – DanielV Dec 02 '15 at 09:44

8 Answers

ApplicationPoolIdentity is actually the best practice to use in IIS7+. It is a dynamically created, unprivileged account. To add file system security for a particular application pool see IIS.net's "Application Pool Identities". The quick version:

If the application pool is named "DefaultAppPool" (just replace this text below if it is named differently):

  1. Open Windows Explorer.
  2. Select a file or directory.
  3. Right click the file and select "Properties".
  4. Select the "Security" tab.
  5. Click the "Edit" and then "Add" button.
  6. Click the "Locations" button and make sure you select the local machine. (Not the Windows domain if the server belongs to one.)
  7. Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box. (Don't forget to change "DefaultAppPool" here to whatever you named your application pool.)
  8. Click the "Check Names" button and click "OK".
Jon Adams

  • @Pino: No, not the web site name. Use the _application pool_ name. Each web site is assigned to an application pool. You can tell which one on the web site's properties Basic Settings dialog (in IIS7). – Jon Adams Sep 08 '11 at 15:04
  • That is the AppPool? See the new screen shot. – LiamB Sep 08 '11 at 15:38
  • @Pino: In that case, the security role you should use is `IIS AppPool\silverchip.co.uk`. I haven't tried periods in security names though--you may want to change it to something without punctuation. – Jon Adams Sep 08 '11 at 16:59
  • What if this still doesn't help on WinServ2008R2? – Johnny_D Sep 30 '13 at 13:27
  • @Johnny_D: If this doesn't work for you in Server 2008R2 you either didn't follow the procedure correctly or you have another issue. I suggest posting a new Question with your details, what you've tried, what messages you're getting, etc. – Jon Adams Sep 30 '13 at 15:01
  • I have followed your instructions as you've said. But there is one hack. You have to set the property `enable load user profile` to `true` in the application pool settings. Only after this setting was I able to run the application. So please update your instructions and add a 9th point. – Johnny_D Oct 01 '13 at 12:56
  • @siniradam: This answer is the correct process. If it isn't working for you, then you probably have a different setup, missed a step, or have some other unusual environment. I suggest asking a new Question with more details for your situation, what you tried, error messages you're getting, etc. Perhaps reference this one as something you tried but didn't work. – Jon Adams Feb 03 '14 at 19:54
  • @Johnny_D: Is "enable load user profile" not set to "true" by default already on that environment? It is for the ones I've tested. Or are you saying we need to be explicit that if the user changes that setting then this won't work for them? – Jon Adams Feb 03 '14 at 19:56
  • @JonAdams I've created a new pool and gave the permissions to that pool-user. Weird but it is working now. Thanks. – siniradam Feb 04 '14 at 08:35
  • This didn't work for me. The problem was that in the Advanced attributes, "encrypt" was checked. Have no idea how it happened, but that was the problem. I suggest anyone having problems after following these steps take a close look at attributes. – Cory Mawhorter Feb 05 '14 at 23:37
  • Remember to check that the server setting for anonymous authentication is also using the Application pool identity. This solution worked for me as soon as I switched back from IUSR. – bblue May 09 '14 at 23:49
  • Pay attention here! You cannot look up the user using the user interface; you have to type it in. Checking the name is the only thing you can do. – Remco Jan 14 '15 at 16:34
  • What are the correct settings if Windows Authentication is enabled? – ATHER Jul 15 '15 at 17:52
  • @ATHER Assuming you mean the IIS site setting to authenticate clients via Windows Authentication, that is a separate topic. They may both happen to involve the same Windows credential store--but this question/answer deal with IIS access to the file system and not client access to IIS. – Jon Adams Jul 15 '15 at 21:11
  • unprivelaged -> unprivileged, cannot edit, counts as less than 6 character change. – gerleim Dec 10 '15 at 12:39
  • @bblue You sir are a GOD SEND. Thank you for the reminder of the anonymous auth user. Saved my life :) – Sloan Reynolds May 31 '18 at 23:45
  • Does this only apply to `windows server`, not the normal desktop version? I'm using Windows 10 and cannot find `IIS ApplicationPool/` – Tran Quan Oct 08 '18 at 11:48
  • @tranquan This applies to all versions of Windows. Go through the instructions above carefully. Windows won't let you use the Find feature in the security dialog--which is why this question is so popular. The steps above describe how to set the necessary permissions without the Find dialog. – Jon Adams Oct 08 '18 at 11:58
  • @JonAdams thank you :| I found it now, so magic. So the "IIS AppPool\DefaultAppPool" is hidden; you have to enter it exactly :| Because I chose Advanced and listed all users but did not find IIS AppPool. I thought it was disabled. – Tran Quan Oct 08 '18 at 12:32
  • @HimalayaGarg The problem with using `\IIS_IUSRS` is that it does not isolate the application pool from others. In certain scenarios, this is a little less security than some users may be expecting/intending. – Jon Adams Mar 19 '19 at 14:23

Remember to use the server's local name, not the domain name, when resolving the name

IIS AppPool\DefaultAppPool

(just a reminder because this tripped me up for a bit).

James Toomey

  • Yep, I forget this every time, thanks for the reminder James Toomey! – tjans Sep 28 '18 at 13:18
  • So where can we find out the local server name? – user889030 Jun 26 '20 at 17:10
  • @user889030, you can either type `hostname` on the command line, or right-click the My Computer icon in File Explorer and select Properties, and it should list it there. – James Toomey Jul 01 '20 at 00:09
  • @JamesToomey Yeah right, I have uninstalled IIS because it has issues with exe opening; I was not able to open a system browser like Chrome, Firefox etc. from it, was getting some cache type error. I think IIS moves the exe to its sandbox before launching, so I switched to Apache which does not have such issues. – user889030 Jul 01 '20 at 05:05
  • @JamesToomey Can you verify whether browsers can be launched from IIS -> PHP or not, e.g. by executing commands like `cmd /c start chrome /new-window www.google.com` or executing the Chrome binary with its path? – user889030 Jul 01 '20 at 05:07
  • @user889030, not clear on the question--are you trying to launch the browser on the server, or launch it on the client who is viewing the website? – James Toomey Jul 01 '20 at 19:12
  • @JamesToomey On the server side. – user889030 Jul 02 '20 at 10:08
  • @user889030, gosh I'm not sure about doing that. It's not something I ever tried or needed to do. Sorry. – James Toomey Jul 02 '20 at 14:13
  • I'm trying to set up permissions on a network shared folder, but when I go to the folder's security settings to select users, in "Locations" I only see the local machine "Desktop-LC" and I can't find the server (or any other machines) in "Locations", even though they can access each other from the network or with the full folder path through Explorer... So because I can't select the location I also can't add the AppPool user. Any info on what might be the problem? – guxxo Dec 23 '20 at 16:04
  • @guxxo, it sounds like you're trying to set the permissions on the network folder but do it from a workstation, not while logged on to the server itself, is that correct? You would need to be logged on to the server itself, because the AppPool user only exists on the server itself because it's a local user, not a network user, so you won't see it if you're trying to do this remotely. – James Toomey Dec 24 '20 at 04:33

Giving access to the IIS AppPool\YourAppPoolName user may not be enough with the IIS default configuration.

In my case, I still had the error HTTP Error 401.3 - Unauthorized after adding the AppPool user, and it was fixed only after adding permissions for the IUSR user.

This is necessary because, by default, Anonymous access is done using IUSR. You can set another specific user, the Application Pool identity, or continue using IUSR, but don't forget to set the appropriate permissions.

Credits to this answer: HTTP Error 401.3 - Unauthorized

Zanon

  • This is crucial!!! Must change the "Anonymous Authentication" to "Application pool identity" for security! I'm sure there's a good reason it's set to IUSR, but I can't think of a single one. Thanks!!! – Danimal111 Dec 16 '16 at 16:57
  • This has fixed the issue for me. It might be because my version of IIS is 8 on Windows Server 2012 R2 – myroslav May 25 '17 at 20:59
  • This is an important step that should be added to the accepted answer. Also the simplest way is to change the radio box to Application pool identity – Sourcery Feb 14 '18 at 09:46
  • This was my problem! Thank you!! – Sloan Reynolds May 31 '18 at 23:45
  • I love that, 6 years later, you still just solved my problem. #legacy – Micah Murray Aug 15 '22 at 04:02

On Windows Server 2008 (R2) you can't assign an application pool identity to a folder through Properties -> Security. You can do it through an admin command prompt using the following, though:

icacls "c:\yourdirectory" /t /grant "IIS AppPool\DefaultAppPool":(R)
Chris

  • Can you explain this a little? What does (R) mean? Do you actually enter angle brackets in this command? – Kate Gregory Jun 23 '14 at 22:34
  • Hi Kate, I was using <> to denote "your apppool name here", but left in a legitimate apppool name. In IIS Manager -> Application Pools you'll need to match the name, spaces included. The last one I did was "IIS AppPool\ClientName_CompanyName - Intranet". :(R) in this case is granting read access. You can also use F (full), M (modify), RX (read+execute) and W (write only). – Chris Jun 30 '14 at 12:59
  • You can actually assign via the Security tab in Properties in Windows Server 2008 R2, so you shouldn't need this workaround. Make sure you have built-in security principals selected on object types and location. – rism Jul 30 '14 at 09:57
  • This answer works for me. The selected answer doesn't work for me. – Tuyen Nguyen Oct 31 '14 at 14:59
  • See also the original response of the selected answer at http://serverfault.com/questions/81165/how-to-assign-permissions-to-applicationpoolidentity-account. For plain Windows Server 2008 (or Datacenter edition) you pretty much have to use the command line to get the app pool account into the security dialog. Once it's there, you can manage it, change permission levels for subdirectories etc. Also consider: `icacls "c:\yourdirectory" /t /grant "IIS AppPool\DefaultAppPool":(OI)(CI)(R)` (OI = object inheritance, CI = container inheritance). – secretwep Jul 03 '15 at 21:19
  • Worked for me except I had to include the entirety of the grant parameter value in quotes: `/grant "IIS AppPool\DefaultAppPool:(R)"` – ssell Jun 22 '18 at 16:33

Part A: Configuring your Application Pool

Suppose the Application Pool is named 'MyPool'. Go to 'Advanced Settings' of the Application Pool from the IIS Manager.

  1. Scroll down to 'Identity'. Trying to edit the value will bring up a dialog box. Select 'Built-In account' and under it, select 'ApplicationPoolIdentity'.

  2. A few lines below 'Identity', you should find 'Load User Profile'. This value should be set to 'True'.

Part B: Configuring your website

  1. Website Name: SiteName (just an example)
  2. Physical Path: C:\Whatever (just an example)
  3. Connect as... : Application User (pass-through authentication) (The above settings can be found in 'Basic Settings' of the site in the IIS Manager)
  4. After configuring the basic settings, look for the 'Authentication' configuration under 'IIS' in the main console of the site. Open it. You should see an option for 'Anonymous Authentication'. Make sure it is enabled. Then right click and 'Edit...' it. Select 'Application Pool Identity'.

Part C: Configuring your folder

The folder in question is C:\Whatever

  1. Go to Properties - Sharing - Advanced Sharing - Permissions, and tick 'Share this folder'
  2. In the same dialog box, you will find a button 'Permissions'. Click it.
  3. A new dialog box will open. Click 'Add'.
  4. A new dialog box 'Select Users or Groups' will open. Under 'From this location' make sure the name is the same as your local host computer. Then, under 'Enter the object names', type 'IIS AppPool\MyPool' and click 'Check Names' and then 'Ok'
  5. Give full sharing permissions for 'MyPool' user. Apply it and close the folder properties
  6. Open folder properties again. This time, go to Security - Advanced - Permission, and click Add. There will be an option 'Select a Principal' at the top, or some other option to choose a user. Click it.
  7. The 'Select Users or Groups' dialog box will open again. Repeat step 4.
  8. Give all or as many permissions you need to the 'MyPool' user.
  9. Check 'Replace all child object permissions...', then Apply and close.

You should now be able to browse the website.


Top answer from Jon Adams

Here is how to implement this for the PowerShell folks:

$IncomingPath = "F:\WebContent"
$Acl = Get-Acl $IncomingPath
# Grant the pool identity Full Control on the folder, inherited by subfolders and files
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\DefaultAppPool", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $IncomingPath $Acl
Chris Mills

  • Adding full control to the physical path of the website opens up a vector of attack for files to be altered or created by the web application. I would recommend only granting Read & Execute. Only allow specific sub folders to be explicitly written to; even better, don't write files to the physical path of the web site ever. – Adam Carr Jan 06 '22 at 19:52
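The whole procedure scripted end to end in PowerShell, as an added example rather than code from any of the answers above: it applies the ApplicationPoolIdentity and Load User Profile settings from the Part A/B/C answer, switches anonymous authentication to the pool identity as Zanon's answer describes, and grants the file-system rights from Jon Adams's answer at the least-privilege level the comment above recommends. The pool name 'MyPool', site name 'MySite', content root 'C:\inetpub\MySite' and its writable 'App_Data' subfolder are assumed; the script relies on the WebAdministration module that ships with IIS 7.5 and later.

```powershell
# Added example, not from any answer on this page. Assumed names: pool 'MyPool',
# site 'MySite', content root 'C:\inetpub\MySite' with an existing App_Data folder.
# Run from an elevated PowerShell on the web server itself (the virtual account
# only exists there). Requires the WebAdministration module (IIS 7.5 and later).
Import-Module WebAdministration

$pool      = 'MyPool'
$site      = 'MySite'
$root      = 'C:\inetpub\MySite'
$principal = "IIS AppPool\$pool"   # cannot be browsed for in the Security dialog, only typed

# Part A: run the pool under its own virtual account and load its user profile
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType   -Value ApplicationPoolIdentity
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.loadUserProfile -Value $true

# Part B: anonymous requests should run as the pool identity, not IUSR.
# An empty userName is how IIS stores the "Application pool identity" radio button.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# Part C: least privilege on disk. Read & Execute on the site root is enough to
# serve it; write access goes only to the one folder the application must write.
function Grant-PoolAccess {
    param([string]$Path, [string]$Identity, [string]$Rights)
    $acl  = Get-Acl $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)    # replaces any existing explicit Allow rule for this identity
    Set-Acl $Path $acl
}
Grant-PoolAccess -Path $root                        -Identity $principal -Rights 'ReadAndExecute'
Grant-PoolAccess -Path (Join-Path $root 'App_Data') -Identity $principal -Rights 'Modify'

# Verify: the ACE should list the account by name; an unresolved S-1-5-82-... SID
# means the name was typed wrong or the pool does not exist yet.
(Get-Acl $root).Access |
    Where-Object { $_.IdentityReference -like 'IIS AppPool\*' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
```

Because the script sets the IIS configuration and the ACLs together, it also covers the two cases reported in the comments where the GUI steps alone were not enough (Load User Profile off, anonymous authentication still on IUSR).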

Just to add to the confusion, the (Windows Explorer) Effective Permissions dialog doesn't work for these logins. I have a site "Umbo4" using pass-through authentication, and looked at the user's Effective Permissions in the site root folder. The Check Names test resolved the name "IIS AppPool\Umbo4", but the Effective Permissions shows that the user had no permissions at all on the folder (all checkboxes unchecked).

I then excluded this user from the folder explicitly, using the Explorer Security tab. This resulted in the site failing with an HTTP 500.19 error, as expected. The Effective Permissions, however, looked exactly as before.

StuartN

I fixed all my asp.net problems simply by creating a new user called IUSER with a password and adding it to the Network Service and Users groups. Then create all your virtual sites and applications, set authentication to IUSER with its password, set high-level file access to include IUSER, and BAM, it fixed at least 3-4 issues including this one.

Dave