36

I am running IIS 7 on Windows Server 2008 R2 with PHP 5.4. One of my PHP scripts is trying to access a file on a protected network share using a UNC path. How can I change the IIS service account to an account that has permission to access the share? This is really easy to do on Apache HTTP server (you just change it), but it's not clear how to do with IIS. What can I do?

Update:

I was able to get things working using the "Connect As" option in the "Basic Settings" of my website and then specifying an account that has access to the network share. It appears that my problem is related to this question:

https://serverfault.com/questions/366234/iis-identities-application-pool-vs-connect-as-in-basic-settings

Community
HydroPowerDeveloper
  • Philip Tenn is absolutely correct. Subtle clarification: you *DO NOT* want to change the IIS user. That would be "Bad". Instead, you want to set the "Identity" of the "Application Pool" that needs this particular resource. Philip tells you how to do this. – paulsm4 Jan 30 '13 at 19:41
  • @paulsm4 But I can't get Philip's way to work..check out my comments. – HydroPowerDeveloper Jan 30 '13 at 19:49

3 Answers

53

For IIS 7 running on Windows Server 2008 R2 ... In the IIS Manager, select the Application Pool under which your Web Site is running.

Click "Advanced Settings". There will be an entry for Identity (it is under the Process Model section). Click it, provide credentials for your account that has permission to access the share.

UPDATE

You should make sure that if you are using an Active Directory Domain Account, you provided that correctly under Identity for the running App Pool. For example, MYDOMAIN\myAccount.

After making this change, you will need to do the following:

  1. Stop the Web Site.
  2. Recycle your Application Pool.
  3. Start the Web Site.

UPDATE II

From the comment discussion on this answer, @HydroPowerDeveloper was able to get the PHP script to be able to access the network share via UNC path using WebSite -> Basic Settings -> "Connect As" and setting the credentials there.

In the past, I have always used the approach of setting Identity via Application Pool and that has allowed my code to access Network shares via UNC path.

However, all of the sites/applications I have deployed on IIS are .NET based WCF or ASPX sites.

I would speculate (but am not 100% certain on this, would need research/testing to confirm) that the Identity specified in the Application Pool is used by executing .NET code, whereas the "Connect As" is used by the PHP script.

Philip Tenn
  • @Philip_Tenn Thanks for the answer...I did what you said...I found the application pool for my website, chose "custom account" and specified the credentials for an account that has access to the file share. However, my script still can't seem to access the network file...I get an error 500 "There is a problem with the resource you are looking for, and it cannot be displayed." Is there anything else that I need to do? – HydroPowerDeveloper Jan 30 '13 at 18:54
  • @HydroPowerDeveloper I have updated my answer, please try again. Please note that I have done this approach described above many times to access network shares and it has worked fine for me. – Philip Tenn Jan 30 '13 at 19:03
  • @Philip_Tenn Thanks for the update, Philip. I did everything you said (stop, recycle, start) and it's still not working...this is really bizarre! I know for a fact that the user account that I supplied has full access to the network share (I checked again). I even tried changing the Managed Pipeline mode from "Integrated" to "Classic"...no success. I should say that I have no problem accessing local files. Any other ideas? – HydroPowerDeveloper Jan 30 '13 at 19:13
  • @Philip_Tenn I got it working! I had to select my website from the "Sites" tree, choose "Basic Settings" and then "Connect As". I'm going to put the application pool settings back the way they were and see if it still works...I'll let you know in a minute – HydroPowerDeveloper Jan 30 '13 at 19:19
  • I set the application pool settings back the way they were and I'm still able to access the network share via my PHP script. I would really like to know the difference between the application pool settings and the "Connect As" setting of the website. – HydroPowerDeveloper Jan 30 '13 at 19:26
  • The "connect as" is the part that does the actual authentication :) – paulsm4 Jan 30 '13 at 19:42
  • 1
    @HydroPowerDeveloper I believe I understand what's going on now. You taught me something new about IIS today, thanks for looping back and providing your findings. I will update my answer with new insight from your findings. – Philip Tenn Jan 30 '13 at 20:00
  • 2
    @PhilipTenn I think that your Update II is correct (at least it makes a lot of sense to me). Thanks again for all your help and I'm going to accept your answer. Have a great day! =) – HydroPowerDeveloper Jan 30 '13 at 20:18
  • For classic ASP developers - note that using the "Connect As" setting makes this work for ASP 2 applications. – Onkel-j Apr 20 '16 at 11:05
  • I was accessing network location by virtual directory on IIS, clicked advanced settings on virtual folder, provided credentials, set credential logon type to interactive, it works for me on ASP.Net MVC application – sairfan Jun 23 '17 at 17:23
7

Generally the Application Pool is set up with the fewest privileges possible.

http://msdn.microsoft.com/en-us/library/ff647402.aspx

The easiest route is to allow access to the current IIS account.

In Explorer, navigate to the shared directory.

Right Click -> Properties -> Security

If you don't see the expected IIS user in the list (Group or user names), edit and add the user as required.

I used "NETWORK SERVICE" -> Check names.

The detailed instructions are on that site.

In this way, the system is still restricted, we're ONLY allowing access to specific directories, we don't need to create any new users, we don't need to recycle the application pool and we don't need to perform any nifty impersonation code.

razodactyl
  • 3
    For the majority of use cases, this is the preferred method. However, this only works if you are actually able/authorized to set access privileges on the network share in question. If you only have a pre-existing account to access the share, you will have to do it the way Philip Tenn outlined. – Colin Emonds Nov 30 '16 at 09:53
1

To resurrect an old question...

I've just been setting up a Win 2016 server that uses some Perl to access a UNC share. I set the Application Pool to an account that I verified had the correct permissions on that share. I then set up my site to 'Connect as...' (under 'Basic Settings') the same user. I still couldn't get access working.

Much head scratching later, I realised that my 'Virtual Directory', cgi-bin, was running under the original 'pass through' account. I then set up the virtual directory to 'Connect as...' the same account as the site and the application pool and, bingo, it all works fine.

So, remember to update any Virtual Directories as well as the site and App Pool...

SAL
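The answers above name three places where an identity can be set: the Application Pool, the site's "Connect As", and each Virtual Directory's "Connect As". The following read-only audit lists all three in one pass; it is an added example, not code from any of the posters. It assumes the WebAdministration module that ships with IIS on Windows Server 2008 R2 and later, an elevated prompt, and site names without apostrophes.

```powershell
# Added example: read-only audit of IIS identities. It changes nothing and
# never reads or prints stored passwords.
Import-Module WebAdministration

# 1. Application pool identities (Advanced Settings -> Process Model -> Identity)
Get-ChildItem IIS:\AppPools | ForEach-Object {
    New-Object PSObject -Property @{
        AppPool      = $_.Name
        IdentityType = $_.processModel.identityType
        UserName     = $_.processModel.userName   # populated only for a custom account
    }
} | Select-Object AppPool, IdentityType, UserName | Format-Table -AutoSize

# 2. "Connect As" for every virtual directory of every application of every site.
#    The site-level "Connect As" in Basic Settings is the root virtual directory
#    (App '/', VDir '/') of that site.
$report = foreach ($site in Get-Website) {
    $siteXPath = "system.applicationHost/sites/site[@name='$($site.Name)']"
    foreach ($app in Get-WebConfiguration "$siteXPath/application") {
        $appXPath = "$siteXPath/application[@path='$($app.path)']"
        foreach ($vd in Get-WebConfiguration "$appXPath/virtualDirectory") {
            # An empty userName means pass-through authentication (the default)
            $connectAs = if ($vd.userName) { $vd.userName } else { '(pass-through)' }
            New-Object PSObject -Property @{
                Site         = $site.Name
                App          = $app.path
                AppPool      = $app.applicationPool
                VDir         = $vd.path
                PhysicalPath = $vd.physicalPath
                IsUnc        = $vd.physicalPath.StartsWith('\\')
                ConnectAs    = $connectAs
            }
        }
    }
}

$report | Select-Object Site, App, VDir, AppPool, ConnectAs, PhysicalPath |
    Format-Table -AutoSize

# 3. Virtual directories still on pass-through: the case in the last answer,
#    where cgi-bin was left on the original account after the site was changed.
$report | Where-Object { $_.ConnectAs -eq '(pass-through)' } |
    Select-Object Site, App, VDir, IsUnc, PhysicalPath | Format-Table -AutoSize
```

Any account that shows up in the first two tables should be a dedicated low-privilege account whose rights on the share are limited to the directories the site needs, in line with the least-privilege point made in the second answer.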