49

I am attempting to launch a website from an 'AppPool' called 'SomeAppPool' which uses the 'ApplicationPoolIdentity' and when I do I receive the following error when I launch the website:

The current identity (IIS_APPPOOL\SomeAppPool) does not have write access to 'c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files'

I'm launching the website with 'Use Local IIS Web Server' within Visual Studio 2012 (with no debugger attached) under Windows 8.

The first thing I noticed is that the 'Temporary ASP.NET Files' folder does not even exist so there is nothing to set security permissions on.

The second issue is, even if there was a folder, what permissions would I set? I'm assuming that I should not have to set permissions for each user created through 'ApplicationPoolIdentity'. Right?

The current solutions i've seen simply suggest to set the user to 'Network Service' but this seems to break the isolation of the website for which 'ApplicationPoolIdentity' was introduced.

karmasponge
  • 1,169
  • 2
  • 12
  • 26
  • I'm having exactly the same issue. Were you able to find a solution for this? – Mehdi Maujood Jul 21 '14 at 12:32
  • No, unfortunately I have not found anything to resolve this issue. I'm starting to think that there is in fact no solution. I find it difficult to believe though that Microsoft would add the 'ApplicationPoolIdentity' feature without considering the impact on .NET applications. – karmasponge Aug 04 '14 at 02:24
  • Should I add an explicit answer than says don't use 'ApplicationPoolIndentity' with .NET apps? – karmasponge Aug 04 '14 at 03:47
  • It appears your instincts are correct. Network Service is not preferred "because services running as Network Service can tamper with other services that run under the same identity" per the following link: (http://www.iis.net/learn/manage/configuring-security/application-pool-identities). – Tony L. Oct 22 '15 at 14:43

11 Answers11

102

This ASP.NET forum answer, unacknowledged in its thread, was the solution for me. It's also low-impact: it doesn't try to re-register IIS or give the user dangerous privileges. To summarize the answer:

  1. Open a Command window as an administrator (Start / Programs / Accessories, then right-click over Command Prompt, then choose "Run as administrator").

  2. Enter the following command:

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet_regiis.exe -ga domain\user

Substitute your domain and user for domain\user in the example above. That's all it took.

The Microsoft documentation for Aspnet_regiis.exe is here. Note that the documentation for the -ga switch refers to a bug in versions 3.5 and earlier, where it wouldn't work with local accounts. If I'm reading it correctly, domain accounts are supported for all versions and local accounts are supported starting with Framework 4.0.

Update 6 June 2017: For Windows 8 and above, consider the dism command instead. It's covered in this SO answer. Thanks to @codebrain for suggesting this.

Update 7 July 2015: @Vertigo kindly commented that this answer also worked for the NETWORK SERVICE account in .NET 2.0 under 2008R2/2012, so my disclaimer above about local accounts pre-4.0 may be wrong.

If anyone else finds that this works for a local account under .NET 3.5 or earlier, please feel free to edit my answer or to note it in the comments; it would be a great help to others who may experience this same problem.

Ed Gibbs
  • 25,924
  • 4
  • 46
  • 69
  • 1
    Used the solution to create missing temporary folders for the version 2.0 under 2008R2/2012. Faced no problems with the "NETWORK SERVICE" account (though it is not truly local account). – Vertigo Jul 07 '15 at 10:10
  • Thanks for the update @Vertigo! The documentation was hard for me to follow (it's not really my specialty area) so your comment improves my answer immensely; I truly appreciate it. – Ed Gibbs Jul 08 '15 at 00:50
  • 6
    Be sure to surround the `domain\user` part with quotes if it contains a space, e.g. `... -ga "IIS AppPool\DefaultAppPool"` – Rudey Apr 20 '16 at 13:57
  • 1
    If this doesn't work, try `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_regiis.exe -ga domain\user` instead. (non 64 bit version) – Rudey Feb 15 '17 at 07:23
  • Thanks @codebrain; excellent suggestion! I found that someone else had already provided an answer, so I linked to their answer instead. – Ed Gibbs Jun 07 '17 at 01:23
  • 1
    Use the principal name `IIS_IUSRS` if it's an IIS app pool that can't write to the temp directory. – O. Jones Apr 13 '20 at 19:31
  • use IIS_IUSRS as the domain name user – Mohammad Abu Hmead Aug 12 '20 at 05:38
12

I faced same problem. I checked the path c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ looking for Temporary ASP.NET Files, but there was not any folder by this name. so I created a new folder manually and named it Temporary ASP.NET Files and problem fixed.

So ensure the mentioned path exists.

Behnam
  • 1,039
  • 2
  • 14
  • 39
9

Along with the up voted solutions, Please check your disk space and make sure there is enough disk space available.

I just ran in to this issue on one of our production server and it was related to the low disk space.

Dilish
  • 429
  • 4
  • 11
  • 1
    Wow this was the exact same case that happened to our Production server. Fortunately I was able to find your answer within a few minutes The logs was eating up the disk space – Louie Almeda Feb 10 '19 at 23:15
  • It would be easy to brush this off and not check but after being convinced nothing had changed in terms of the app pool user and security, sure enough my dev machine had 10% left on the drive. – Phil Cooper Apr 27 '21 at 16:31
9

I resolved the error by adding the user the application pool uses to IIS_IUSRS group.

Alocyte
  • 293
  • 4
  • 13
2

We're 2021 now, but ran into this issue as well on a Windows Server 2019.

The error CS0016 was misleading in my case: Giving permissions for ApplicationPool-Identities or similar users on the Temporary ASP.NET Files didn't work and wasn't the actual issue.

After installing a fresh server, Users does not have permission to modify the temp folder in the C:\Windows directory. When .NET needs to write temporary files to the temp folder, an exception occurs because of no permission to write.

Assigning modify permissions for Users to the temp folder under the C:\Windows directory worked for me.

Gigi2m02
  • 1,238
  • 3
  • 17
  • 33
1

Being in the C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319 try running the aspnet_regiis.exe command.

Typically the permissions should be set up. If Windows Add/Remove Programs happen, or if new .NET versions get installed, these things get reset a bit. Running the aspnet_regiis.exe should help there.

Also, ensure you're running Visual Studio as an Administrator.

Raja Nadar
  • 9,409
  • 2
  • 32
  • 41
  • 1
    If I attempt to run 'aspnet_regiis.exe -I' for the v4.0.30319 framework under Windows 8 I get an error message saying that its not supported. See this article: http://www.c-sharpcorner.com/UploadFile/7e39ca/how-to-install-Asp-Net-4-5-in-windows-8/. – karmasponge Apr 01 '14 at 00:03
  • I have setup Visual Studio to always run as 'Administrator' though in this scenario I don't see why that would make any difference (as I'm running under IIS). – karmasponge Apr 01 '14 at 00:05
0

I just ran into this and what I did was to create a new account, lets say its "Webby".

In ISS, go into Advance Settings of your page and change "Physical Path Credentials" to the Webby account. The Path field above that has the webpage directory; open this folder in Explorer and add Webby with Modify permissions. Under "Failed Request Tracing" there's a logs directory; add modify to that too and set "Enabled" to true (you can turn it off later, but make sure it'll work). At this point you can try your site and you should definitely get the error message, because of the user you are using.

The current identity (YOUR\Webby) does not have write access to 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files'.

Now, to fix your problem, you will need to go to the 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files' directory and add Webby to that as well, again Modify works.

The solution of using a special account just for websites is a good idea. It is a real account (not virtual like ApplicationPool) and Windows doesn't get confused (...as easily).

Hope this helps.

Engineer
  • 834
  • 1
  • 13
  • 27
0

In IIS7, I right clicked on the virtual directory, removed the application and added it again. That fixed it for me.

Dave
  • 4,949
  • 6
  • 50
  • 73
0

i resolved it by freeing disk space

Shimon Doodkin
  • 4,310
  • 34
  • 37
0

I have had this problem, and I can resolved it. You only have to give permissions to the folder: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files, for your current user. It's easily.

Good luck!!

Mehdi Daustany
  • 1,018
  • 4
  • 10
  • 23
0

This happened to one of my websites, and the tech support team at my web host resolved it by changing the TEMP directory for ASP.NET using the tempDirectory attribute on the compilation node of my web.config file like this:

<system.web>
  <compilation debug="true" targetFramework="4.6.1" tempDirectory="c:\temp" />
  ...
</system.web>

Please note: The directory must be accessible to the service account, so setting permissions may be part of the solution, but no other answer has referenced this poorly documented tempDirectory web.config attribute.

CZahrobsky
  • 762
  • 7
  • 7