Run node.js server with IIS: strange permission behavior

Question

I have a simple node.js application running on localhost:3000, printing "Hello world".

When I start it from command line, everything works fine.

But when I start it with IIS (choosing "Browse website" in IIS manager), it gives following error:

iisnode encountered an error when processing the request.
HRESULT: 0x2
HTTP status: 500
HTTP subStatus: 1002
HTTP reason: Internal Server Error
You are receiving this HTTP 200 response because system.webServer/iisnode/@devErrorsEnabled configuration setting is 'true'.

In addition to the log of stdout and stderr of the node.exe process, consider using debugging and ETW traces to further diagnose the problem.

The last 64k of the output generated by the node.exe process to stderr is shown below:

Application has thrown an uncaught exception and is terminated:
Error: EPERM: operation not permitted, lstat ...

From several questions here on StackOverflow, I found this is a permission problem. So I granted full permission to the user of the site (following suggestions here and here), with no success, same error.

But when I change the Application Pool Identity from ApplicationPoolIdentity to LocalSystem, it works.

My problem is, this was just a try and I don't understand why it works. I'm confused about that and worried this is not the correct way to go. Can someone help me? Or maybe explain why this works?

Answer 1

This is a permission issue. The default identity of apppool is “ApplicationPoolidentity”, which is a virtual user created when the application pool is created and has few permissions. The localsystem has the highest authority.

Generally, Node.js starts listening on port 3000 through the command line, and IIS will reverse proxy the request to port 3000 and print “Hello World”. But your description is start it with IIS. I guess what you mean is to start node.js through IIS, that is, start node.js from app pool. App pool needs high authority to start local services, and the identity must be “local system”.

If you are worried about security issues, it is best to start node.js through the command line and proxy the request to port 3000. Through the test, even if the application pool identity is “ApplicationPoolIdentity”, it can work.