Grant Permission to DefaultAppPool Identity

After upgrading web applications to IIS 7.5 on Windows Server 2008 R2, you might get following error.

Access to the path ‘d:sitecache.txt’ is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access to the path ‘d:sitecache.txt’ is denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate=”true”/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose “Properties” and select the Security tab. Click “Add” to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.

This is because in IIS6, application pools run under Network Service account, but in IIS7.5, there is a new feature called Application Pool Identities which lets you run application pools under a unique account without having to create and manage domain or local accounts.

image

So you need to assign permission to this new account as you previous did for Network Service identity used in IIS6:

  1. Select a file or directory that you want to grant permission on.
  2. Right-click on the file name, and then click Properties
  3. Click the Security tab
  4. Click Edit, and then click Add
  5. Click Locations, and select your computer
  6. In the Enter the object names to select text box, type IIS AppPoolDefaultAppPool
  7. Click Check Names, and then click OK

Now DefaultAppPool identity is allowed to access the file or directory you selected.

image

You can also do this in command line with the Icacls.exe tool. The following example gives full access to the DefaultAppPool identity:

icacls test.txt /grant "IIS AppPoolDefaultAppPool":F

Comments

7,168 responses to “Grant Permission to DefaultAppPool Identity”

Leave a Reply