Monday, August 17, 2015

windows server 2008 r2 - IIS 7.5 folder and web site permissions



Situation:




  • test website created in IIS server manager



    • basic settings/connect as: Application user

    • authentication/anonymous authentication/edit: application pool identity


  • physical path has "IIS AppPool\DefaultAppPool" read and execute, list folder contents and read permissions (plus administrators/system with inherited full control)


    • contains a single file, index.html (plus generated web.config with the above settings)





Errors:




  • HTTP Error 500.19 - Internal Server Error

  • Config Error Cannot read configuration file due to insufficient permissions



Questions:





  • how do I make it work with app identity? (got it to work using using iusr both under anonymous auth and with rx permission on the physical folder)

  • am I doing it wrong or this is indeed the best practice as most resources I've found seem to suggest?



I'd also really appreciate any good tutorials on the "basics" of IIS 7.5 - I have been unable to find answers to this specific questions on learn.iis.net and several other sites and generally found the resources available there very fragmented.



Related: IIS 7.5 web site directory permisions, Windows Server 2008 R2 - IIS7.5 - Web site permissions


Answer



If you've created the website using the usual IIS7.5 out-of-the-box defaults then your "test website" will have had an application pool created for it as well.




The default identity that the site will execute requests as is ApplicationPoolIdentity. ApplicationPoolIdentity is a special synthesised account that is created on the fly and represents the identity of your site's application pool.



You state:




physical path has "IIS AppPool\DefaultAppPool" read and execute




This would explain why you're getting the 500.19 error. Unless you assigned the site to the "DefaultAppPool" application pool this permission won't be doing anything useful.




You need to assign the ApplicationPoolIdentity of the site (at least) read and execute permissions. To do this execute the following from the command line:



icacls  /grant "IIS APPPOOL\"(CI)(OI)(M)


Where is the name of the application pool that was created for your test site. You can find its name by executing:



appcmd list app /site.name:""



This will return something like and displays the name of your site's application pool (which ApplicationPoolIdentity is named after:



APP "test site/" (applicationPool:test site)

No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...