In the vein of this question.

Other questions have touched on this, but let's get a complete answer down:

  1. What specific permissions are necessary for a generic IIS 7 site with a domain user as the app pool identity?

  2. What specific permissions are necessary for an ASP.NET IIS 7 site with a domain user as the app pool identity?

  3. Are there any tricks/shortcuts to applying these permissions?
sh-beta

1 Answer

If you set your website's anonymous authentication settings to use the app pool identity then you only need to grant the app pool identity access, unless you have a section of the site that doesn't use anonymous authentication, in which case you need to also grant the authenticated users access. I recommend that configuration. It's refreshing to not have to manage an app pool identity account plus an anonymous account.

If you aren't writing to disk, just list/read is all that is needed. If you need to write anything to disk then you'll need to grant write permissions too.

For #3, if it's just 1 server, you can do it from IIS Manager and NTFS permissions. If you plan to script this for multiple servers, let us know and we can provide further details.

Scott Forsyth
  • Thanks for the answer Scott. Are you saying that all you have to do for IIS 7 is add the user as the APP Pool ID? There's no "Logon as service" or similar requirements? Granting it access to the metabase or anything else that aspnet_regiis -ga does for IIS 6? – sh-beta Jan 08 '10 at 19:52
  • Nope, not anymore. With IIS6 you had to add to the IIS_WPG group, which took care of all of those permissions, but with IIS7, the identity user is automatically added to the IIS_WPG group in real-time. So, just add the user to the app pool settings, grant it access to disk and you'll be set. – Scott Forsyth Jan 09 '10 at 16:09
  • @Scott Forsyth: I did that (created a user, even added it to IIS_USERS, gave permissions on the folder, and set the app pool), and I'm getting security exceptions. When I set the app-pool to NetworkService everything works, but I want each of the sites hosted on the server with an isolated user account. Any idea? IIS7.5 btw – Ken Egozi May 10 '10 at 15:29
  • 3
    Ken, the best isolation is to give each site their own app pool, then grant permissions for the app pool. If you use ApplicationPoolIdentity, you can assign the app pool permissions on disk. The user looks like this: IIS AppPool\{apppool name}. http://learn.iis.net/page.aspx/624/application-pool-identities/. – Scott Forsyth May 13 '10 at 03:12
  • The identity of application pool APP is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon... – Triynko Jan 27 '11 at 17:20
  • If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. – Triynko Jan 27 '11 at 17:31
  • I found that the IIS_IUSRS group was listed in the local policy as having permission to "Log on as batch job". I added the user account to that group, and now the app pool starts successfully. This all happened because I decided to create a user for a third party developer to log into our server. I gave their account server login rights, database login rights, file access, created an app pool, gave IIS 7 remote management rights, and then set the account as the app pool identity. That BATCH LOGON thing was the only other thing I needed for it to be used successfully as an app pool identity. – Triynko Jan 27 '11 at 17:34
  • Additionally, as the error message states, I had to change the identity (to the same account, haha) and retype the password. That fixed it for me. So @KEN, after adding to the IIS_IUSRS group, you probably have to reset the identity by reassigning the same account to the app pool and retyping the password. – Triynko Jan 27 '11 at 17:37
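A scripted version of the setup described in this answer and its comments (one app pool per site, ApplicationPoolIdentity or a domain account as the pool identity, anonymous authentication running as that identity, read/execute on the content tree and modify only where the app writes), added here as an example; it is not the answer author's code or Microsoft's. It assumes IIS 7.x with the WebAdministration module, an elevated prompt, and constructed names: site and pool "MySite", content under C:\inetpub\MySite, domain account DOMAIN\svc_mysite.

```powershell
# Added example, not from the answer above. Assumes IIS 7.x, the
# WebAdministration module, and an elevated PowerShell session.
# Site, pool, path and account names below are constructed placeholders.
Import-Module WebAdministration

$site    = 'MySite'
$pool    = 'MySite'
$root    = 'C:\inetpub\MySite'
$uploads = Join-Path $root 'App_Data'   # the only folder the app writes to

# 1. One app pool per site, running as the built-in virtual account.
#    Its NTFS principal is "IIS AppPool\<pool name>" and needs no password.
if (-not (Test-Path "IIS:\AppPools\$pool")) { New-WebAppPool -Name $pool | Out-Null }
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel.identityType -Value ApplicationPoolIdentity
Set-ItemProperty "IIS:\Sites\$site"   -Name applicationPool -Value $pool
$principal = "IIS AppPool\$pool"

# Variant for the question's case, a domain service account (identityType 3 = SpecificUser).
# IIS_IUSRS membership supplies the "Log on as a batch job" right the comments mention.
# Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel `
#     -Value @{ identityType = 3; userName = 'DOMAIN\svc_mysite'; password = '<password>' }
# $principal = 'DOMAIN\svc_mysite'
# Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $principal

# 2. Let anonymous requests run as the app pool identity (blank userName),
#    so only that one principal needs rights on disk.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

# 3. Least privilege on disk: read+execute on the tree, modify only where the
#    app actually writes. (OI)(CI) make the ACE inherit to new files/folders.
icacls $root    /grant "${principal}:(OI)(CI)(RX)" | Out-Null
icacls $uploads /grant "${principal}:(OI)(CI)(M)"  | Out-Null

# 4. Verify what the identity ended up with on the content root.
Get-Acl $root | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq $principal } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

The "IIS AppPool\<name>" principal only resolves once the pool exists, so create the pool before granting the ACLs.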