273

In IIS 7 on Windows Server 2008, application pools can be run as the "ApplicationPoolIdentity" account instead of the NetworkService account.

How do I assign permissions to this "ApplicationPoolIdentity" account. It does not appear as a local user on the machine. It does not appear as a group anywhere. Nothing remotely like it appears anywhere. When I browse for local users, groups, and built-in accounts, it does not appear in the list, nor does anything similar appear in the list. What is going on?

I'm not the only one with this problem: see Trouble with ApplicationPoolIdentity in IIS 7.5 + Windows 7 for an example.


"This is unfortunately a limitation of the object picker on Windows Server 2008/Windows Vista - as several people have discovered it already, you can still manipulate the ACL for the app-pool identity using command line tools like icacls."

Peter Mortensen
Triynko

6 Answers

301

Update: The original question was for Windows Server 2008, but the solution is easier for Windows Server 2008 R2 and Windows Server 2012 (and Windows 7 and 8). You can add the user through the NTFS UI by typing it in directly. The name is in the format of IIS APPPOOL\{app pool name}. For example: IIS APPPOOL\DefaultAppPool.

IIS APPPOOL\{app pool name}

Note: Per comments below, there are two things to be aware of:

  • Enter the string directly into the "Select User or Group" and not in the search field.
  • In a domain environment you need to set the Location to your local computer first.

Reference to Microsoft Docs article: Application Pool Identities > Securing Resources

Original response: (for Windows Server 2008) This is a great feature, but as you mentioned it's not fully implemented yet. You can add the app pool identity from the command prompt with something like icacls, then you can manage it from the GUI. For example, run something like this from the command prompt:

icacls c:\inetpub\wwwroot /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)

Then, in Windows Explorer, go to the wwwroot folder and edit the security permissions. You will see what looks like a group (the group icon) called DefaultAppPool. You can now edit the permissions.

However, you don't need to use this at all. It's a bonus that you can use if you want. You can use the old way of creating a custom user per app pool and assigning the custom user to disk. That has full UI support.

This SID injection method is nice because it allows you to use a single user but fully isolate each site from each other without having to create unique users for each app pool. Pretty impressive, and it will be even better with UI support.

Note: If you are unable to find the application pool user, check to see if the Windows service called Application Host Helper Service is running. It's the service that maps application pool users to Windows accounts.

JohnC
Scott Forsyth
  • Thanks for the explanation. Half-implementations stated to be such are far less irritating, because their odd behavior is explainable. Clearly there is a separate account with a unique SID for each app-pool, and they seem to be managed by the system, but I don't know how. I'm wondering if the NTFS is going to get cluttered as application pools are added, assigned permissions, and later removed while using these types of system-managed accounts. It seems too unstable. – Triynko Nov 04 '09 at 18:17
  • 1
    It is kind of an odd beast since it's not like a group where the user lives in a group, and it's not like a computer account vs. a user account which are completely different from each other. The app pool account 'overlaps' the app pool identity user. For example, you can have 5 app pools using Network Service and 5 others using custom accounts, but they are 10 different system managed app pool accounts. The advantages are noticed with the c:\inetpub\temp\appPools folder where it's managed automatically and locks the system cleanly. IIS leverages them well. Our use on folders is optional. – Scott Forsyth Nov 04 '09 at 23:12
  • 29
    Note that if you enter "IIS APPPOOL\DefaultAppPool" directly into the "Select User or Group" (instead of searching for it) when editing permissions, it will be recognized just fine (tested on Win7 x64 and Win2k8 R2 x64). – Milan Gardian Apr 07 '10 at 17:18
  • 5
    You're correct for Win7 and Win2k8 R2. It wasn't implemented in Win2k8 RTM, but is in R2. – Scott Forsyth Apr 17 '10 at 12:38
  • In SqlServer2008, IIS APPPOOL\DefaultAppPool is recognized, but when I want to create the user, I get an exception saying the DefaultAppPool is not found... – Lieven Cardoen Sep 17 '10 at 07:24
  • You don't need to create the user. It's done automatically (It's called a 'virtual account' actually). So the user exists, now you can assign to wherever you want. – Scott Forsyth Sep 20 '10 at 19:00
  • http://learn.iis.net/page.aspx/624/application-pool-identities/ – Eric Labashosky Oct 24 '10 at 22:07
  • Upvote for the last para about 2k8 R2 - exactly what I needed. – Murph Nov 09 '10 at 11:12
  • I wish I could up vote this a thousand times - one for each time I use this reference. Adding it to my favorites will have to do. – Jason Sep 16 '11 at 21:01
  • Isn't suffice to set permissions to IIS_IUSRS? – motobói Feb 07 '12 at 18:40
  • @motobói That opens some security concerns and sharing between all sites. It's possible but not preferred. – Scott Forsyth Feb 09 '12 at 05:52
  • @Scott, can you help me with this question? http://serverfault.com/questions/429996/cannot-find-iis-apppool-application-pool-name-user-account-in-windows-server – MacGyver Sep 19 '12 at 19:31
  • 9
    Finally got this - if you type the app pool name directly like @Milan Gardian says above *and* change the location field to the local machine then it works – Ciarán Bruen Jun 14 '13 at 10:49
  • @ciaran Bruen. You're right, that is required often in a domain environment. I'll make a note of it in the post above. Thanks for mentioning. – Scott Forsyth Jun 24 '13 at 22:11
  • 4
    Thank you so much for the 'two things to be aware of'. I was stumbling on both of these, and this was a clear and simple explanation of the problems and how to achieve what I needed to. It's just a shame none of the MSDN documentation was this clear. – Ian Grainger Nov 14 '13 at 11:00
  • Thank you @Ciaren. The key is having the local computer selected. – Neil Monroe Mar 25 '14 at 20:47
  • Would you mind emphasising the **set the Location to your local computer** bit? I've found that bit easy to miss, and sometimes I forget to do it and don't know what the problem is. – Sam Jul 02 '15 at 02:53
  • Hi @Sam. Sure, I updated to make it more clear. – Scott Forsyth Jul 19 '15 at 21:26
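As an added example (not code from Scott Forsyth's answer or from Microsoft), the following PowerShell script does what the icacls one-liner and the "Application Host Helper Service" note above describe, in one place: it checks that the helper service (service name AppHostSvc) is running, resolves `IIS APPPOOL\<pool>` to its SID so a typo fails before any ACL is touched, grants read/execute with inheritance, reads the ACL back to confirm the ACE, and checks that the pool really runs as ApplicationPoolIdentity. The pool name `DefaultAppPool` and folder `C:\inetpub\wwwroot` are assumed defaults; run it from an elevated prompt on the IIS server.

```powershell
# Added example, not code from the answer above. Grants an app pool's virtual
# account read/execute on a content folder the way the icacls one-liner does,
# then verifies the result. Assumed names: pool "DefaultAppPool", folder
# C:\inetpub\wwwroot. Run from an elevated PowerShell prompt on the IIS host.
param(
    [string]$AppPoolName = 'DefaultAppPool',
    [string]$Path        = 'C:\inetpub\wwwroot'
)

$identity = "IIS APPPOOL\$AppPoolName"

# 1. The "IIS APPPOOL\<name>" to SID mapping is provided by the Application
#    Host Helper Service (service name AppHostSvc). If it is stopped, neither
#    icacls nor the "Select User or Group" dialog can resolve the name.
$svc = Get-Service -Name 'AppHostSvc' -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Write-Warning "AppHostSvc is $($svc.Status); starting it so $identity resolves"
    Start-Service -Name 'AppHostSvc'
}

# 2. Resolve the name to its SID before touching any ACL. Pool SIDs share the
#    S-1-5-82 prefix; a failed Translate() means a typo in the pool name or a
#    pool that does not exist (there is no account to create by hand).
$account = New-Object System.Security.Principal.NTAccount($identity)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "$identity -> $($sid.Value)"

# 3. Grant read/execute only, inherited by subfolders (CI) and files (OI).
#    Content folders rarely need Modify; keep writable paths separate and narrow.
#    $($identity) is required because "$identity:" would parse as a drive prefix.
icacls $Path /grant "$($identity):(OI)(CI)(RX)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 4. Verify: read the ACL back and show the ACE that now belongs to the pool.
$aces = (Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -ieq $identity }
if (-not $aces) { throw "No ACE for $identity found on $Path" }
$aces | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize

# 5. Confirm the pool actually runs as its virtual account. If identityType is
#    NetworkService or a custom user, this ACE is not what the worker process
#    uses. Requires the WebAdministration module that ships with IIS.
Import-Module WebAdministration -ErrorAction Stop
$pool = Get-Item "IIS:\AppPools\$AppPoolName"
Write-Host "$AppPoolName identityType = $($pool.processModel.identityType)"
```

Once the ACE exists, the pool shows up with the group icon in the Explorer Security tab exactly as the answer describes, and the Get-Acl step is the quick way to audit which pools have rights on a folder without opening the dialog at all.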
24

You have to make sure that the From this location field is set to the local machine and not the domain.

I had the same issue and once I changed that it worked fine.

Ward - Reinstate Monica
Alan
4

You should really be creating groups per "role" and assigning that group accesses on the filesystem. Then add the app pool to the role-specific groups as necessary. This way even if you remove the app pool later (and the virtual user goes poof), you don't have to worry about redoing all the permissions, you just add the replacement app pool to the existing group.

Jimbo
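The "group per role" layout in this answer, as an added PowerShell example that is not part of the answer itself: the ACE goes on a local group once, each pool's virtual account is added as a member, and a replaced pool only needs a membership change. The group name `WebContentReaders` and the pool names `DefaultAppPool` and `ApiAppPool` are constructed for the example; net.exe is used for membership because it resolves `IIS APPPOOL\<name>` accounts without any extra modules (AppHostSvc must be running, as in the accepted answer).

```powershell
# Added example, not part of the answer above. Models the "group per role"
# approach: ACEs are granted to a local group once, and app pool identities
# are added to (or removed from) that group. Names below are constructed:
# group "WebContentReaders", pools "DefaultAppPool" and "ApiAppPool".
# Run from an elevated PowerShell prompt with AppHostSvc running.
param(
    [string]$GroupName  = 'WebContentReaders',
    [string]$Path       = 'C:\inetpub\wwwroot',
    [string[]]$AppPools = @('DefaultAppPool', 'ApiAppPool')
)

# 1. Create the role group if it is missing. net.exe is used because it
#    resolves "IIS APPPOOL\<name>" virtual accounts without extra modules.
& net localgroup $GroupName 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    & net localgroup $GroupName /add /comment:"Read-only access to web content" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not create local group $GroupName" }
}

# 2. Grant the filesystem rights to the group, never to individual pools.
#    Removing a pool later leaves an orphaned SID only in the group's member
#    list, not scattered across every folder ACL on the server.
icacls $Path /grant "$($GroupName):(OI)(CI)(RX)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 3. Add each pool's virtual account to the group. A non-zero exit with an
#    "already a member" message is harmless on re-runs, so it is only reported.
foreach ($pool in $AppPools) {
    $member = "IIS APPPOOL\$pool"
    $out = & net localgroup $GroupName $member /add 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host "added $member to $GroupName"
    } else {
        Write-Warning "$member not added: $($out -join ' ')"
    }
}

# 4. Group membership is evaluated when the worker process token is built,
#    so a running pool does not see the new group until it is recycled.
Import-Module WebAdministration -ErrorAction SilentlyContinue
if (Get-Command Restart-WebAppPool -ErrorAction SilentlyContinue) {
    foreach ($pool in $AppPools) {
        if (Test-Path "IIS:\AppPools\$pool") { Restart-WebAppPool -Name $pool }
    }
}

# 5. Show the resulting membership and the ACE the pools inherit via the group.
& net localgroup $GroupName
(Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

Swapping a pool is then `net localgroup WebContentReaders "IIS APPPOOL\OldPool" /delete` followed by the matching `/add` for the new pool and a recycle; the folder ACLs are never touched again.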
3

After reading @Scott Forsyth - MVP answer I tried to restart the Application Host Helper Service. That solved the problem for me.

Roger
0

I was running WS8 R2 and I could not add IIS APPPOOL\DefaultAppPool via Windows Explorer. The only way it worked was via command line:

cacls [FILE PATH] /T /E /G "IIS APPPOOL\DefaultAppPool":C

HopelessN00b
  • 2
    Strangely, I had to do "IIS AppPool\DefaultAppPool" for it to be accepted. Notice the mixed case - all uppercase, as I did the first time, wasn't accepted from the GUI. – Jeff McJunkin May 19 '15 at 19:58
0

If this question is about how to execute sp_send_dbmail in the msdb database (using the SQL Server Database Mail stored procedure in msdb), here is a workaround. Add the .NET application user name of your database (which is defined in the connection string in your .NET app) to the msdb users with "DatabaseMailUserRole" role membership.