1

I'm making my first foray into setting up an ASP.NET MVC 3 application on IIS 8.5 and Windows Server 2012 R2. This application uses Active Directory & Windows authentication for permission management. On IIS 6, I had to give the machine ASP.NET (on the server) Modify permissions to my log folder so it could write to it. Currently, I don't see an ASP.NET machine account on this system. I've given Modify permissions to the NETWORK SERVICE account on the machine, but the application doesn't seem to be writing out to the log file. Mind you, this is a local log file; it is not part of IIS.

I'm sure the solution is probably some simple switch I need to flip, but I've been tracking this for hours and am not sure what's up. Does anyone have any thoughts?

I've made sure the following server roles and features are installed:

Application Development

  • .NET Extensibility 3.5
  • .NET Extensibility 4.5
  • Application Initialization
  • ASP
  • ASP.NET 3.5
  • ASP.NET 4.5
  • ISAPI EXTENSIONS
  • .NET Framework 3.5 Features
  • .NET Framework 4.5 Features
    • ASP.NET 4.5
    • WCF Services

Server Roles - Security

  • Basic Authentication
  • URL Authorization
  • Windows Authentication
jason

2 Answers

3

IIS 7+ uses a group called IIS_IUSRS that is built in, unlike the IIS6 users/groups that were added by IIS's installation. This allows ACLs to be transferable between servers.

If you are using an AppPool with a custom account, add it to the IIS_IUSRS group. If you are using the default accounts, ACL your folders using the IIS_IUSRS group.

Christopher_G_Lewis
0

From the official documentation:

IIS 7 and above also makes the process of configuring an application pool identity and making all necessary changes easier. When IIS starts a worker process, it needs to create a token that the process will use. When this token is created, IIS automatically adds the IIS_IUSRS membership to the worker processes token at runtime. The accounts that run as 'application pool identities' no longer need to be an explicit part of the IIS_IUSRS group. This change helps you to set up your systems with fewer obstacles and makes your overall experience more favorable.

Therefore, it looks like just ACLing the IIS_IUSRS group is enough, without the need to add the actual identity that runs the AppPool to the group itself.
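
The ACL change both answers describe, as an added PowerShell example that is not part of either answer: it grants Modify on the log folder to IIS_IUSRS only when no equivalent allow rule exists, then lists the resulting entries for that group. The folder path `D:\Logs\MyApp` and the helper name `Test-ModifyAllowed` are assumptions.

```powershell
# Added example: grant Modify on one log folder to IIS_IUSRS and verify it.
param(
    [string]$LogPath  = 'D:\Logs\MyApp',       # hypothetical path, replace with the real log folder
    [string]$Identity = 'BUILTIN\IIS_IUSRS'    # group named in the answers
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $LogPath -PathType Container)) {
    throw "Log folder not found: $LogPath"
}

# Resolve the name to a SID once, so comparisons do not depend on how
# Windows renders the account name (localized or differently qualified).
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = ([System.Security.Principal.NTAccount]$Identity).Translate($sidType)
$modify  = [int][System.Security.AccessControl.FileSystemRights]::Modify

function Test-ModifyAllowed {
    param($Acl)
    # Look at explicit and inherited rules, with identities returned as SIDs.
    $rules = $Acl.GetAccessRules($true, $true, $sidType)
    [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $modify) -eq $modify)
    })
}

$acl = Get-Acl -LiteralPath $LogPath
if (-not (Test-ModifyAllowed $acl)) {
    # Inherit to subfolders and files so rotated log files are writable too.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $LogPath -AclObject $acl
}

# Re-read from disk and fail loudly if the grant did not take effect.
$after = Get-Acl -LiteralPath $LogPath
if (-not (Test-ModifyAllowed $after)) {
    throw "Modify is still not granted to $Identity on $LogPath"
}

# Show every entry for the identity, including any Deny rule that would
# override the Allow and keep the application from writing.
$after.GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Format-Table AccessControlType, FileSystemRights, IsInherited, InheritanceFlags
```

Passing the pool's own virtual account, `IIS AppPool\<pool name>`, as `-Identity` scopes the grant to one application pool instead of every pool on the server.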