3

I am trying to understand IIS file permissions. A given file has "full control" permissions for IIS_IUSRS. But it seems all Application Pool Identity users cannot access the file. (I have noticed that some of my Application Pool Identity users were not members of IIS_IUSRS for some reason, so I simply added them manually.)

When a given Application Pool Identity is a member of IIS_IUSRS, how can it be that the Application Pool Identity user cannot access the file if IIS_IUSRS can access it? Please see my screenshots below. Thank you.

IIS_IUSRS has "Full Control."

IIS_IUSRS also has "Full Control" under "Effective Permissions," but a given Application Pool Identity user has no permissions under "Effective Permissions."

user1325179
  • 153
  • 2
  • 6

1 Answers1

7

When using anonymous authentication by default IIS uses a specific user named IUSR to access files. This user is automatically a member of the Windows Users but not a member of IIS_IUSRS

If you removed permissions for Users from your files, the default site setup wont work anymore.

I usually don't use IUSR, to change this in the GUI, select the server or site node and open the Authentication icon, select Anonymous Authentication and the Edit in the Actions pane on the right:

Anonymous Authentication settings in IIS

change from a specific user to Application pool identity, now the file access is done via this account and it should be able to access your files.

You can do the same in PowerShell:

For the whole server:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/authentication/anonymousAuthentication" -name "userName" -value ""

For a specific site:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'SiteName' -filter "system.webServer/security/authentication/anonymousAuthentication" -name "userName" -value ""

I wrote a bit about this in a blog post

Peter Hahndorf
  • 14,058
  • 3
  • 41
  • 58
  • Thank you, but I'm interested in fixing the permissions issue first please. Why can IIS_IUSRS access the file, but the Application Pool Identity user can't? Please see my second screenshot. – user1325179 Jun 01 '16 at 16:46
  • @user1325179 - I would just say the `effective access` tool doesn't always work for special accounts like `IIS APPPOOL\*`, because additional security tokens are inserted into the process at runtime. Just see whether you still have a problem after changing the anonymousAuthentication identity. – Peter Hahndorf Jun 01 '16 at 19:28
  • @PeterHandorf, no, that didn't work. ASP.NET still reports that access is denied. Thank you though. – user1325179 Jun 01 '16 at 21:27
  • @user1325179 - Assuming you have a 401.3, I would use `Failed Request Tracing` to look closer into it. Look for events: `MODULE_SET_RESPONSE_ERROR_STATUS`, and ` FILE_CACHE_ACCESS_START`. – Peter Hahndorf Jun 02 '16 at 06:32
  • @PeterHandorf, I'm not getting a 401.3 error. Again, thank you anyway. – user1325179 Jun 02 '16 at 16:03