I have two ASP.NET applications, configured to have read/write access to a shared NAS location that they use as a simple key-value file store.
The NAS location is mapped locally to each application by using NTFS directory junctions, like this:
C:\inetpub\App1\Content\files
C:\inetpub\App2\Content\files
The idea behind this is to have an app-relative path that is independent of the underlying storage solution.
It worked great until I configured each app to use dedicated AppPools. Now, the files generated by one app aren't readable by the other.
Upon examination of the security attributes on the files generated by both apps, I noticed that all newly generated files from either app exhibit the following anomaly:
- IIS_IUSRS account is given NONE of the permissions to the file
- the implicit IIS AppPool\App# account is given ALL permissions.
Since each app runs under its own IIS AppPool\App# account, this effectively prevents them from reading any files except those they generated themselves.
The actual code that creates files is identical in both apps and doesn't do anything special other than:
- creating a new subdirectory under the shared root and giving it a unique name
- creating a file in this subdirectory by means of .NET's System.IO.FileStream object, using all the default parameters.
What puzzles me is the fact that IIS_IUSRS is included among accounts with access, yet lacks all basic permissions, even though the parent and root folders are configured to include Read and Write permissions on "This folder, subfolders, and files".
What did I miss and how do I solve it?