
I created a local "testsite" in IIS version 10.0.17763.1

When I tested settings:

Authentication - success

Authorization - cannot verify access path, with error message:

"The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again."

I tried to grant access to mypcname$, but get an error message:

"An object named "mypcname$" cannot be found. Check the selected object types and location for accuracy and ensure that you typed the object name correctly, or remove this object from the selection."

What should I do?

I do understand I need to add an identifier with access; the questions are:

  1. Which identifier (as mypcname$ didn't work)
  2. to which files

Waiting for help,

Efrat

Efrat Nakash

2 Answers


You cannot authenticate to network locations unless your AppPool is running under the NetworkService identity or using an AD (service) Account. If you are trying to authenticate to local resources on the Web Server then that will change who your AppPool identity is and which account you grant access.

Which account you grant access depends on what Identity you are using to run your AppPool.

Network Resource:

AppPool identity should be NetworkService (at a minimum), or an AD Service Account (preferably a Managed Service Account or Group Managed Service Account). If you use the NetworkService then the computer object needs to be trusted for delegation. If you use a Service Account then that account needs to be trusted for delegation. Without these settings in place the account will not be able to impersonate the connected user to the remote resource. In order to enable delegation the account needs to have the appropriate Service Principal Name (SPN) defined (HTTP/[fqdn of website]). Once the SPN is configured you can enable/configure delegation.

If you are using NetworkService then you need to change the security object type to include Computers and change the location to search your AD Domain.

[screenshot: security object type]

Then search for your computer name again, mypcname$

If you are using a service account then you will also need to change the security object type to include Service Accounts (sometimes Computers, depending on the version of Windows and your AD domain) and change the location to search your AD Domain. Search for your service account name, myserviceaccount$.

Don't forget to grant these permissions on both the NTFS level and the share access level.

Local Resource:

You can still use an AD service account to run your AppPool, but it's not required. In this case you can just use ApplicationPoolIdentity. When using the ApplicationPoolIdentity you would grant the 'IIS AppPool\[AppPoolName]' account on the local machine access to the resource. Replace [AppPoolName] with the name of your application pool.

Tim Liston
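The two cases in the answer above, carried out from the command line. This is an added example and not code from the question or the answer; the site and pool name `testsite`, the path `C:\inetpub\testsite`, the domain `CONTOSO`, the computer `MYPCNAME`, the file server `FILESRV` with share `content`, and the FQDN `testsite.contoso.com` are all assumed placeholders. For the delegation step it uses resource-based constrained delegation on the file server's computer object rather than the unconstrained "trusted for delegation" flag, because that limits what the web server's identity can be impersonated to.

```powershell
# Added example (not from the question or answers). All names are assumptions:
# app pool/site "testsite", path C:\inetpub\testsite, domain CONTOSO,
# web server MYPCNAME, file server FILESRV sharing D:\shares\content as "content".
#Requires -RunAsAdministrator

$AppPoolName  = 'testsite'
$PhysicalPath = 'C:\inetpub\testsite'

# --- Local resource: pool runs as ApplicationPoolIdentity -------------------
# The virtual account "IIS AppPool\<name>" exists only once the pool exists.
Import-Module WebAdministration
if (-not (Test-Path "IIS:\AppPools\$AppPoolName")) {
    New-WebAppPool -Name $AppPoolName | Out-Null
}
# Read + execute only, inherited by subfolders (CI) and files (OI).
# The pool identity needs to read the content, not modify it or web.config.
icacls $PhysicalPath /grant "IIS AppPool\${AppPoolName}:(OI)(CI)RX" | Out-Null

# --- Network resource: pool runs as NetworkService -------------------------
# NetworkService presents the computer account DOMAIN\COMPUTER$ to remote
# hosts, so that is the principal that needs both share and NTFS read.
$ComputerAccount = 'CONTOSO\MYPCNAME$'
$ShareName = 'content'              # share name on FILESRV
$SharePath = 'D:\shares\content'    # the share's local path on FILESRV

# Run these two on FILESRV: share-level and NTFS-level permission both matter.
Grant-SmbShareAccess -Name $ShareName -AccountName $ComputerAccount -AccessRight Read -Force | Out-Null
icacls $SharePath /grant "${ComputerAccount}:(OI)(CI)RX" | Out-Null

# --- Delegation prerequisite (run with the ActiveDirectory RSAT module) ------
# 1. SPN for the site's FQDN on the account that runs the pool (the computer
#    account here; use the service account / gMSA name instead if the pool
#    runs under one).
setspn -S HTTP/testsite.contoso.com 'CONTOSO\MYPCNAME$'

# 2. Allow MYPCNAME to impersonate connected users only toward FILESRV
#    (resource-based constrained delegation, set on the resource's object).
Import-Module ActiveDirectory
$WebServer = Get-ADComputer -Identity 'MYPCNAME'
Set-ADComputer -Identity 'FILESRV' -PrincipalsAllowedToDelegateToAccount $WebServer
```

If the pool runs as a domain service account instead of NetworkService, pass that account to `setspn`, grant it the share and NTFS rights in place of `CONTOSO\MYPCNAME$`, and give `Get-ADUser` (or `Get-ADServiceAccount` for a gMSA) as the principal allowed to delegate.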

Solution was simple:

I granted access to the testsite folder to IUSR and computername\IIS_IUSRS, deleted web.config, and now it works.

Thanks for your attention

Efrat Nakash
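Whichever of the two answers is followed, the thing to verify afterwards is that the IIS principals can read the physical path and that none of them was given more than read. The script below is an added check, not part of either answer; it assumes the folder `C:\inetpub\testsite` and an application pool named `testsite`, and looks at the three principals the answers mention (the pool's virtual account, `IUSR`, and `IIS_IUSRS`).

```powershell
# Added example (not from the question or answers). Assumed names:
# folder C:\inetpub\testsite, application pool "testsite".
$PhysicalPath = 'C:\inetpub\testsite'
$AppPoolName  = 'testsite'

# Principals granted by one answer or the other. Get-Acl reports the pool's
# virtual account as "IIS APPPOOL\<name>", so comparisons are case-insensitive.
$Principals = @(
    "IIS AppPool\$AppPoolName",
    'NT AUTHORITY\IUSR',
    'BUILTIN\IIS_IUSRS'
)

# What a web site's content needs (read + execute) versus what it should not
# have (anything that lets the worker process rewrite content or web.config).
$ReadMask  = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$BroadMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Test-IisReadOnlyAccess {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Identities
    )
    $acl = Get-Acl -Path $Path
    foreach ($id in $Identities) {
        # Combine every Allow ACE for this identity (explicit and inherited).
        $rights = 0
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -ieq $id) {
                $rights = $rights -bor [int]$ace.FileSystemRights
            }
        }
        # Deny ACEs take precedence; note them so a "HasRead" is not misleading.
        $denied = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -ieq $id
        }).Count -gt 0

        [pscustomobject]@{
            Path          = $Path
            Principal     = $id
            HasRead       = (($rights -band $ReadMask) -eq $ReadMask) -and -not $denied
            WiderThanRead = ($rights -band $BroadMask) -ne 0
            HasDenyAce    = $denied
            Rights        = [System.Security.AccessControl.FileSystemRights]$rights
        }
    }
}

# The folder itself, then web.config if one is present: IIS only needs to
# read it, and a pool identity that can write it can change the site's config.
$targets = @($PhysicalPath)
$cfg = Join-Path $PhysicalPath 'web.config'
if (Test-Path $cfg) { $targets += $cfg }

$targets | ForEach-Object { Test-IisReadOnlyAccess -Path $_ -Identities $Principals } |
    Format-Table Path, Principal, HasRead, WiderThanRead, HasDenyAce, Rights -AutoSize
```

A row with `HasRead = False` for the identity the pool actually runs as reproduces the "cannot verify access" result from the question; a row with `WiderThanRead = True` means the grant was broader than the site needs and should be tightened to `(OI)(CI)RX`.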