An IIS website is run via an Application Pool which has its Identity advanced property set to ApplicationPoolIdentity. The website runs PHP scripts via a FastCGI handler. These scripts try to write to a file but the access is denied even the application pool user has enough permission. I have run ProcMon and it shows that the scripts are trying to open the files using IUSR instead of the application pool user.
- Website example.com
- Basic Settings - Application Pool = example.com
- Basic Settings - Connect As = Application user (pass-through authentication)
- Application Pool example.com
- Advanced Settings - Process Model - Identity - ApplicationPoolIdentity
- Script tries to write to a file
- C:\ABC\test.txt
- The directory C:\ABC has permission
- IIS APPPOOL\example.com - Full control, Type Allow, Applies to This folder, subfolders and files
When I open the scripts url, I get
PHP Warning: fopen(C:\ABC\test.txt): failed to open stream: Permission denied
When I run Sysinternal's ProcMon I see:
- Event
- Operation CreateFile
- Result Access Denied
- Path C:\ABC
- Desired Access: Read Data/List Directory, Syncchronize
- ShareMode: Read, Write, Delete
- Impersonating: NT AUTHORITY\IUSR
- Process
- Path …\php-cgi.exe
- User: IIS APPPOOL\example.com
How to fix it so the file is accessed using the example.com user?
