3

I have an ASP.Net MVC3 application that has been running fine in the default Application Pool on my IIS 6 server.

I need to get it running under its own service account, so I created a new Application Pool and moved the application into it. With default settings the application continued to work fine.

I set a custom Identity on the application pool, and the application now just gives me the "Directory Listing Denied" error.

I tried switching the identity back to Network Service, and the application started working again.

What could be preventing the application from running with the custom Identity? It's like ASP.Net is not even starting up.

I've run aspnet_regiis -ga <domain\username> and added the account to the IIS_WPG group, so the identity account should have access to ASP.Net.

More Info

I've been doing some diagnostics with Process Monitor and it shows that aspnet_isapi.dll is not being loaded with the custom identity.

When the identity is "Network Service" I can see aspnet_isapi.dll being loaded followed by webengine4.dll. This happens immediately after the NTLM authentication occurs.

With the custom identity, the NTLM authentication happens and then the w3wp process just starts looking for the default files (Default.aspx, Default.htm, etc).

I've checked, and the account has access to the framework version folder where these DLLs are stored.

Andrew Cooper
  • 32,176
  • 5
  • 81
  • 116
  • Maybe you did this already, but sometimes the "Directory Listing Denied" error happens when you have the option "Verify that file exists" active on your mapping configuration (Application/Properties/Directory/Configuration/Mappings, go to Insert then browse to where your aspnet_isapi.dll is, selected and finally uncheck "Verify that file exists", ok...) – Gabe Thorns Dec 17 '12 at 13:08
  • @GabeThorns - Thanks. This led me in the right direction. See my answer. – Andrew Cooper Dec 17 '12 at 22:28
  • it's nice to help, glad you solved your problem! – Gabe Thorns Dec 18 '12 at 12:30

5 Answers5

1

you need to give the user that you are specifying in the custom identity explicit read or read/write at the folder level of you application. Right click on the containing folder then "Properties" and add the user with the permissions required by the app to the security tab.

viperguynaz
  • 12,044
  • 4
  • 30
  • 41
  • Doesn't help. The account is a member of the IIS_WPG group which has ReadExecute permissions on the application folder. Just to be sure I also explicitly gave the account ReadExecute permissions on the folder with no change in behaviour. – Andrew Cooper Dec 17 '12 at 03:56
1

Turns out I needed a wildcard mapping to aspnet.isapi.dll, though I'm not sure why.

Without the custom identity the application works fine without a wildcard mapping. With the custom identity I need the mapping. On another server the custom identity work fine without a mapping. Weird.

Andrew Cooper
  • 32,176
  • 5
  • 81
  • 116
  • I know this is old, but any chance you can enlighten us on how to create a wildcard mapping to aspnet.isapi.dll? – Aaron Jun 29 '16 at 15:45
0

Did you already check Directory browse settings?

http://www.iis.net/configreference/system.webserver/directorybrowse

phil soady
  • 11,043
  • 5
  • 50
  • 95
0

Now that you are using a different user then the default one, make sure that you have set the Anonymous Authentication to use the app pool user. There could also be something related to what @Gabe Thorns mentioned, it might be an issue with wildcard mappings. If you do not have wildcard mappings set to run the asp process then it will try and look for files, avoiding asp processors.

Hope that helps.

Connor Ross
  • 345
  • 2
  • 13
0

Have you explicitly granted permissions to the application pool identity on the application folder?

The account should be something like IIS AppPool\MyAppPoolName

enter image description here

More info on this can be found here: http://www.iis.net/learn/manage/configuring-security/application-pool-identities

Ulises
  • 13,229
  • 5
  • 34
  • 50