So far all the Googling on this has talked about domain users, or running the process on the machine locally, neither of which is a fit for me.

I'm running a process on our build/deployment server (a Cake build script running on Team City, or locally on my machine) that deploys a web application to IIS on a remote server. As part of this I need to set the permissions on the directory it deploys to so that IIS can see and run the application. My issue is that the virtual account (IIS AppPool\MyAppPool) that is created cannot be seen from the Team City server, so I cannot set the permission. I get an exception:

System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.

So, is there any way to set the file permission of a folder on the Web Server from a Team City server or my local machine to permit access through a virtual IIS AppPool account? (Since I'm using Cake Build, any solutions in C# would be ideal, but I can launch other processes if absolutely necessary)

Uwe Keim
Colin Mackay
  • You can create a PowerShell or batch script which can create the IIS directory, map it to a physical location and also provide the necessary permission to the IIS user, and execute it as a step in Team City: https://www.trycatchfail.com/2008/12/05/setting-directory-permissions-with-windows-powershell/ – Shetty Feb 26 '18 at 09:59
  • Ensure the powershell runs on the local machine not on the cake server as the IIS user is local to that machine. You may need to use Powershell remoting to achieve this. – Liam Feb 26 '18 at 10:00
  • @Liam To reiterate, I cannot run the process on the Web Server (powershell or otherwise) – Colin Mackay Feb 26 '18 at 10:01
  • You don't need to, powershell remoting allows you to execute a powershell script on the server that remotes to another server. If you don't do this you can't interact with the IIS user at all. It's a local user account on that server, i.e. use `Enter-PSSession Server01` – Liam Feb 26 '18 at 10:02
  • https://learn.microsoft.com/en-us/powershell/scripting/core-powershell/running-remote-commands?view=powershell-6 – Liam Feb 26 '18 at 10:03
  • @Liam That looks promising as it worked at a PS prompt, although New-PSSession appears to be what is needed in a script. :) – Colin Mackay Feb 26 '18 at 10:29
  • See [Setting folder permissions using Web Deploy](http://davidsonsousa.net/en/post/setting-folder-permissions-using-web-deploy). Web Deploy can be run from your script and will take care of the mundane details of file locking, permissions, etc. Without using Web Deploy for this you are reinventing the wheel. – NightOwl888 Feb 26 '18 at 16:44

1 Answer

Going by some of the comments to the question, I came up with this as my final solution:

```powershell
function Add-RemoteAcl
{
    param(
        [string]$computerName,
        [string]$directory,
        [string]$user,
        [string]$permission
    )

    # Open a remoting session so the ACL change runs on the web server,
    # where the virtual account (e.g. IIS AppPool\MyAppPool) can be resolved.
    $session = New-PSSession -ComputerName $computerName
    try {
        Invoke-Command -Session $session -ArgumentList $directory, $user, $permission -ScriptBlock {
            param([string]$directory, [string]$user, [string]$permission)
            $acl = Get-Acl -Path $directory
            # Allow rule that is inherited by subfolders and files
            $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, $permission, "ContainerInherit, ObjectInherit", "None", "Allow")
            if ($null -eq $accessRule) {
                throw "Unable to create the Access Rule giving $permission permission to $user on $directory"
            }
            $acl.AddAccessRule($accessRule)
            Set-Acl -Path $directory -AclObject $acl
        }
    }
    finally {
        # Always close the session, even if the remote command fails
        Remove-PSSession $session
    }
}
```
Colin Mackay
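
A follow-up check a deployment step could run after the grant, as an added example that is not part of the answer above: it reads the ACL back over PowerShell remoting and reports whether the app pool identity holds more than an expected upper bound of rights. `Test-RemoteAcl`, its parameter names and the sample values in the final comment are hypothetical.

```powershell
# Added example: Test-RemoteAcl and its parameter names are hypothetical.
function Test-RemoteAcl
{
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][string]$User,
        # Upper bound on what the account should hold, e.g. 'ReadAndExecute'
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$MaxRights
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $Directory, $User, ([int]$MaxRights) -ScriptBlock {
        param([string]$directory, [string]$user, [int]$maxRights)

        # Resolve the account on the web server; resolving it from the build
        # server is what raised IdentityNotMappedException in the question.
        $account = New-Object System.Security.Principal.NTAccount($user)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

        # Allow rules carry the Synchronize bit (0x100000) implicitly; ignore it.
        $allowedMask = $maxRights -bor 0x100000

        # Explicit and inherited rules, with identities returned as SIDs
        $rules = (Get-Acl -Path $directory).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -ne $sid) { continue }
            if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

            # Any bit outside the allowed mask is a right beyond the expected bound
            $rights = [int]$rule.FileSystemRights
            $excess = $rights -band (-bnot $allowedMask)
            [pscustomobject]@{
                Directory    = $directory
                Rights       = $rule.FileSystemRights.ToString()
                Inherited    = $rule.IsInherited
                ExcessRights = ([System.Security.AccessControl.FileSystemRights]$excess).ToString()
                WithinLimit  = ($excess -eq 0)
            }
        }
    }
}

# Constructed values: server name, path and app pool are placeholders.
# Test-RemoteAcl -ComputerName 'WEB01' -Directory 'D:\Sites\MyApp' -User 'IIS AppPool\MyAppPool' -MaxRights ReadAndExecute
```

An empty result means no allow rule names the account directly; a row with `WithinLimit` set to false shows which rights exceed the bound and whether they were inherited from a parent folder.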