
Make sure your application pool identity account on your server has permissions to start that service. It works on your ASP.NET Development Server because it runs under your user account (admin). In a default IIS configuration, this account is Network Service or ApplicationPoolIdentity (depending on IIS version) and usually cannot manage services.

So, change the pool account in IIS Manager (Application Pools/NameOfYourPool/Advanced Settings). You can use a built-in account or one from your domain.

c# - System.ComponentModel.Win32Exception: Access is denied Error - St...

c# asp.net iis iis-7 iis-7.5

If the SQL Server is on a different box than IIS then the identity of the IIS application pool has to be trusted for constrained delegation. See How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0. If the IIS app is running as NETWORK SERVICE or SYSTEM then the IIS machine account has to be trusted for constrained delegation. The linked resource has all the steps to set this up.

If the SQL Server is on the same machine as IIS then there isn't any requirement afaik.

asp.net - Application pool identity in IIS and Integrated security to ...

asp.net iis windows-server-2003 application-pool

A request comes into your server and is picked up by http.sys (the kernel part of IIS). It doesn't know what to do with it and asks WAS (Windows Process Activation Service); WAS checks the configuration and figures out the web site and application pool to be used for this request. If the pool is not running, it tries to start it. If it can't start the pool, it reports back to http.sys: "sorry, I tried but I can't start the pool." At this point http.sys has no option but to respond that the service for this request is not available.

If you look at the response header of your failed request, you will most likely see a

Server: Microsoft HTTPAPI/2.0

rather than a

Server:Microsoft-IIS/8.5

that means the response comes from http.sys rather than the user mode part of IIS.

%SystemRoot%\System32\LogFiles\HTTPERR

Maybe the request made it into the log file for the site; the HTTP sub-status code next to the 503 may be helpful to know.

Most often, the pool cannot be started due to authentication problems. Double-check the identity of the pool. Use the security event log or Process Monitor to troubleshoot.

asp.net - In IIS, why app in application pool always stops and IIS ser...

asp.net windows iis
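
The answer above points at the HTTPERR log as the place where http.sys records requests it rejected on behalf of a pool that would not start. The PowerShell below is an added example, not part of the original answer: it parses the `#Fields:` header of an HTTPERR log and summarises 503 entries per application pool and reason code, so a pool that keeps failing to start (reason `AppOffline`) stands out from queue saturation (`QueueFull`) or idle-timeout noise. The embedded log lines are constructed for the example; on a real server replace them with `Get-Content` over `%SystemRoot%\System32\LogFiles\HTTPERR\httperr*.log`.

```powershell
# Constructed sample in the HTTPERR layout; real files live under %SystemRoot%\System32\LogFiles\HTTPERR.
$sampleLog = @'
#Software: Microsoft HTTP API 2.0
#Version: 1.0
#Date: 2016-03-01 08:00:00
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2016-03-01 08:00:01 10.0.0.5 51234 10.0.0.10 80 HTTP/1.1 GET /app/ 503 2 AppOffline MyAppPool
2016-03-01 08:00:02 10.0.0.5 51235 10.0.0.10 80 HTTP/1.1 GET /app/login 503 2 AppOffline MyAppPool
2016-03-01 08:00:05 10.0.0.7 40001 10.0.0.10 80 - - - - - Timer_ConnectionIdle -
2016-03-01 08:00:09 10.0.0.8 40002 10.0.0.10 80 HTTP/1.1 POST /api/orders 503 3 QueueFull OrdersPool
'@

function ConvertFrom-HttpErrLog {
    # Turn W3C-style HTTPERR lines into objects, using the #Fields: header for property names.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split ' '
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $record[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$record
    }
}

function Get-AppPool503Summary {
    # One row per (queue/pool, reason) pair, so a pool that will not start is visible at a glance.
    param([string[]]$Lines)
    ConvertFrom-HttpErrLog -Lines $Lines |
        Where-Object { $_.'sc-status' -eq '503' } |
        Group-Object -Property 's-queuename', 's-reason' |
        ForEach-Object {
            [pscustomobject]@{
                AppPool = $_.Group[0].'s-queuename'
                Reason  = $_.Group[0].'s-reason'
                Count   = $_.Count
                First   = '{0} {1}' -f $_.Group[0].date, $_.Group[0].time
            }
        }
}

# Run over the embedded sample; for a real log use (Get-Content 'C:\Windows\System32\LogFiles\HTTPERR\httperr1.log').
Get-AppPool503Summary -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

The idle-timeout line carries `-` in the status column and is dropped by the `503` filter, which is the usual source of noise in these logs. A pool that keeps appearing with reason `AppOffline` is the one whose identity or password to check, as the answer suggests.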

That article states (under "Accessing the Network") you still use the <domainname>\<machinename>$ aka machine account in the domain.

So if both servers are in "foobar" domain, and the web box is "bicycle", the login used to the SQL Server Instance is foobar\bicycle$

If you aren't in a domain, then there is no common directory to authenticate against. Use a SQL login with username and password for simplicity.

If the domains are trusted then you can still use the machine account (use domain local groups for SQL Server, into which you add global groups, etc.)

As for using app pool identities, they are local to your web server only as per article. They have no meaning to SQL Server. If you need to differentiate sites, then use proper domain accounts for the App Pools.

You can't have it both ways...

Hi, sorry if I was not clear. IIS and DB servers are in different networks/domains (the IIS server is in the DMZ, while the DB server is "inside"). Additionally, I like the app pool identity approach because it allows specifying which identity has access to which database... If I use the machine account then I would lose that granularity, right?

Sorry, if I understood the articles correctly, the app pool identities are virtual accounts that are "injected" at the time the worker starts for a particular pool (app in my case). If I stop IIS, I am still able to add APP POOL\MyAppAppPool to SQL Server logins on my local DB instance (same machine) but not on the remote DB server (different machine)... From the SQL Server standpoint the login does not exist in either case, but it allows me to create the login on the local machine but not on the remote one...

Of course you can add it locally, because it's the same machine. It has no meaning remotely, so you can't do it. As per the article.

Ok, let me ask this another way... Our prod IIS server does not belong to any domain (it is in the DMZ on an isolated workgroup/different network). Our DB server is on the "inside" and belongs to the internal company domain. With this setup (without change), is it possible to use Windows auth on SQL Server to authenticate the IIS app pool?

Configuring ASP.NET MVC app's IIS 7.5 Application Pool identity as log...

sql-server asp.net-mvc asp.net-mvc-2 windows-authentication iis-7.5

You are seeing two things, that are commonly confused in ASP.NET:

  • "user identity" - Authentication of a user account has nothing to do with the account or identity that actually runs under both IIS and ASP.NET. Anonymous authentication allows any user to access any public content without providing a user name and password challenge to the client browser. The anonymous IUSR account that gets authenticated by default in IIS just applies access to public website content. It doesn't affect the processes or resources used by the underlying IIS or ASP.NET services.
  • "application identity" - This is the actual "WindowsIdentity" account on the server that actually runs behind IIS and ASP.NET, which is the Application Pool Identity account assigned to the pool by IIS and given to ASP.NET. Your ASP.NET process runs under this Application Pool Identity account (called a virtual account in IIS version 7.5+) by default.

Explanation: First, "authentication" in ASP.NET is just an event, usually set up in the web.config, that logs in a given user account which gets passed as a user token by IIS to ASP.NET as a plain HttpContext object... i.e. the current session or context of the current user. It doesn't actually change the WindowsIdentity that's running the ASP.NET process, it just passes a user id token to it. Using HttpContext, your code can use that id or name to store database rights to various sections of your website. But it won't affect file access by ASP.NET because it does not affect or change the identity of the actual application "process" account that runs ASP.NET under IIS.

That doesn't happen until you do "Impersonation", which tells ASP.NET to impersonate whatever token gets passed to it by IIS and to then run under that account id. You can set impersonation in your web.config. When you activate impersonation in ASP.NET then the WindowsIdentity does change on the worker process to whatever authenticated account gets passed to ASP.NET from IIS, and you can then access files, based of course on what rights you assign that user account. It's important to note that when that occurs it's temporary, and ASP.NET can revert back to its default process identity, which in current IIS versions is again the Application Pool Identity account assigned to a given App Pool.

When IIS just uses the plain anonymous user account with no explicit authentication set in ASP.NET, IIS starts up by default the website's assigned Application Pool's Application Pool Identity account and passes it to ASP.NET and the worker process running it. That Application Pool Identity account processes all requests for IIS and runs ASP.NET for that site.

When IIS starts under this setup and is accessed by a user, it actually authenticates behind the scenes by default the anonymous IUSR account, which determines access to web pages and other basic resources. But that account is NOT passed to ASP.NET. And it doesn't affect the Application Pool Identity IIS runs and which ASP.NET runs under.

If you set Impersonate to "true" in, say, your web.config, AND you are using the default anonymous IUSR account in IIS for public access, AND you set to true explicitly the anonymousAuthentication property in the web.config (instead of using a Windows or other login account), IIS will toss out the Application Pool Identity and IIS and ASP.NET will both now run their application processes as the anonymous IUSR authenticated and impersonated account.

When you do that, ASP.NET and its processes will now be running under the IUSR account... i.e. the application process of ASP.NET will run its WindowsIdentity account as the IUSR account. You can now apply read/write access to that anonymous IUSR account and to the folders you want that account to access. (Note: be sure however to add rights for the default process account, the Application Pool account for the pool, to those folders as well. That is according to Microsoft's recommendation.)

iis iis-7.5
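
The answer above separates the "application identity" (what the worker process runs as) from the "user identity" (the token IIS hands to ASP.NET), and explains that only impersonation makes file access use the latter. The PowerShell below is an added check, not code from the answer: it reads a site's pool identity, anonymous-authentication user and `<identity impersonate>` setting through the WebAdministration module and reports which Windows account file access will actually run under, following the rules the answer lays out. It assumes the WebAdministration module (IIS 7.5+) and a site name you supply; a blank anonymous `userName` is treated as "use the application pool identity", which is how IIS interprets it.

```powershell
Import-Module WebAdministration

function Get-EffectiveAspNetIdentity {
    # Resolve the account ASP.NET will touch files as, per the user-identity vs application-identity rules above.
    param([Parameter(Mandatory)][string]$SiteName)

    $sitePath = "IIS:\Sites\$SiteName"
    $poolName = (Get-Item $sitePath).applicationPool
    $pool     = Get-Item "IIS:\AppPools\$poolName"

    # "application identity": the account the worker process (w3wp.exe) itself runs as.
    $processAccount = switch ($pool.processModel.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $pool.processModel.userName }
    }

    $anon = Get-WebConfiguration -Filter 'system.webServer/security/authentication/anonymousAuthentication' -PSPath $sitePath
    $impersonate = [bool](Get-WebConfiguration -Filter 'system.web/identity' -PSPath $sitePath).impersonate

    # "user identity": the token IIS passes to ASP.NET for the request.
    $userToken = if ($anon.enabled) {
        # An empty userName means IIS uses the application pool identity as the anonymous user.
        if ([string]::IsNullOrEmpty($anon.userName)) { $processAccount } else { $anon.userName }
    } else {
        '<authenticated client account>'   # Windows/Basic auth: whoever logged in
    }

    [pscustomobject]@{
        Site             = $SiteName
        AppPool          = $poolName
        ProcessAccount   = $processAccount
        UserToken        = $userToken
        Impersonate      = $impersonate
        FileAccessRunsAs = if ($impersonate) { $userToken } else { $processAccount }
    }
}

Get-EffectiveAspNetIdentity -SiteName 'Default Web Site' | Format-List
```

`FileAccessRunsAs` is the account whose NTFS rights matter for the content folders; when impersonation is on and the anonymous user is IUSR it becomes IUSR, which is the case the answer's last paragraph describes. The pool account still needs rights to the content folders for the non-impersonated parts of the pipeline, as the answer's closing note says.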

I think I was able to resolve this issue. It turns out that our proxy server seems to have been the issue. I had the Application pool that was running this site in IIS configured to use NetworkServices as the Application Pool Identity. I changed the Identity to run as myself to see if the problem was resolved and it was. It's obviously not recommended to have a site run as a user account, so I will be requesting our IT team to create a domain account for this site, that also has access through our proxy servers.

I hope that helps someone else having the same problem.

Thanks this did the trick for me! :)

Hey Gineer! I am facing the same issue. Can you please explain what difference changing the identity made? Any reason that changing the identity would make it work? Does your identity have some additional privileges? I didn't understand what the proxy change has to do with the identity provider.

asp.net mvc - DotNetOpenAuth...CreatRequest breaks on server (Works on...

asp.net-mvc dotnetopenauth

On Windows Server 2008 R2 with IIS 7.5 you need to execute Windows Explorer run as Administrator by right clicking it to get admin privileges to modify anything in that folder. Add the application pool identity to the ACL of the c:\inetpub\wwwroot... folder with read and execute permissions.

iis 7 - IIS 7.5/ASP.NET - Anonymous access to everything except one di...

asp.net iis-7 ntfs iis-7.5

Cassini runs your website as your own user identity when you start up the Visual Studio application. IIS runs your website as an App Pool Identity. Unless the App Pool Identity is granted access to the Database, you get errors.

IIS introduced App Pool Identity to improve security. You can run websites under the default App Pool Identity, or create a new App Pool with its own name, or create a new App Pool with its own name that runs under a User Account (usually a Domain Account).

In networked situations (that are not in Azure) you can make a new App Pool run under an Active Directory Domain user account; I prefer this over the machine account. Doing so gives granular security and granular access to network resources, including databases. Each website runs on a different App Pool (and each of those runs under its own Domain User account).

Continue to use Windows Integrated Security in all Connection Strings. In SQL Server, add the Domain users as logins and grant permissions to databases, tables, SP etc. on a per website basis. E.g. DB1 used by Website1 has a login for User1 because Website1 runs on an App Pool as User1.

One challenge with deploying from the Visual Studio built-in DB (e.g. LocalDB) and built-in Web Server to a production environment derives from the fact that the developer's user SID and its ACLs are not to be used in a secure production environment. Microsoft provides tools for deployment. But pity the poor developer who is accustomed to everything just working out of the box in the new easy VS IDE with localDB and localWebServer, because these tools will be hard to use for that developer, especially for such a developer lacking SysAdmin and DBAdmin support or their specialized knowledge. Nonetheless deploying to Azure is easier than the enterprise network situation mentioned above.

c# - Login failed for user 'IIS APPPOOL\ASP.NET v4.0' - Stack Overflow

c# asp.net iis-7 web-config
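
Two threads on this page turn on the same question: which Windows principal SQL Server actually sees when a pool connects with Integrated Security. The comment thread above (foobar\bicycle$ for a domain-joined web box against a remote SQL Server, a SQL login when the web server is in a workgroup, and IIS APPPOOL\Name only when SQL runs on the same machine) and this answer's per-website domain accounts both follow from it. The PowerShell below is an added example, not code from either post: `Get-AppPoolSqlPrincipal` applies those rules to produce the login name to create, and `New-AppPoolLoginScript` emits the matching T-SQL. The pool, domain, host and database names are constructed placeholders.

```powershell
function Get-AppPoolSqlPrincipal {
    # Return the Windows principal SQL Server will see for a pool, or $null when no Windows principal can work.
    param(
        [Parameter(Mandatory)][string]$PoolName,
        [ValidateSet('ApplicationPoolIdentity', 'NetworkService', 'SpecificUser')]
        [string]$IdentityType = 'ApplicationPoolIdentity',
        [string]$UserName,                          # DOMAIN\user when IdentityType is SpecificUser
        [string]$Domain,                            # the web server's domain; empty for a workgroup box
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$SqlIsRemote
    )
    if ($IdentityType -eq 'SpecificUser') { return $UserName }   # a real account is the same everywhere

    if ($SqlIsRemote) {
        # Virtual and built-in accounts leave the box as the machine account, and only if there is a domain.
        if ([string]::IsNullOrEmpty($Domain)) { return $null }   # workgroup web server: use a SQL login instead
        return "$Domain\$ComputerName`$"                          # e.g. foobar\bicycle$
    }

    # SQL Server on the same machine can see the local virtual/built-in account directly.
    if ($IdentityType -eq 'NetworkService') { return 'NT AUTHORITY\NETWORK SERVICE' }
    return "IIS APPPOOL\$PoolName"
}

function New-AppPoolLoginScript {
    # Idempotent T-SQL: server login, database user, and one fixed role, nothing broader.
    param(
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][string]$Database,
        [string]$Role = 'db_datareader'
    )
    @"
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Principal')
    CREATE LOGIN [$Principal] FROM WINDOWS;
GO
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Principal')
    CREATE USER [$Principal] FOR LOGIN [$Principal];
ALTER ROLE [$Role] ADD MEMBER [$Principal];
GO
"@
}

# Constructed scenarios from the threads above.
Get-AppPoolSqlPrincipal -PoolName 'Website1' -SqlIsRemote -Domain 'foobar' -ComputerName 'bicycle'  # foobar\bicycle$
Get-AppPoolSqlPrincipal -PoolName 'Website1'                                                         # IIS APPPOOL\Website1
Get-AppPoolSqlPrincipal -PoolName 'Website1' -SqlIsRemote                                            # $null: workgroup box
Get-AppPoolSqlPrincipal -PoolName 'Website1' -IdentityType SpecificUser -UserName 'foobar\svc-web1'  # foobar\svc-web1

# Per-website account as the answer recommends; the connection string stays "Server=sql01;Database=DB1;Integrated Security=SSPI;".
New-AppPoolLoginScript -Principal 'foobar\svc-web1' -Database 'DB1'
```

The `$null` case is the one the last comment in the earlier thread asks about: with the web server outside any domain, no Windows principal reaches the SQL Server, so the choice is a SQL login or joining a trusted domain. The `ALTER ROLE ... ADD MEMBER` syntax needs SQL Server 2012 or later; on older versions use `EXEC sp_addrolemember`.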

We were also fighting with this issue, and started setting up security groups so we could give our users file-level permissions. Then one of our server admins stumbled across a couple of new properties that allow the app to authenticate to the file system under set credentials, and resolved the need for the users to have access. Here is what he came up with:

There are two IIS settings that control this:

By default, Physical Path Credentials is set to Application User (Pass-through authentication). This means that IIS doesn't do any impersonation when handling Windows Authentication requests. This can, however, be set to a specific user (though not, unfortunately, the application pool identity, which would be ideal). Physical Path Credentials Logon Type is set by default to Clear-Text. For my testing I set this to Interactive (though this may not be the correct value). Possible values are Clear-Text, Batch, Interactive, and Network.

  • Created a local account (IIS-AccessUser)
  • Granted IIS-AccessUser read and execute access to the /home directory of the site.
  • Set IIS-AccessUser as the Physical Path Credentials

Doing the above allowed me to log in to the application directly, without having to allow Authenticated Users, or me having to be a member of any of the groups in the /home folder. It also still preserved .NET Authorization roles, so I still could not access parts of the site that I was not allowed to.

Thanks, this is good. Too much setup for me so I now ensure AuthenticatedUsers have access, but if one really cared about ensuring users couldn't access the files via windows explorer this would be the way forward.

@DZx I have never seen the config screen myself, but I suspect that our admin was lamenting that there was no simple option to say "use app pool identity". However, I am not aware of anything to keep you from keying the same credential into both places.

asp.net - Does an IIS 7.5 web app with windows authentication require ...

asp.net iis iis-7.5 windows-authentication

To solve this one, our server administrator created a domain user in the domain controller called domainuser. Then I went into the IIS 7 application pool advanced settings, and changed the Identity from ApplicationPoolUser to "{domain name}\domainuser" (under the Custom Account field) and entered the password for the account. Then I set write permissions (under the folder properties > security) on that shared folder for {domain name}\domainuser. It worked great.

The disadvantage of your answer is that you are not using the ApplicationPoolIdentity user and that you have to enter a password.

This is not a fix for the problem described, more of a workaround to the original problem.

Actually, using a service account that can be locked down and dedicated to one narrow purpose is the more secure option because it reduces the attack surface area. Using the machineaccount$ for access means that any process running under the networkservice account (like other websites on that server) will also gain rights on that network resource. But yes, password management can be the downside.

iis 7 - ApplicationPoolIdentity user cannot modify files in shared fol...

iis-7 permissions folder shared
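
Both the first answer on this page (a pool account that cannot start a service) and the answer just above (a pool account that cannot write to a share) resolve the same way: move the pool to a dedicated account and grant that account, and nothing else, the right it needs. The PowerShell below is an added example, not code from either answer: it switches a pool to a domain service account through the WebAdministration module, grants only that account Modify on the share with `icacls`, recycles the pool and reads the identity back. The pool name, account name and share path are constructed placeholders; it assumes IIS 7.5+ with the WebAdministration module and runs from an elevated prompt.

```powershell
Import-Module WebAdministration

# Constructed placeholders; substitute your own pool, dedicated service account and share.
$PoolName   = 'MyAppPool'
$Account    = 'CONTOSO\svc-myapp'           # hypothetical domain account used by this one site only
$SharePath  = '\\fileserver\uploads'         # hypothetical share the site must write to
$Credential = Get-Credential -UserName $Account -Message 'Password for the service account'

# 1. Run the pool as the service account (identityType 3 = SpecificUser in the processModel schema).
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 3
    userName     = $Credential.UserName
    password     = $Credential.GetNetworkCredential().Password
}

# 2. Grant Modify to that account alone; (OI)(CI) makes the ACE inherit to files and subfolders.
icacls $SharePath /grant "${Account}:(OI)(CI)M"

# 3. Recycle so w3wp.exe restarts under the new account, then confirm what IIS recorded.
Restart-WebAppPool -Name $PoolName
Get-Item "IIS:\AppPools\$PoolName" | Select-Object Name,
    @{ n = 'IdentityType'; e = { $_.processModel.identityType } },
    @{ n = 'UserName';     e = { $_.processModel.userName } }
```

This is the narrower option the later comment argues for: a share ACL naming one service account grants nothing to other pools on the same server, whereas an ACE for the machine account (`DOMAIN\WEBSERVER$`) is shared by every process running as Network Service or ApplicationPoolIdentity on that box. The password-management cost the comment mentions is real; a group Managed Service Account, where the domain supports it, removes the manual password from the pool configuration.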

I had this same problem on my Windows 2008 R2 server. I did not have custom 401 error pages. I did use aliased server names (via DNS CNAME records and host header entries on the IIS bindings). I registered the SPNs for Kerberos as suggested, but that did not solve the problem. I resolved it by disabling "Kernel Mode Authentication" (click on the server in the IIS tree -> double-click on Authentication under the IIS group -> click on Windows Authentication -> click on Advanced Settings on the Actions pane -> Uncheck the checkbox -> click OK -> run iisreset). The information on that dialog box recommends against disabling Kernel Mode Authentication when using non-standard service accounts for the application pool identity, but that didn't apply to us since we're using the standard ApplicationPoolIdentity identity.

Most Strange IIS Windows Authentication behavior - Stack Overflow

iis windows-authentication

I was also suffering from the same problem, but there is a small solution for it: just go into the IIS server, then to the application pool under which your application is running. In the advanced settings of the application pool you will get the option Process Model, under which there is Identity, which is by default ApplicationPoolIdentity. Just change it to Local System and you're done.

And remember to put the App_Data folder there in the WWW folder of the IIS server.

Neeraj, what does it matter if site is in WWW or some other folder on server?

.net - How to deploy ASP.NET MVC 4 application using localDB to local ...

asp.net .net iis windows-7 localdb

You need to get the IIS Authentication -> Anonymous Authentication -> "Anonymous user identity" to match up to the file directory permissions. This is to allow the DNN code to execute within your file system. The recommended setting is to use "Application pool identity" to limit your IIS server/web site into other parts of your server environment.

From IIS management console or the wwwroot\yourDNNinstalllocation folder set the permissions to "IIS AppPool\ApplicationPoolName" to MODIFY. Note: the windows permission will require the Location to be "your-IIS-Server-or-PC-name" rather than any Domain location.

If you did want a domain role and integrated SQL Security on your database server, then you would need to

  • create a domain\user e.g. "yourDomain\dnn_yourCustomer" then

dotnetnuke - DNN or IIS 401 Unauthorized error and some failed attempt...

iis dotnetnuke http-status-code-401

IIS introduces a new security feature in Service Pack 2 (SP2) of Windows Server 2008 and Windows Vista. It's called Application Pool Identities. Application Pool Identities allow you to run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool.

Here's a good explanation of what happens:

In Windows 7, IIS application pool isolation was taken yet to a different level. The new change introduced in IIS7 (Windows Server 2008) was a new option to run your application pool as AppPoolIdentity. However, the default for an application pool identity in IIS7 remained the same NetworkService. In IIS7.5, AppPoolIdentity becomes the default. Thus, scripts previously expecting permissions for their application pool identity to be set to NT Service\NetworkService will now have to set permissions (ACLs) for IIS AppPool\<pool name>, the user account created for each new application pool.

asp.net - How to give Folder Permission for IIS User in C#? - Stack Ov...

c# asp.net iis folder-permissions

We ended up making the user an administrator and that worked. That's probably too broad for sufficient security rights. We'll keep looking. But it does show that the issue was somehow related to user roles rather than a password issue.

asp.net - IIS application pool identity not allowing the server to sta...

asp.net iis iis-7

iis 7.5 - ASP.NET MVC 3 Intranet site on IIS7.5 w Windows Authenticati...

asp.net-mvc-3 iis-7.5 windows-authentication acl http-status-code-401