stackoom
  简体   繁体   中英

ApplicationPoolIdentity permissions on Temporary Asp.Net files

 原文  2010-06-08 10:36:15       asp.net/ iis/ iis-7.5

Question

at work I am struggling a bit with the following situation: We have a web application that runs on a WIndows Server 2008 64 bits machine. The app's ApplicationPool is running under the ApplicationPoolIdentity and configured for .net 2 and Classic pipeline mode.

This works fine up to the moment that XmlSerialization requires creation of Serializer assemblies where MEF is being used to create a collection of knowntypes.

To remedy this I was hoping that granting the ApplicationPoolIdentity rights to the ASP.Net Temporary Files directory would be enough, but alas...

What I did was the run the following command from a cmd prompt: 

icacls "c:\windows\microsoft.net\framework64\v2.0.50727\Temporary ASP.NET Files" /grant "IIS AppPool\MyAppPool":(M)

Obviously this did not work, otherwise you would not be reading this :)

Strange thing is that whenever I grant the Users or even more specific, the Authenticated Users Group those permissions, it works. What's weird as well (in my eyes) is that before I started granting access the ApplicationPoolIdentity was already a member of IIS_IUSRS which does have Modify rights for the temporary asp files directory.

And now I'm left wondering why this situation requires Modify rights for the Authenticated Users group. I thought it could be because the apppool account was missing additional rights (googling for this returned some results, so I tried those), but granting the ApplicationPoolIdentity modification rights to the Windows\\Temp directory and/or the application directory itself did not fix it.

For now we have a workaround, but I hate that I don't know what is exactly going on here, so I was hoping any of you guys could shed some light on this.

Thanx in advance!

2 answers

solution1
 5 ACCPTED  2010-06-15 03:41:28

If the application pool is running as AppPool Identity then things should work out-of-the box since the worker process will be injected the IIS_IUSRS SID which will have the right permissions to write.

My guess, is that the application must be using Windows authentication and impersonation is enabled in ASP.NET so that code is probably be ran as the specific user that is making the request and not necesarilly the process identity.

Am I right on the guess that the app is running Windows Authentication? and impersonation is enabled in asp.net ?

solution2
 0  2010-06-29 11:52:42

Might not be relevant to you - but if you are running the app pool as a domain user, the rules change on the automatic injection of IIS_IUSRS token into the process at startup. This caught us out recently when moving to .net 4, and not having permission on the new Temporary ASP.net Files directory.

See here for a workaround: http://www.yusufozturk.info/iis7/asp-net-write-access-error-on-iis7-5.html

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question IIS ApplicationPoolIdentity does not have write permission to 'Temporary ASP.NET Files' Does user write permissions to the Temporary ASP.NET Files folder pose any security problems? Unable to access temporary asp.net files Stroring files in Temporary ASP.NET folder Temporary ASP.NET files & TeamCity ASP.NET Schedule deletion of temporary files ASP.NET Temporary files cleanup Question On Temporary ASP.NET Files What is the “Temporary ASP.NET Files” folder for? Temporary ASP.NET Files Missing
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM