Permissions required to use Microsoft.Web.Administration

Question

I'm trying to use IIS 7 management API but stuck with a security issue. My application is regular ASP.NET site running on .NET 4 (integrated pipeline). The machine is Windows 7 x64 (the app pool is default, running under ApplicationPoolIdentity, x64). The site uses the following settings:

    <identity impersonate="true" />
    <authentication mode="Windows" />
    <customErrors mode="Off" />
    <authorization>
        <deny users="?" />
    </authorization>

My site tries to read other site's details via IIS management API (at localhost). I'm logged in as a member of local Administrators. In IE i try to open my page but get this:

Site 'mysite' at 'myhost' is unknown.System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) 
at Microsoft.Web.Administration.Interop.IAppHostProperty.get_Value() 
at Microsoft.Web.Administration.ConfigurationElement.GetPropertyValue(IAppHostProperty property) 
at Microsoft.Web.Administration.Site.get_State() 

I don't understand why. I'm damn sure the code runs in impersonation context of my account (can see this is debugger watching System.Threading.Thread.CurrentPrincipal ). What am i doing wrong?

ps

UAC is on, but i believe that's not important. Checked NTFS permissions on C:\\Windows\\system32\\inetsrv\\config folder - full access for Administrators.

Answer 1

UAC is indeed the root of all evil. Impersonation behavior is broken when it's on. Something is really over-complicated here :(

When UAC is enabled and the current security context is impersonated, the principal reports he's not a member of local Administrators group. But he is. It has something to do with interactive/non-interactive sessions.

Answer 2

尝试将临时目录设置为 web.config 到具有完全权限的文件夹。

<compilation tempDirectory="c:\temp" ... ></compilation>