How to grant ASP.NET permission to write to a folder in Windows 7?

I have a new Win7 workstation and am trying to run the ScrewTurn Wiki on a machine. My STW installation uses a file system option to store its data, and therefore I need to provide write permissions for the ASP.NET workflow in the folder on which the website is installed.

HOWEVER, I don't seem to be able to come up with a workflow name in Win7 to add it to the permissions for this folder. In XP, it was ASPNET_WP, if I remember correctly, but that is not its name in Win7.

Can someone tell me?

Edited to add:

In response to @Dragan_Radivojevic, here is what the application pool (named ScrewTurnWiki) looks like:

IIS7 Application Pools

Identity is "ApplicationPoolIdentity"

+43
Feb 01 '13 at 19:37
3 answers

Granting write permissions to the whole IIS_IUSRS group is a bad idea for security. You do not need to do this; you can grant permissions only to the system user running the application pool.

If you are using IIS7 (and I suppose you are), follow these steps.

  1. Open IIS7
  2. Select the site for which you need to change permissions.
  3. Go to the "Basic Settings" and find out which application pool you are using.
  4. Go to application pools and find the application pool from #3
  5. Find the system account used to run this application pool (identifier column)
  6. Go to the storage folder in IIS, select it and click "Allow Edits" (in the "Actions" submenu on the right).
  7. Click the Security tab and add the necessary permissions only for the user you specified in #3

Note #1: if you see ApplicationPoolIdentity at #3, you need to refer to this system user like this: IIS AppPool\{application_pool_name}. For example, IIS AppPool\DefaultAppPool

Note #2: When adding this user, remember to set the correct location in the "Select Users or Groups" dialog box. This needs to be set to the local computer because it is a local account.

+104
Feb 01 '13 at 19:59

I know this is an old thread, but to further expand the answer here, by default, IIS 7.5 creates application pool identification accounts to start the workflow. You cannot search for these accounts the way you can for regular user accounts when adding file permissions. To add them to the NTFS permissions ACL, you can enter the fully qualified name of the application pool identifier and it will work.

This is just a small difference in how the application pool identifier accounts are processed, as they are considered virtual accounts.

Also, the application pool identifier username is "IIS AppPool\application pool name", so if it is the DefaultAppPool application pool, the user account will be "IIS AppPool\DefaultAppPool".

You can see this if you open Computer Management and look at the members of the local IIS_IUSRS group. The SID added at the end is not needed when adding an account to the NTFS permission ACL.

Hope that helps

+28
Nov 15 '13 at 17:32
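
The two answers above describe the GUI route; the same grant can be scripted. The following PowerShell is an added example, not code from either answer: it gives only the pool's virtual account Modify rights on one folder, then lists any broad group that still holds write-type rights there. The folder path is a hypothetical placeholder, and the pool name is taken from the question.

```powershell
# Added example. $Folder is a hypothetical path; $PoolName comes from the question.
param(
    [string]$PoolName = 'ScrewTurnWiki',
    [string]$Folder   = 'C:\inetpub\wwwroot\ScrewTurnWiki\public'
)

# The virtual account is addressed by its fully qualified name.
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")

# Resolve the name to a SID first, so a typo in the pool name fails here
# instead of producing an error halfway through the ACL change.
try   { $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]) }
catch { throw "Cannot resolve '$($account.Value)'. Check the application pool name." }
Write-Output "Granting Modify to $($account.Value) ($sid) on $Folder"

# Modify on this folder, inherited by subfolders and files. No FullControl:
# the worker process does not need to change permissions or take ownership.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Audit: allow ACEs that give write-type rights to broad groups on this folder.
# Read bits are deliberately left out of the mask so read-only ACEs are not listed.
$broad     = 'BUILTIN\IIS_IUSRS', 'BUILTIN\Users', 'Everyone'
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

(Get-Acl -Path $Folder).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeMask)
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Run it from an elevated prompt. An empty result from the last pipeline means none of the listed groups can write to the folder.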

My immediate solution (since I could not find the ASP.NET workflow) was to grant write permission (i.e. Change) to IIS_IUSRS. It worked. I seem to remember that in WinXP I had to specifically give write permission to the ASP.NET workflow for this. Maybe my memory is faulty, but in any case ...

@DraganRadivojevic wrote that he believes this is a security hazard. I do not agree, but since it was my workstation, not a network server, it looked relatively safe. In any case, his answer is better, and this is what I finally settled on after going down a path of failure because I had not specified the correct domain for the AppPool user.

+13
Feb 01 '13 at 19:46