In the IIS setting, change the anonymous access account from IUSR to the app pool.
IIS ApplicationPoolIdentity account access denied
Hi
I have an IIS 10 Application pool called FooAppPool that's configured to use ApplicationPoolIdentity.
I have a site running under that pool and have assigned "IIS APPPOOL\FooAppPool" full permissions to a "Downloads" sub-directory of that site.
When I try to write to this directory I receive access denied errors.
Running procmon I can see the write request flagged as "ACCESS DENIED", the user is "IIS APPPOOL\FooAppPool" as expected.
If I grant Everyone permissions to the directory everything works as expected, so it's not an issue with the path or code.
I added auditing to the folder and can see the write request's Audit Failure event:
Security ID: NT AUTHORITY\IUSR
Account Name: IUSR
Access Reasons:
READ_CONTROL: Unknown or unchecked
SYNCHRONIZE: Unknown or unchecked
ReadData (or ListDirectory): Unknown or unchecked
WriteData (or AddFile): Not granted
I note that the account is reported as IUSR; granting that account permissions on Downloads fixes the problem.
Does anyone know why "IIS APPPOOL\FooAppPool" is not working on its own?
Windows development | Internet Information Services
Developer technologies | ASP.NET | Other
-
Bruce (SqlWork.com) 77,766 Reputation points Volunteer Moderator
2022-01-16T22:21:23.303+00:00
-
Sam Wu-MSFT 7,561 Reputation points Microsoft External Staff
2022-01-17T03:19:13.15+00:00
First of all, you can refer to this link to make sure there is no mistake in setting the folder permissions.
How to set folder permissions for a site that uses ApplicationPoolIdentity.
If it still doesn't work, you can try setting your application pool Identity in IIS:
- Open IIS.
- Explore the Application Pool section.
- Select the app pool of your website, then choose the Advanced Settings.
- Choose the Identity section and change the Built-in account to Network Services; alternatively, you can choose to provide your custom account, which could be the Admin User.
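The change described in the first answer (anonymous requests running as IUSR instead of the application pool identity, which is why the audit event names IUSR), as an added example that is not part of the original thread. FooAppPool comes from the question; the site name and folder path are assumed placeholders, and the script must run from an elevated PowerShell session.

```powershell
# Added example, not from the thread. $site and $folder are hypothetical placeholders.
Import-Module WebAdministration

$site   = 'FooSite'                         # assumed site name
$pool   = 'FooAppPool'                      # app pool named in the question
$folder = 'C:\inetpub\FooSite\Downloads'    # assumed physical path of "Downloads"
$filter = 'system.webServer/security/authentication/anonymousAuthentication'
$psPath = 'MACHINE/WEBROOT/APPHOST'

if (-not (Test-Path -LiteralPath $folder)) {
    throw "Folder not found: $folder"
}

# 1. Show which account anonymous requests currently impersonate.
#    The IIS default is IUSR, which matches the account in the audit failure.
$anon = Get-WebConfiguration -PSPath $psPath -Location $site -Filter $filter
Write-Host "Anonymous auth enabled: $($anon.enabled); userName: '$($anon.userName)'"

# 2. An empty userName tells IIS to run anonymous requests under the
#    application pool identity instead of a separate anonymous account.
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $filter `
    -Name userName -Value ''

# 3. Grant the pool identity Modify on the folder, inherited by child files
#    and folders. Assumption: the site only needs to create, write and delete
#    files here, so Modify is used rather than Full control.
#    ${pool} is braced so PowerShell does not parse "$pool:" as a drive-scoped variable.
icacls $folder /grant "IIS APPPOOL\${pool}:(OI)(CI)M"

# 4. If Everyone or IUSR were granted access on this folder while
#    troubleshooting, remove those explicit entries again.
icacls $folder /remove:g 'Everyone' 'NT AUTHORITY\IUSR'

# 5. Review the resulting ACL.
icacls $folder
```

After the change, a new write attempt should show "IIS APPPOOL\FooAppPool" rather than IUSR as the Security ID in the folder's audit events.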