IIS ApplicationPoolIdentity account access denied

Alex Keene 21 Reputation points
2022-01-16T21:45:21.77+00:00

Hi

I have an IIS 10 Application pool called FooAppPool that's configured to use ApplicationPoolIdentity.

I have a site running under that pool and have assigned "IIS APPPOOL\FooAppPool" full permissions to a "Downloads" sub-directory of that site.

When I try to write to this directory I receive access denied errors.

Running procmon I can see the write request flagged as "ACCESS DENIED", the user is "IIS APPPOOL\FooAppPool" as expected.

If I grant Everyone permissions to the directory everything works as expected, so it's not an issue with the path or code.

I added auditing to the folder and can see the write request's Audit Failure event:

Security ID: NT AUTHORITY\IUSR
Account Name: IUSR

Access Reasons:
READ_CONTROL: Unknown or unchecked
SYNCHRONIZE: Unknown or unchecked
ReadData (or ListDirectory): Unknown or unchecked
WriteData (or AddFile): Not granted

I note that the account is reported as IUSR, granting that account permissions on Downloads fixes the problem.

Does anyone know why "IIS APPPOOL\FooAppPool" is not working on its own?


Accepted answer
  1. Bruce (SqlWork.com) 77,766 Reputation points Volunteer Moderator
    2022-01-16T22:21:23.303+00:00

    In the IIS settings, change the anonymous access account from IUSR to the app pool.

    1 person found this answer helpful.
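
The change from the accepted answer, scripted in PowerShell as an added example (not part of the original thread or of either answer). The site name and physical path are assumptions, since the thread does not give them. The ACL step grants Modify rather than the Full Control used in the question and removes the Everyone and IUSR grants added during troubleshooting.

```powershell
# Added example: run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

$site   = 'FooSite'                        # assumed site name (not given in the thread)
$pool   = 'FooAppPool'                     # app pool name from the question
$folder = 'C:\inetpub\FooSite\Downloads'   # assumed physical path of the Downloads folder
$filter = 'system.webServer/security/authentication/anonymousAuthentication'

# 1. Show which account anonymous requests currently run as.
#    IUSR is the default; an empty userName means "use the app pool identity".
$attr = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name userName
$user = if ($attr -is [string]) { $attr } else { $attr.Value }
if ([string]::IsNullOrEmpty($user)) {
    Write-Host "Anonymous requests already use the app pool identity."
} else {
    Write-Host "Anonymous requests currently run as '$user'."
}

# 2. Switch the anonymous user to the application pool identity.
#    -Location writes the setting for this site into applicationHost.config,
#    where the anonymousAuthentication section is allowed to be changed.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter -Name userName -Value ''

# 3. Give the pool identity Modify on the folder, inherited by files and subfolders.
icacls $folder /grant "IIS APPPOOL\${pool}:(OI)(CI)M"

# 4. Remove the broad grants that were added while troubleshooting.
icacls $folder /remove:g 'Everyone'
icacls $folder /remove:g 'NT AUTHORITY\IUSR'

# 5. Review the resulting ACL.
icacls $folder
```

After this change, the Security ID in a file-access audit event for the folder should show the pool identity instead of NT AUTHORITY\IUSR.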

1 additional answer

  1. Sam Wu-MSFT 7,561 Reputation points Microsoft External Staff
    2022-01-17T03:19:13.15+00:00

    @Alex Keene

    First of all, you can refer to this link to make sure there is no mistake in setting the folder permissions.

    How to set folder permissions for a site that uses ApplicationPoolIdentity.

    If it still doesn't work, you can try setting your application pool Identity in IIS:

    1. Open IIS.
    2. Explore the Application Pool section.
    3. Select the app pool of your website, then choose Advanced Settings.
    4. Choose the Identity section and change the Built-in account to Network Services; alternatively, you can choose to provide your custom account, which could be the Admin User.

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
