IIS AppPool Identities - IIS 8 permissions issues


Recently I ran into some strange permission issues when setting up IIS 8 on Windows Server 2012. With the default settings, every AD user could log in to the hosted website even though none of them was explicitly listed in the file system permissions. After a long troubleshooting process I finally fixed the issue using IIS AppPool Identities, a feature that has been around since IIS 7.5 but is easy to overlook.

The server used in the following scenario was called BLINFS01 and my account, which appears in the screenshots, was Tytus Kurek. I am not sure whether the described behaviour is a bug, but it is definitely something odd and I could not find any explanation when looking for a solution on the Microsoft sites and forums.

Initial Setup

After installing IIS 8 from Server Manager I performed the following steps:

1) I created a regular directory on a separate drive that IIS was going to host. The directory automatically inherited the drive's default permissions, as shown in the attached picture:

where the Special permissions for the BLINFS01\Users group were:
  • Create files / write data
  • Create folders / append data
2) I created a regular site in IIS Manager hosting the directory. Then, in the site's Authentication settings, I enabled Windows Authentication and disabled Anonymous Authentication, which is enabled by default, as shown in the attached picture:

After completing the above steps I restarted the IIS service and was able to log in to my website using my regular AD credentials.

That was great, but it soon turned out that anyone in the domain could log in to the website too. If you look carefully at the picture in point 1 you will notice that nothing there seems to allow that: the only domain account listed in the Permissions tab is mine.

I found the Effective Access tab very useful during troubleshooting. It lets you test permissions for any user and shows the result. It soon showed that after removing the BLINFS01\Users group the only domain user allowed to access the directory was me. But how? At first glance that group holds local users only, not domain ones. The explanation is that on a domain-joined server the local Users group contains NT AUTHORITY\Authenticated Users (and Domain Users), so every domain account inherits whatever BLINFS01\Users is granted. I removed the group and tried logging in to the website again, but this time I got the following error message in my browser:

Either I was allowing every domain user or I was blocking everyone, myself included. It looked like an impasse. Removing the group does not only block other users: the application pool's worker process, which reads the content on behalf of every request, had also been getting its access through BLINFS01\Users, so the site itself stopped working.
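The following PowerShell is an added diagnostic example, not part of the original post. It shows the three things worth checking before touching any ACL: who is really inside the local Users group, what is on the content directory's ACL, and which account the application pool actually runs as. It assumes the content directory is D:\WebSite (the post does not name the path) and that the site and the application pool are both called BLINFS01, as in the post.

```powershell
# Added diagnostic example; not part of the original post. Assumes the content
# directory is D:\WebSite (the post does not name the path) and that the
# application pool and site are both called BLINFS01, as in the post.
Import-Module WebAdministration

$contentDir = 'D:\WebSite'
$poolName   = 'BLINFS01'
$siteName   = 'BLINFS01'

# 1) Membership of the local Users group. On a domain-joined server it contains
#    NT AUTHORITY\Authenticated Users and <DOMAIN>\Domain Users, which is why an
#    ACE for BLINFS01\Users admits every domain account.
net localgroup Users

# 2) Every ACE on the content directory. Anything granted to Users,
#    Authenticated Users or Everyone is effectively "the whole domain".
(Get-Acl -Path $contentDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3) Which account the worker process runs as. ApplicationPoolIdentity means the
#    virtual account "IIS AppPool\$poolName", so that is the principal that needs
#    read access to the content, not BUILTIN\Users.
(Get-ItemProperty -Path "IIS:\AppPools\$poolName" -Name processModel).identityType

# 4) The site's authentication settings: Windows should be on, Anonymous off.
foreach ($method in 'anonymousAuthentication', 'windowsAuthentication') {
    $enabled = (Get-WebConfigurationProperty `
        -Filter "system.webServer/security/authentication/$method" `
        -Name enabled -PSPath 'IIS:\' -Location $siteName).Value
    "{0,-24} enabled = {1}" -f $method, $enabled
}
```

If step 1 lists Authenticated Users or Domain Users, any ACE for BLINFS01\Users on the content directory is what lets the whole domain in, and step 3 tells you which account has to replace it.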


After half a day of troubleshooting I finally fixed the issue by applying the solution described in the following article. It turns out that starting with IIS 7.5 there is a feature called AppPool Identities: each Application Pool runs under its own virtual account, IIS AppPool\<pool name>, which can be granted exactly the file system permissions required to host the website.

So I removed the permissions for the BLINFS01\Users group and granted the same permissions to the IIS AppPool\BLINFS01 account instead, as shown in the attached picture:

After pressing the Check Names button the account name was resolved as shown in the attached picture:

After applying the above permissions I was able to log in to my website, and moreover no other domain user could. With Windows Authentication enabled, IIS checks the file permissions against the authenticated user's account, while the worker process itself reads the content as the AppPool identity; granting the content directory to the AppPool identity plus the intended users, and nothing broader, gives exactly that result. I find IIS AppPool Identities and the permissions associated with them very useful, but I regret that they are so poorly documented. I hope this article helps some wandering sysadmins who run into the same issue.
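The same fix done from PowerShell rather than the Security tab, as an added example that is not from the original post. It assumes the content directory is D:\WebSite, that the site and pool are both named BLINFS01 as in the post, and uses a hypothetical domain account CONTOSO\tkurek to stand in for the one user who should be allowed in.

```powershell
# Added example of the fix; not part of the original post. Assumptions: content
# directory D:\WebSite, site and pool both named BLINFS01 (as in the post), and a
# hypothetical domain account CONTOSO\tkurek standing in for the one user who
# should be allowed in.
Import-Module WebAdministration

$contentDir  = 'D:\WebSite'
$poolName    = 'BLINFS01'
$siteName    = 'BLINFS01'
$allowedUser = 'CONTOSO\tkurek'   # hypothetical; use the real account(s)

# Stop inheriting the drive's default ACL (keeps a copy of the current ACEs),
# otherwise the BUILTIN\Users entry would come back from the parent.
icacls $contentDir /inheritance:d

# Remove the group that silently covers every domain account.
icacls $contentDir /remove:g 'BUILTIN\Users'

# The worker process reads the content as the pool's virtual account.
# (OI)(CI) makes the entry inherit to files and subfolders; RX is enough to
# serve static content, use M instead only if the application has to write.
icacls $contentDir /grant "IIS AppPool\${poolName}:(OI)(CI)RX"

# The users who are allowed to log in. With Windows Authentication IIS checks
# the file ACL against the authenticated user, so nobody else gets through.
icacls $contentDir /grant "${allowedUser}:(OI)(CI)RX"

# Windows Authentication on, Anonymous off, at the site level.
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false -PSPath 'IIS:\' -Location $siteName
Set-WebConfigurationProperty -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true  -PSPath 'IIS:\' -Location $siteName

# Verify: the ACL should list only the AppPool identity, the allowed user(s) and
# the administrative entries, and a request with the current user's credentials
# should succeed (a user without an ACE gets HTTP 401.3).
icacls $contentDir
Invoke-WebRequest -Uri "http://$siteName/" -UseDefaultCredentials | Select-Object StatusCode
```

The order matters: breaking inheritance before removing BUILTIN\Users is what keeps the group from being re-applied from the drive root, and the AppPool entry has to be in place before the Users entry goes, or the site returns errors for everyone exactly as described above.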
