
IIS 8 401.3 with ACL and static content

I'm having a problem with IIS and ACLs.

I have configured an MVC application under a dedicated AppPool. The app pool runs under the ApplicationPoolIdentity (which in my case would be the user IIS AppPool\accountinfo.local = the same name as my website).

I gave full control to this user on the root folder and made sure that the permissions are inherited.

When I access the home page it runs fine and I can access it. However, when I try to access my static content, which is in a subfolder (Content/Site.css) I get an error 401.3.

I have made sure that permissions are inherited and if I go to effective permissions I can see that this user does have full control.

I have enabled failed request tracing and also security auditing but I don't get any log files, nor any events in the event viewer.

What am I missing here?

Kenneth asked May 04 '13 22:05


2 Answers

OK, I got it.

Apparently requests for static content don't go through the applicationIdentity but through the standard IUSR account.

Once I gave this user read permissions on the folder, it started working.

Learnt something new today.

Kenneth answered Oct 26 '22 22:10


When using anonymous authentication in IIS, static content is accessed (and served) by the "Anonymous user identity." By default, this is set to the specific built-in user account "IUSR" - thus why granting permissions for that user fixes the problem (as mentioned in Kenneth's excellent answer).

If you prefer not to use the IUSR account for whatever reason, you can change the "Anonymous user identity" for the web site in IIS by doing the following:

  1. Go to the site in IIS and double click "Authentication" in the feature pane

     [Screenshot: IIS feature pane with Authentication highlighted]

  2. Right-click "Anonymous Authentication" and select "Application pool identity" to use your app pool identity (or you can set a different specific user than IUSR by clicking the "Set" button)

     [Screenshot: Edit Anonymous Authentication Credentials dialog]

The process is also documented in this Microsoft Docs article:

Build a Static Website on IIS - Step 3: Configure Anonymous Authentication

I'll reproduce one significant reason you may choose to change the anonymous authentication identity, which is called out in that article:

If you use the IUSR account, you grant anonymous users all the internal network access associated with that account.

Josh Darnell answered Oct 26 '22 21:10
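
The two fixes described in the answers above, as a PowerShell script (an added example, not code from either answer). It assumes an elevated prompt on the IIS server, the WebAdministration module, the site name from the question, an app pool running as ApplicationPoolIdentity, and a placeholder content path.

```powershell
Import-Module WebAdministration

$siteName    = 'accountinfo.local'            # site name taken from the question
$contentPath = 'C:\inetpub\example\Content'   # placeholder: path to the static content folder
$useAppPool  = $false                         # $true = serve anonymous requests as the app pool identity

$filter = '/system.webServer/security/authentication/anonymousAuthentication'

if ($useAppPool) {
    # An empty userName is how IIS stores "Application pool identity".
    # The section is locked at site level by default, so the change is written
    # to applicationHost.config under a <location> tag for the site.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
        -Filter $filter -Name userName -Value ''
}

# Resolve the account that anonymous requests (static files included) run as.
$anon = Get-WebConfiguration -PSPath "IIS:\Sites\$siteName" -Filter $filter
if ([string]::IsNullOrEmpty($anon.userName)) {
    $pool    = (Get-Item "IIS:\Sites\$siteName").applicationPool
    $account = "IIS AppPool\$pool"
} else {
    $account = $anon.userName                 # "IUSR" by default
}
"Anonymous requests for $siteName run as: $account"

# Grant read and execute only (not full control), inherited by subfolders and files.
icacls $contentPath /grant "${account}:(OI)(CI)RX"

# List the resulting ACEs on the content folder for review.
(Get-Acl -Path $contentPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

With `$useAppPool = $false` the script grants read access to whichever anonymous identity is currently configured (IUSR by default); with `$true` it first switches the site to the app pool identity, so no IUSR ACE is needed.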