Menu
I'm having a problem with IIS and ACL's.
I have configured an MVC application under a dedicated AppPool. The apppool runs under the ApplicationPoolIdentity (which in my case would be the user IIS AppPool\accountinfo.local = the same name as my website).
I gave full control to this user on the root folder and made sure that the permissions are inherited.
When I access the home page it runs fine and I can access it. However, when I try to access my static content, which is in a subfolder (Content/Site.css) I get an error 401.3.
I have made sure that permissions are inherited and if I go to effective permissions I can see that this user does have full control.
I have enabled failed request tracing and also security auditing but I don't get any log files, nor any events in the event viewer.
What am I missing here?
745
OK, I got it.
Apparently requests for static content don't go through the applicationIdentity but through the standard IUSR account.
Once I gave this user read permissions on the folder, it started working.
Learnt something new today.
164
When using anonymous authentication in IIS, static content is accessed (and served) by the "Anonymous user identity." By default, this is set to the specific built-in user account "IUSR" - thus why granting permissions for that user fixes the problem (as mentioned in Kenneth's excellent answer).
If you prefer not to use the IUSR account for whatever reason, you can change the "Anonymous user identity" for the web site in IIS by doing the following:
The process is also documented in this Microsoft Docs article:
Build a Static Website on IIS - Step 3: Configure Anonymous Authentication
I'll reproduce one significant reason you may choose to change the anonymous authentication identity, which is called out in that article:
If you use the IUSR account, you grant anonymous users all the internal network access associated with that account.
34
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
