Permission set for newly created IIS AppPool Identity

I need to set permissions on the logs folder for the IIS Application Pool created by my installer. The code to set permissions:

<CreateFolder Directory="SiteLogsFolder">
    <util:PermissionEx User="Everyone" Read="yes" GenericRead="yes"/>
    <util:PermissionEx User="[IisSiteUser]" GenericRead="yes" GenericWrite="yes" GenericExecute="yes" Delete="yes" DeleteChild="yes"/>
</CreateFolder>

<CustomAction Id="SetIis6SiteUser" Property="IisSiteUser" Value="NT AUTHORITY\NetworkService"/>
<CustomAction Id="SetIis7SiteUser" Property="IisSiteUser" Value="IIS AppPool\[SITE_APP_POOL]"/>

<InstallExecuteSequence>
  <Custom Action="SetIis7SiteUser" Before="InstallInitialize">IISMAJORVERSION>="#7"</Custom>
  <Custom Action="SetIis6SiteUser" Before="InstallInitialize">IISMAJORVERSION="#6"</Custom>
</InstallExecuteSequence>

This works fine for IIS 6 on Windows Server 2003, but fails for IIS 7.5 on Windows Server 2008. I get the error:

ExecSecureObjects:  Error 0x80070534: failed to get sid for account: IIS AppPool\MyAppPool

Investigation details:

  • I also tried the "IIS APPPOOL" domain - same result.
  • Also tried setting both the Domain and User properties of the PermissionEx element instead of merging them in the User attribute. Again the same error.
  • Using Active Directory accounts in PermissionEx works fine. An Active Directory account also works fine with the IIS site pool when set.
  • If I try to set permissions for another AppPool (not the one created by my installer, for example IIS AppPool\DefaultAppPool), again all works fine. The problem occurs only when I set permissions for the AppPool that is created by my installer.
  • I checked the sequencing of ConfigureIIs, SchedSecureObjects and ExecSecureObjects and tried to force ConfigureIIs to execute before the other two (it was recommended in this thread). Unfortunately that didn't help either.
Sasha asked Dec 14 '12 16:12




2 Answers

I had this problem when I was building my WiX project as x86. I solved it by scheduling SchedSecureObjects and ExecSecureObjects before ConfigureIIs.

<Custom Action="SchedSecureObjects" After="ConfigureIIs" />
<Custom Action="ExecSecureObjects" After="ConfigureIIs" />

The problem came up again when I started building the project as x64. This time I had to schedule the 64 bit actions before ConfigureIIs as well.

<Custom Action="SchedSecureObjects_x64" After="ConfigureIIs" />
<Custom Action="ExecSecureObjects_64" After="ConfigureIIs" />
<Custom Action="SchedSecureObjects" After="ConfigureIIs" />
<Custom Action="ExecSecureObjects" After="ConfigureIIs" />
RodgerTheGreat answered Oct 24 '22 10:10


Testing on Server 2012, I confirmed that there can be a delay before the account becomes available. Using the following script, I repro'd a failure to find in 3 of about 30 attempts. It seems that we will need a delay between creation of the app pool and looking up the SID. In my test, it never took more than 1s.

param ($id)
if (!$id) {write-host "specify an id"; return}

# Create the application pool; Windows creates the "IIS APPPOOL\<name>" virtual account for it.
c:\windows\system32\inetsrv\appcmd add apppool /name:$id /managedRuntimeVersion:"v4.0" /managedPipelineMode:"Integrated"

# Keep asking for the SID of the new virtual account until the lookup succeeds.
$objUser = New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$id")
$sid=""
while (!$sid)
{
  # Translate() throws IdentityNotMappedException while the account is not yet
  # resolvable; PowerShell reports the error and $sid stays empty, so the loop repeats.
  $sid = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
  if (!$sid) {write-host "$id not found"} else {$sid}
  sleep 1
}
Elroy Flynn answered Oct 24 '22 09:10
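The procedure from the question and the timing observation from the second answer, combined in one added PowerShell script (this is not code from either post): create the pool, wait a bounded time for the IIS AppPool\<name> virtual account to resolve to a SID, then grant that SID, by SID rather than by name, the same rights the question's PermissionEx element asks for on the logs folder. The parameter names, the 30-second timeout and the Wait-AppPoolSid helper are my own choices; appcmd.exe is assumed to be installed and the script to run from an elevated prompt.

```powershell
# Added example: create an IIS app pool, wait for its virtual account SID, and ACL a logs folder.
# Assumes IIS with appcmd.exe present and an elevated session; parameter names are my own.
param (
    [Parameter(Mandatory = $true)][string] $PoolName,
    [Parameter(Mandatory = $true)][string] $LogsFolder,
    [int] $TimeoutSeconds = 30
)

# Retry the name-to-SID lookup with a cap instead of looping forever: the virtual
# account "IIS AppPool\<name>" can lag the pool creation by a little (up to ~1s in
# the measurement above), but a lookup that never succeeds should fail the install.
function Wait-AppPoolSid {
    param ([string] $Name, [int] $Seconds)
    $account  = New-Object System.Security.Principal.NTAccount("IIS AppPool\$Name")
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ($true) {
        try {
            return $account.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            # IdentityNotMappedException (wrapped by PowerShell) while the account is not yet resolvable
            if ((Get-Date) -gt $deadline) {
                throw "SID for IIS AppPool\$Name did not resolve within $Seconds s: $($_.Exception.Message)"
            }
            Start-Sleep -Milliseconds 250
        }
    }
}

$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
& $appcmd add apppool /name:$PoolName /managedRuntimeVersion:"v4.0" /managedPipelineMode:"Integrated"
if ($LASTEXITCODE -ne 0) { throw "appcmd failed to create pool '$PoolName' (exit code $LASTEXITCODE)" }

$sid = Wait-AppPoolSid -Name $PoolName -Seconds $TimeoutSeconds
Write-Host "Resolved IIS AppPool\$PoolName -> $($sid.Value)"

if (-not (Test-Path -Path $LogsFolder)) {
    New-Item -ItemType Directory -Path $LogsFolder | Out-Null
}

# Rights mirror the question's PermissionEx for the pool identity: read, write, execute,
# delete and delete-child, inherited by files and subfolders. That is Modify plus
# DeleteSubdirectoriesAndFiles, deliberately not FullControl, so the worker process
# cannot rewrite the folder's own ACL. The ACE is keyed on the SID, so no second
# name lookup happens at ACL-apply time.
$rights    = [System.Security.AccessControl.FileSystemRights]'Modify, DeleteSubdirectoriesAndFiles'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, $rights, $inherit, $propagate, $allow

$acl = Get-Acl -Path $LogsFolder
$acl.AddAccessRule($rule)
Set-Acl -Path $LogsFolder -AclObject $acl

# Verification: show the ACEs that now apply to the pool identity on the folder.
(Get-Acl -Path $LogsFolder).Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType -AutoSize
```

Usage: `.\Grant-AppPoolLogsAccess.ps1 -PoolName MyAppPool -LogsFolder 'D:\Sites\MyApp\logs'` (the script file name is mine). The question's extra `Everyone` read ACE is left out on purpose: a log folder only needs to be writable by the worker process identity and readable by whoever reviews the logs, and granting it to Everyone exposes log contents to every local account.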