I need to set permissions on logs folder for created IIS Application Pool. The code to set permissions:
<CreateFolder Directory="SiteLogsFolder">
<util:PermissionEx User="Everyone" Read="yes" GenericRead="yes"/>
<util:PermissionEx User="[IisSiteUser]" GenericRead="yes" GenericWrite="yes" GenericExecute="yes" Delete="yes" DeleteChild="yes"/>
</CreateFolder>
<CustomAction Id="SetIis6SiteUser" Property="IisSiteUser" Value="NT AUTHORITY\NetworkService"/>
<CustomAction Id="SetIis7SiteUser" Property="IisSiteUser" Value="IIS AppPool\[SITE_APP_POOL]"/>
<InstallExecuteSequence>
<Custom Action="SetIis7SiteUser" Before="InstallInitialize">IISMAJORVERSION>="#7"</Custom>
<Custom Action="SetIis6SiteUser" Before="InstallInitialize">IISMAJORVERSION="#6"</Custom>
</InstallExecuteSequence>
This works fine for IIS 6 on Windows Server 2003, but fails for IIS 7.5 on Windows Server 2008. I get the error:
ExecSecureObjects: Error 0x80070534: failed to get sid for account: IIS AppPool\MyAppPool
Investigation details:
Click the Locations button and make sure that you select your computer. Enter IIS AppPool\<myappoolname> (eg: IIS AppPool\PK Protect) in the Enter the object names to select: text box. Click the Check Names button and click OK. Check Modify under the Allow column, and click OK, and OK.
I had this problem when I was building my WIX project as x86. I solved it by scheduling SchedSecureObjects and ExecSecureObjects before ConfigureIIs.
<Custom Action="SchedSecureObjects" After="ConfigureIIs" />
<Custom Action="ExecSecureObjects" After="ConfigureIIs" />
The problem came up again when I started building the project as x64. This time I had to schedule the 64 bit actions before ConfigureIIs as well.
<Custom Action="SchedSecureObjects_x64" After="ConfigureIIs" />
<Custom Action="ExecSecureObjects_64" After="ConfigureIIs" />
<Custom Action="SchedSecureObjects" After="ConfigureIIs" />
<Custom Action="ExecSecureObjects" After="ConfigureIIs" />
Testing on Server 2012, I confirmed that there can be a delay before the account becomes available. Using the following script, I repro'd a failure to find in 3 of about 30 attempts. It seems that we will need a delay between creation of the app pool and looking up the SID. In my test, it never took more than 1s.
param ($id)
if (!$id) {write-host "specify an id"; return}
c:\windows\system32\inetsrv\appcmd add apppool /name:$id /managedRuntimeVersion:"v4.0" /managedPipelineMode:"Integrated"
$objUser = New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$id")
$sid=""
while (!$sid)
{
$sid = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
if (!$sid) {write-host "$id not found"} else {$sid}
sleep 1
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With