Blog‎ > ‎

Resource Permissions for IIS Applications

posted Mar 23, 2011, 12:16 PM by Jeremy Walker
If you haven't noticed by now, I'm building a WCF Web Service that will be run in IIS 7.5. The service needs to save files to a folder outside of the Application's home directory. However, by default, the security account that IIS runs the service with does not have any privileges to any resources outside of Application's home folder. IIS 7.5, by default, creates virtual user accounts (that don't show up as regular users) to run worker processes for its Application Pools. The virtual account is named after the Application Pool that uses it. For example: the DefaultAppPool in IIS 7.5 runs as 'IIS AppPool\DefaultAppPool'. If you had an Application Pool named 'MyAppPool', the account name would be 'IIS AppPool\MyAppPool'. The virtual account is specific to the computer that runs the instance of IIS. So when you are choosing a user account to grant privileges make sure you have the Location set to the computer that is running IIS.

Note: If the security tab, GUI-way, of granting the permissions does not work, use the icacls.exe to do it.

This is all true as long as the Identity in the Application Pool is set to 'ApplicationPoolIdentity'. Otherwise IIS will run the worker processes as the identity specified.

More here.