Update: The original question was for Windows Server 2008, but the solution is easier for Windows Server 2008 R2 and Windows Server 2012 (and Windows 7 and 8). You can add the user through the NTFS UI by typing it in directly. The name is in the format of IIS APPPOOL\{app pool name}. For example: IIS APPPOOL\DefaultAppPool.
Note: Per comments below, there are two things to be aware of:
- Enter the string directly into the "Select User or Group" and not in the search field.
- In a domain environment you need to set the Location to your local computer first.
Reference to Microsoft Docs article: Application Pool Identities > Securing Resources
Original response: (for Windows Server 2008) This is a great feature, but as you mentioned it's not fully implemented yet. You can add the app pool identity from the command prompt with something like icacls, then you can manage it from the GUI. For example, run something like this from the command prompt:
icacls c:\inetpub\wwwroot /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)
Then, in Windows Explorer, go to the wwwroot folder and edit the security permissions. You will see what looks like a group (the group icon) called DefaultAppPool. You can now edit the permissions.
However, you don't need to use this at all. It's a bonus that you can use if you want. You can use the old way of creating a custom user per app pool and assigning the custom user to disk. That has full UI support.
This SID injection method is nice because it allows you to use a single user but fully isolate each site from each other without having to create unique users for each app pool. Pretty impressive, and it will be even better with UI support.
Note: If you are unable to find the application pool user, check to see if the Windows service called Application Host Helper Service is running. It's the service that maps application pool users to Windows accounts.
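Added example (not part of the original answer): a PowerShell script that does what the icacls line above does, but resolves the app pool's virtual account to a SID first, checks the Application Host Helper Service the note mentions, and reads the ACL back so you can confirm only read/execute was granted. The pool name, folder path and service name are assumptions for illustration.

```powershell
# Added example (not from the original answer): grant an application pool's
# virtual identity ReadAndExecute on a content folder, then verify the ACE.
# Assumed values: pool "DefaultAppPool", folder C:\inetpub\wwwroot.
param(
    [string]$AppPool = "DefaultAppPool",
    [string]$Path    = "C:\inetpub\wwwroot"
)

# "IIS APPPOOL\<name>" only resolves while the Application Host Helper Service
# (service name AppHostSvc) is running; it maps pool names to SIDs.
$svc = Get-Service -Name AppHostSvc -ErrorAction Stop
if ($svc.Status -ne 'Running') { Start-Service -Name AppHostSvc }

$identity = "IIS APPPOOL\$AppPool"

# Translate the account to a SID up front: this fails loudly if the pool does
# not exist, instead of icacls silently granting rights to an unresolvable name.
$sid = (New-Object System.Security.Principal.NTAccount($identity)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Least privilege: ReadAndExecute only. ContainerInherit + ObjectInherit is the
# PowerShell equivalent of (OI)(CI) in the icacls command.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: show every ACE for this SID so anything broader than RX stands out.
(Get-Acl -Path $Path).Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
```

Run it from an elevated PowerShell on the web server; if the Translate call throws, the pool name is wrong or the helper service is still stopped.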
First of all, "impersonation" is the term applied only inside the same machine, if your network share (or IIS, or virtual dir, or MS SQL Server, etc.) is on another computer then it is delegation and you should configure it between computers (read SPN, Service Principal Name).
Is your network share on the same or on a different computer?
Then, it is not "double hop" since you do not pass through the original identity of your webapp user but use fixed impersonation in web.config.
I hope it is not in production? This, putting credentials in web.config, is EVIL, EVIL, EVIL, do not ever do this, just don't!
BTW, you can reach the same result without fixed impersonation in web.config by running your webapp in a custom application pool under your domain user, cf. [1]. This is easier, more configurable and more reliable.
I could have tried to write you instructions for all possible cases since the exact context is blurred in your post, but it would have ended up in an unreadable dozens-page article.
OK, I started writing:
Disable "Anonymous access" and enable "Basic authentication" in IIS (properties of website)
Change
<authentication mode="None" />
to
<authentication mode="Windows" />
in web.config
Disable "Use simple file sharing" in Windows Explorer --> menu Tools --> Folder Options... --> tab View
Give permissions for username on network share
Make sure that NTLM is enabled on all involved interacting computers
Please read and follow the instructions in [2].
I could not find a description of the same quality for IIS7/W2006 but I strongly believe that what you need did not change.
If you have any further questions or problems, post more specific questions.
----- Cited:
[1] How To: Create a Service Account for an ASP.NET 2.0 Application, http://msdn.microsoft.com/en-us/library/ms998297.aspx
[2] How To: Use Impersonation and Delegation in ASP.NET 2.0, http://msdn.microsoft.com/en-us/library/ff647404.aspx
Best Answer
I had a similar problem where I needed access to a network share and solved it using the following steps:
1) Create an account with the same username and password on front end server and file server. Make sure that the password does not expire or must be changed.
2) Create a Network Share and give the new account read/write rights. I also tested that I could connect from the front end servers using the new account to verify that no firewalls are in the way.
3) On the front end server, I included the account in the IIS_IUSRS group that indirectly gives it Logon as Batch Job rights.
4) Run the following command to grant rights to the account
See more: How To: Create a Service Account for an ASP.NET 2.0 Application (MSDN)
5) Restarted WAS and IIS to make sure the changes to the account's group membership take hold when I try to use the account.
6) Create an Application Pool and set the Identity in Advanced Settings.
This is the part where I got stuck on IIS 8 on Windows Server 2012 with error messages when trying to set the identity.
From IIS Manager I got the following error dialog: "There was an error while performing this operation. Details: Value does not fall within the expected range."
Trying to set the App Pool identity from the command line I receive a similar error:
When I remove the last parameter, password, the command succeeds in changing the identity type and setting the username, but I never figured out why I could not set the password, so I resorted to editing my applicationHost.config file directly. Unfortunately, the password ended up in clear text.
7) Finally I set my Web Application to use the application pool and it could access the Network Share without any issues.
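Added example (not part of the answer above): step 6 done through the IIS configuration provider rather than by hand-editing applicationHost.config, which is what left the password in clear text. The password is prompted for instead of being typed on a command line, and the pool is read back afterwards. Pool and account names are assumptions for illustration.

```powershell
# Added example (not from the original answer): set an application pool to run
# as a custom service account via the WebAdministration provider.
# Assumed values: pool "MyAppPool", account "CONTOSO\svc_web".
Import-Module WebAdministration

$PoolName = "MyAppPool"
$Account  = "CONTOSO\svc_web"
$pool     = "IIS:\AppPools\$PoolName"

# Prompt for the password so it never sits in a script file or shell history.
$cred = Get-Credential -UserName $Account -Message "Service account password"

if (-not (Test-Path $pool)) { New-Item $pool | Out-Null }

# identityType 3 = SpecificUser. Going through the configuration API lets IIS
# store the password encrypted in applicationHost.config; a manual edit of the
# file leaves it in clear text, as the answer above describes.
Set-ItemProperty -Path $pool -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Recycle so the worker process picks up the new identity, then read back the
# stored configuration (username and identity type only).
Restart-WebAppPool -Name $PoolName
$pm = Get-ItemProperty -Path $pool -Name processModel
"{0} runs as {1} (identityType={2})" -f $PoolName, $pm.userName, $pm.identityType
```

The account still needs the IIS_IUSRS membership and the share permissions from steps 2 and 3; this script only changes the pool identity.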