So, let me put the disclaimer in first: I wouldn't typically piggy-back IIS on a domain controller, but that's what I've got and I can't change that in this instance.
I've got a WCF web service I need to host here. I'd like to be able to use an application pool identity from IIS to grant filesystem permissions as well as Launch and Activation Permissions in component services. I'm not able to find the account when I browse for it by trying to select "IIS AppPool\DefaultAppPool".
Does anyone know if this is even possible on a 2008R2 domain controller?
Best Answer
Granting permissions to Application Pool Identities via the UI on Windows 2008R2 can be a bit prone to not working now and again, but can be achieved using a couple of command line tools.
NTFS Permissions:
Use the ICACLS command line tool to set NTFS permissions:
The above configures the DefaultAppPool identity to have Modify permissions on c:\wwwroot with File and Folder inheritance. In the UI it looks like:
and under the permissions Advanced UI:
DCOM Launch and Activation and Access Permissions:
Again, the UI can be a bit hinky here when it comes to IIS AppPool\<ident> accounts and there's no built-in command line tool to configure Launch and Activation Permissions and Access Permissions. You could try setting these values in the registry but unless you know how to create a serialised ACL for LaunchPermission and AccessPermission it's going to be hard going.
All is not lost though. There's a tool called dcomperm.exe which is included as a sample project in the Microsoft Windows SDK for Windows 7 and .NET Framework 4. This chap has written about it here:
You can try and build it yourself or download a prebuilt binary from his Microsoft Live SkyDrive.
To use dcomperm.exe you'll need to know the AppID of your DCOM app. You can do this by locating it in the General tab of your application's DCOM configuration properties. For example, I've picked the IIS CertObj library as a working example:
You can place your cursor in the Application ID field and select the whole field; make sure you include the curly braces as well.
Next open a command line prompt (running as Administrator). To grant your application pool identity Local Launch and Local Activation permissions you would execute:
Where:
-al = Modify or list the launch and activation permission
{62B8CCBE-5A45-4372-8C4A-6A87DD3EDD60} = the App ID we copied from the DCOMCNFG UI
set "IIS AppPool\DefaultAppPool" = set this identity
permit = set the permit flag
ll = Local Launch
la = Local Activation
This looks like the following in the UI:
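The two steps in the answer above (NTFS Modify with inheritance via icacls, then Local Launch and Local Activation via dcomperm), as an added PowerShell script that is not part of the original answer. It assumes it is run elevated on the server, that the SDK sample dcomperm.exe has been built and copied to the placeholder path C:\Tools\dcomperm.exe, and that the sample accepts the permission list as "permit level:ll,la" (check the tool's own usage text by running it with no arguments if that differs).

```powershell
# Added example, not code from the original answer.
# Grants the DefaultAppPool identity only what the WCF service needs on this
# box: Modify on the web root and Local (not Remote) Launch/Activation on one
# DCOM AppID, then checks that each grant actually landed.
$Identity = 'IIS AppPool\DefaultAppPool'
$Folder   = 'C:\wwwroot'
$AppId    = '{62B8CCBE-5A45-4372-8C4A-6A87DD3EDD60}'   # IIS CertObj AppID from the answer
$DcomPerm = 'C:\Tools\dcomperm.exe'                     # assumed path to the built SDK sample

if (-not (Test-Path $DcomPerm)) { throw "dcomperm.exe not found at $DcomPerm" }

# 1. NTFS: Modify (M), inherited by subfolders (CI) and files (OI).
$grant = $Identity + ':(OI)(CI)M'
& icacls.exe $Folder /grant $grant
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify the ACE is present with the expected inheritance flags.
$aclText = & icacls.exe $Folder
$expected = [regex]::Escape($Identity) + ':\(OI\)\(CI\)\(M\)'
if (-not ($aclText -match $expected)) { throw "NTFS grant for $Identity not found on $Folder" }

# 2. DCOM: Local Launch (ll) + Local Activation (la) on the AppID.
#    -al = launch/activation permission of the given AppID (from the answer).
#    'level:ll,la' is the assumed argument form of the SDK sample.
& $DcomPerm -al $AppId set $Identity permit level:ll,la
if ($LASTEXITCODE -ne 0) { throw "dcomperm failed with exit code $LASTEXITCODE" }

# 3. List the resulting launch/activation ACL so the grant can be reviewed.
& $DcomPerm -al $AppId list
```

Because remote launch/activation (rl, ra) are deliberately left out, the app pool identity can only start and activate the component from this machine, which keeps the grant as narrow as the answer's own example.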