Security – Unable to set NTFS permissions for ApplicationPoolIdentity on Windows 2008 SP2

authenticationiis-7Securitywindows-server-2008

On Windows 2008 R2 I am able to set NTFS permissions for an application pool's synthesised ApplicationPoolIdentity account thus:

ICACLS d:\websites\site1\www /grant "IIS AppPool\site1":(CI)(OI)(M)

The website's application pool is named site1 and is configured to run as ApplicationPoolIdentity. The site's authentication is also configured to authenticate as ApplicationPoolIdentity. I've done this a thousand times on Windows 2008 Standard Edition R2 with never a hitch.

However if I try to do the same in Windows 2008 Standard Edition SP2 I get the error:

IIS AppPool\site1: No mapping between account names and security IDs was done.
Successfully processed 0 files; Failed processing 1 files

I also notice that this fails if I try to set permissions for the application pool identity via the security GUI as well. I've seen this before and a reboot has cleared this issue but I'd like to know why this happens periodically. Googling around suggests other folks have hit this problem but there's never a satisfactory explanation.

Why would this be?

Best Answer

Hey Kevin. The windows service used for the virtual mapping is "Application Host Helper Service" (AppHostSvc). Double check that it's running correctly, and since the problem resolves itself after a reboot, next time restart just that service and see if it temporarily resolves the issue.

It sounds like you know, but in pre-R2 you can add the user from the command line only, but then you can 'manage' it from the security GUI (as long as everything is working as it should). In R2 you can also add it in the GUI by typing in the full name (i.e. IIS AppPool\site1).

Related Solutions

How to Assign Permissions to ApplicationPoolIdentity Account

Update: The original question was for Windows Server 2008, but the solution is easier for Windows Server 2008 R2 and Windows Server 2012 (and Windows 7 and 8). You can add the user through the NTFS UI by typing it in directly. The name is in the format of IIS APPPOOL\{app pool name}. For example: IIS APPPOOL\DefaultAppPool.

IIS APPPOOL\{app pool name}

Note: Per comments below, there are two things to be aware of:

Enter the string directly into the "Select User or Group" and not in the search field.
In a domain environment you need to set the Location to your local computer first.

Reference to Microsoft Docs article: Application Pool Identities > Securing Resources

Original response: (for Windows Server 2008) This is a great feature, but as you mentioned it's not fully implemented yet. You can add the app pool identity from the command prompt with something like icacls, then you can manage it from the GUI. For example, run something like this from the command prompt:

icacls c:\inetpub\wwwroot /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)

Then, in Windows Explorer, go to the wwwroot folder and edit the security permissions. You will see what looks like a group (the group icon) called DefaultAppPool. You can now edit the permissions.

However, you don't need to use this at all. It's a bonus that you can use if you want. You can use the old way of creating a custom user per app pool and assigning the custom user to disk. That has full UI support.

This SID injection method is nice because it allows you to use a single user but fully isolate each site from each other without having to create unique users for each app pool. Pretty impressive, and it will be even better with UI support.

Note: If you are unable to find the application pool user, check to see if the Windows service called Application Host Helper Service is running. It's the service that maps application pool users to Windows accounts.

ApplicationPoolIdentity user cannot modify files in shared folder in Windows Server 2008

If you are running your application pool using a specified identity, granting permission to the machine account will not work. You should run your AppPool with a domain account, and grant that account the appropriate permissions to the shared folder. Using a local account will also not work if the shared folder is on a remote computer.

If you do not have a domain, you could run the AppPool with LocalSystem, and that should work with granting the machine account permission to the shared folder. But that would probably be suboptimal from a security perspective.

Related Topic