ElHaix

Reputation: 13006

What access permissions are required to start/stop IIS app pools using DirectoryEntry with C#?

Given the following method, I am trying to start/stop an IIS 7 app pool. I can successfully accomplish this on my local system, but when I put this on our Windows 2008 server, I get an error only when trying to stop the service - starting works fine:

// Requires: System, System.Configuration, System.DirectoryServices, System.Web.Mvc
[NoCache]
public ActionResult EnableAppPool(Models.ActionRequest actionRequest)
{
    try
    {
        if (ModelState.IsValid && actionRequest.ActionRequestPassword == ConfigurationManager.AppSettings["NewsfeedAdminPassword"])
        {
            bool enableNewsfeed = Convert.ToBoolean(actionRequest.EnableNewsfeedAppPool);

            // ADSI path of the app pool in the IIS metabase
            string sPath = "IIS://" + ConfigurationManager.AppSettings["MachineName"] + "/W3SVC/AppPools/" + ConfigurationManager.AppSettings["AppPoolName"];
            Console.WriteLine(sPath);
            // Dispose the entry so the underlying COM object is released
            using (DirectoryEntry w3svc = new DirectoryEntry(sPath))
            {
                // Invoked under the identity the request is running as
                if (enableNewsfeed)
                {
                    w3svc.Invoke("Start");
                }
                else
                {
                    w3svc.Invoke("Stop");
                }
            }
        }
    }
    catch (Exception)
    {
        // Rethrow without resetting the stack trace
        throw;
    }

    return null;
}

The error is as follows:

Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

I realize this is a permissions issue, but I'm not sure about what I have to grant access to, and for what user.

FYI: I already enabled IIS 6 Metabase and WMI Compatibility

Upvotes: 4

Views: 6301

Answers (1)

Guru Kara

Reputation: 6472

The identity under which your code is running does not have access to start and stop app pools. Here is a quote from an article:

"In order to communicate with Active Directory one must take into account network security, business rules, and technological constraints. If you're using Active Directory code from an ASP.NET page you must ensure that the code has the appropriate level of permission to access and interact with the directory. For development purposes or proof of concept you can enable impersonation at the ASP.NET level (in web.config) and the IIS level and if the IIS server and the directory domain controller reside on the same machine this will work. However, if these entities are not co-located on the same server (as they never are in production) you can wrap the code around an impersonation class (such as the Zeta Impersonator which will execute the Directory calls under the token of the impersonated user."

http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#3

And this article clearly explains how to run bits of code in your application under a different (possibly higher-level access user) context.

http://support.microsoft.com/kb/306158

Upvotes: 1
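Added example, not code from the answer or the linked articles: one way to apply the impersonation approach the answer points to, so that only the Start/Stop call runs under a different account and the rest of the request keeps the worker process identity. The class and method names are hypothetical, and it assumes a dedicated account that has already been granted the rights needed to manage the app pool, with its credentials supplied by the caller from protected configuration.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Hypothetical helper: scopes impersonation to the single metabase call.
public static class AppPoolControl
{
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // poolPath is the same "IIS://<machine>/W3SVC/AppPools/<pool>" string the question builds.
    // user/domain/password identify the assumed dedicated account; never hard-code them.
    public static void SetAppPoolState(string poolPath, bool start,
        string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface the Win32 error (bad credentials, logon type not allowed, ...)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        try
        {
            // Disposing the context reverts the thread to the original identity,
            // even if Invoke throws.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            using (DirectoryEntry pool = new DirectoryEntry(poolPath))
            {
                pool.Invoke(start ? "Start" : "Stop");
            }
        }
        finally
        {
            CloseHandle(token); // always release the logon token
        }
    }
}
```

Keeping the impersonated block this small means a flaw elsewhere in the controller does not run with the more privileged account's rights.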
