Sasha

Reputation: 8850

Permission set for newly created IIS AppPool Identity

I need to set permissions on the logs folder for the created IIS Application Pool. The code to set permissions:

<CreateFolder Directory="SiteLogsFolder">
    <util:PermissionEx User="Everyone" Read="yes" GenericRead="yes"/>
    <util:PermissionEx User="[IisSiteUser]" GenericRead="yes" GenericWrite="yes" GenericExecute="yes" Delete="yes" DeleteChild="yes"/>
</CreateFolder>

<!-- IIS 6 pools run as NetworkService; IIS 7+ pools get the virtual account IIS AppPool\<pool name> -->
<CustomAction Id="SetIis6SiteUser" Property="IisSiteUser" Value="NT AUTHORITY\NetworkService"/>
<CustomAction Id="SetIis7SiteUser" Property="IisSiteUser" Value="IIS AppPool\[SITE_APP_POOL]"/>

<InstallExecuteSequence>
  <!-- IISMAJORVERSION is set by the iis extension's detection; "#7" is the numeric form -->
  <Custom Action="SetIis7SiteUser" Before="InstallInitialize">IISMAJORVERSION>="#7"</Custom>
  <Custom Action="SetIis6SiteUser" Before="InstallInitialize">IISMAJORVERSION="#6"</Custom>
</InstallExecuteSequence>

This works fine for IIS 6 on Windows Server 2003, but fails for IIS 7.5 on Windows Server 2008. I get the error:

ExecSecureObjects:  Error 0x80070534: failed to get sid for account: IIS AppPool\MyAppPool

Investigation details:

Upvotes: 7

Views: 2204

Answers (2)

alaney

Reputation: 623

I had this problem when I was building my WIX project as x86. I solved it by scheduling SchedSecureObjects and ExecSecureObjects before ConfigureIIs.

<Custom Action="SchedSecureObjects" After="ConfigureIIs" />
<Custom Action="ExecSecureObjects" After="ConfigureIIs" />

The problem came up again when I started building the project as x64. This time I had to schedule the 64 bit actions before ConfigureIIs as well.

<Custom Action="SchedSecureObjects_x64" After="ConfigureIIs" />
<Custom Action="ExecSecureObjects_64" After="ConfigureIIs" />
<Custom Action="SchedSecureObjects" After="ConfigureIIs" />
<Custom Action="ExecSecureObjects" After="ConfigureIIs" />

Upvotes: 4
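A complete WiX v3 fragment that combines the question's permission entries with the sequencing from the answer above, as an added example rather than code from either poster. It assumes a SITE_APP_POOL property, a SiteLogsFolder Directory defined elsewhere, and the candle `$(var.Platform)` preprocessor variable to pick the 32-bit or 64-bit SecureObjects actions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the question or answers. Assumes WiX v3 with the
     iis and util extensions; build with candle -arch x86 or -arch x64. -->
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"
     xmlns:iis="http://schemas.microsoft.com/wix/IIsExtension"
     xmlns:util="http://schemas.microsoft.com/wix/UtilExtension">
  <Fragment>
    <!-- IIS 6 pools run as NetworkService; IIS 7+ pools run as IIS AppPool\<name> -->
    <CustomAction Id="SetIis6SiteUser" Property="IisSiteUser" Value="NT AUTHORITY\NetworkService"/>
    <CustomAction Id="SetIis7SiteUser" Property="IisSiteUser" Value="IIS AppPool\[SITE_APP_POOL]"/>

    <DirectoryRef Id="SiteLogsFolder">
      <Component Id="SiteLogsFolderPerms" Guid="PUT-GUID-HERE">
        <!-- The pool is created by ConfigureIIs; on IIS 7.5 it defaults to
             ApplicationPoolIdentity, i.e. the virtual account IIS AppPool\<name>. -->
        <iis:WebAppPool Id="SiteAppPool" Name="[SITE_APP_POOL]"
                        ManagedRuntimeVersion="v4.0" ManagedPipelineMode="integrated"/>
        <CreateFolder>
          <!-- Everyone gets read only; the pool identity needs write/delete for log files -->
          <util:PermissionEx User="Everyone" GenericRead="yes"/>
          <util:PermissionEx User="[IisSiteUser]" GenericRead="yes" GenericWrite="yes"
                             GenericExecute="yes" Delete="yes" DeleteChild="yes"/>
        </CreateFolder>
      </Component>
    </DirectoryRef>

    <InstallExecuteSequence>
      <Custom Action="SetIis7SiteUser" Before="InstallInitialize">IISMAJORVERSION&gt;="#7"</Custom>
      <Custom Action="SetIis6SiteUser" Before="InstallInitialize">IISMAJORVERSION="#6"</Custom>
      <!-- The SID lookup for IIS AppPool\<name> only succeeds once ConfigureIIs has
           created the pool, so the SecureObjects actions must be moved after it.
           (Default scheduling runs them earlier, which produces error 0x80070534.) -->
      <?if $(var.Platform) = x64 ?>
      <Custom Action="SchedSecureObjects_x64" After="ConfigureIIs"/>
      <Custom Action="ExecSecureObjects_64" After="ConfigureIIs"/>
      <?endif ?>
      <Custom Action="SchedSecureObjects" After="ConfigureIIs"/>
      <Custom Action="ExecSecureObjects" After="ConfigureIIs"/>
    </InstallExecuteSequence>
  </Fragment>
</Wix>
```

After install, confirm the result with icacls on the logs folder: the only write-capable ACE should belong to the pool identity, not to Everyone.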

Elroy Flynn

Reputation: 3218

Testing on Server 2012, I confirmed that there can be a delay before the account becomes available. Using the following script, I repro'd a failure to find in 3 of about 30 attempts. It seems that we will need a delay between creation of the app pool and looking up the SID. In my test, it never took more than 1s.

param ($id)
if (!$id) { Write-Host "specify an id"; return }
# Create the pool; the IIS APPPOOL\<id> virtual account only becomes resolvable after this
c:\windows\system32\inetsrv\appcmd add apppool /name:$id /managedRuntimeVersion:"v4.0" /managedPipelineMode:"Integrated"
$objUser = New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$id")
$sid = $null
while (!$sid)
{
  # Translate throws IdentityNotMappedException while the account is not yet known
  try   { $sid = $objUser.Translate([System.Security.Principal.SecurityIdentifier]) }
  catch { $sid = $null }
  if (!$sid) { Write-Host "$id not found"; Start-Sleep -Seconds 1 } else { $sid }
}

Upvotes: 2
