Reputation: 143
I have a local Intranet application that does some file validation using Directory.Exists and File.Exists. Unfortunately, the checks fail due to the fact that the application is running as "ApplicationPoolIdentity" and that account doesn't have access to the UNC paths the Directory.Exists and File.Exists are checking.
Should I give that ApplicationPoolIdentity account permissions to read those directories? (All of the directories appear under a top level folder of a single server.) If so, how?
Or, should I run the Application Pool under a domain account and grant that account permissions? (If I do need to create a new account, what permissions should I give it?)
Thanks for any input!
Upvotes: 0
Views: 742
Reputation: 4416
You need to set read ACLs for the following identity: IIS AppPool\. You can do it either from the folder properties dialog (if your computer is on the domain, make sure Locations is set to the local machine in the "Select Users or Groups" dialog) or using icacls from the command line.
Upvotes: 0
Reputation: 53709
As a rule I normally create a custom account, but if you want to grant additional rights to shares etc. I would say that it is the best option.
Create a new AppPool with a custom identity with the relevant access to the shares. Then have the application run under this new AppPool. That way you can have other applications that do not require access to the shares in AppPools that do not have this access.
If you are using Windows 7 or Windows 2008 R2 you might want to look at Virtual Accounts.
Here is a good article on the topic of Application Pool Identities
Upvotes: 1
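The dedicated-pool approach from the answer above, sketched in PowerShell as an added example that is not part of the original thread. The pool name, application path and UNC path are hypothetical placeholders, and the script assumes it runs elevated on the IIS server under an account allowed to change ACLs on the share.

```powershell
# Added example: every name below is a placeholder (assumption), not a value from the thread.
Import-Module WebAdministration

$poolName  = 'IntranetFilesPool'                     # hypothetical app pool name
$appPath   = 'IIS:\Sites\Default Web Site\Intranet'  # hypothetical application path
$sharePath = '\\fileserver01\validation'             # hypothetical top-level UNC folder

# Prompt for the domain service account (enter it as DOMAIN\user) so the
# password never lands in the script or in shell history.
$cred = Get-Credential -Message 'Domain service account for the app pool'

# 1. Dedicated pool, so only this application gets access to the share.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}

# 2. Run the pool as the domain account (identityType 3 = SpecificUser).
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# 3. Move the application into the new pool; other applications stay in
#    pools whose identities have no rights on the share.
Set-ItemProperty $appPath -Name applicationPool -Value $poolName

# 4. Grant read-only NTFS rights (RX), inherited by subfolders (CI) and
#    files (OI). Directory.Exists and File.Exists need nothing more.
icacls $sharePath /grant "$($cred.UserName):(OI)(CI)RX"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 5. Show the resulting entry so the grant can be reviewed.
icacls $sharePath | Select-String -SimpleMatch $cred.UserName
```

The share-level permissions on the file server must also allow Read for the same account, since access over UNC is limited by both the share and the NTFS ACL.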