Reputation: 1114
I am trying to force my web application to run completely as the AppPool User (Domain\UserForApp) and I correctly set the setting in IIS and everything runs fine and "System.Security.Principal.WindowsIdentity.GetCurrent().Name" returns the correct "Domain\UserForApp".
However, when I tried to restrict the permissions of my web app directory to the bare bones needed:
I could no longer load any static files. So I downloaded Process Monitor to find out why and whenever it tries to access a static file, I get the following error:
ACCESS DENIED:
Desired Access: Generic Read
Disposition: Open
Options: Sequential Access, No Buffering
Attributes: RE
ShareMode: Read, Write, Delete
AllocationSize: n/a
Impersonating: NT AUTHORITY\IUSR
And as you can see from the above, IUSR doesn't have permissions, so that is correct, but I just don't understand why it's trying to impersonate anyway. In my web.config file I have:
<location path="" overrideMode="Deny">
<system.web>
<identity impersonate="false" />
</system.web>
</location>
just to ensure that no one turns on impersonation, but it had no effect.
It doesn't work in either Classic or Pipelined mode, but the error is slightly different. In Classic mode, when viewing the images it just shows an HTTP Error 401.3 - Unauthorized page, and when using Pipelined mode it redirects to the login site.
Upvotes: 1
Views: 1364
Reputation: 119856
If you want the site to run as the app pool's identity then you need:
<location path="my_site">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication userName="" />
</authentication>
</security>
</system.webServer>
</location>
You can set this in your applicationHost.config file (probably the best place) by doing:
APPCMD.exe set config "my_site" -section:system.webServer/security/authentication/anonymousAuthentication /username:"" /commit:apphost
Upvotes: 2
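The answer's fix, as an added PowerShell example that is not part of the question or answer: it reads the current anonymous-authentication account for the site, clears it so anonymous requests run as the application pool identity (the same change the appcmd command above makes in applicationHost.config), verifies the change, and then grants only that identity read access on the site folder so the directory ACL can stay as tight as the asker wanted. It assumes the WebAdministration module (IIS 7 or later), a site named "my_site" (placeholder, as in the answer), and that the pool already runs as Domain\UserForApp from the question; if the pool uses the built-in ApplicationPoolIdentity instead, the ACL principal is "IIS AppPool\<pool name>", which the script handles.

```powershell
# Added example, not code from the question or answer.
# Assumes: WebAdministration module, a site named "my_site" (placeholder),
# and an app pool already configured to run as Domain\UserForApp.
Import-Module WebAdministration

$siteName = 'my_site'   # placeholder site name from the answer
$filter   = 'system.webServer/security/authentication/anonymousAuthentication'
$appHost  = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, where the answer puts it

# 1. Which account do anonymous requests currently impersonate?
#    Empty userName = "use the application pool identity".
#    The IIS default is IUSR, which is what Process Monitor showed in the question.
$current = (Get-WebConfiguration -PSPath $appHost -Location $siteName -Filter $filter).userName
"Before: anonymous userName = '$current'"

# 2. Clear the account so static files are read as the pool identity.
#    This writes a <location path="my_site"> entry into applicationHost.config,
#    exactly like: appcmd set config "my_site" -section:... /username:"" /commit:apphost
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter $filter -Name 'userName' -Value ''

# 3. Verify the change actually landed (a locked section would silently keep IUSR).
$after = (Get-WebConfiguration -PSPath $appHost -Location $siteName -Filter $filter).userName
if ($after -ne '') { throw "anonymousAuthentication userName is still '$after'" }
"After:  anonymous userName = '' (application pool identity)"

# 4. Now only one account needs to read the content folder.
#    Resolve the pool's identity: a custom account (Domain\UserForApp in the
#    question) or, if the pool uses ApplicationPoolIdentity, "IIS AppPool\<name>".
$site     = Get-Website -Name $siteName
$root     = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
$pool     = Get-Item "IIS:\AppPools\$($site.applicationPool)"
$poolUser = $pool.processModel.userName
if ([string]::IsNullOrEmpty($poolUser)) { $poolUser = "IIS AppPool\$($pool.Name)" }

# Read + execute on the folder and everything below it; nothing for IUSR.
icacls $root /grant "${poolUser}:(OI)(CI)RX" | Out-Null
"Granted RX on $root to $poolUser"

# 5. Flag any leftover IUSR entry so the least-privilege goal is visible.
icacls $root | Select-String -Pattern 'IUSR' | ForEach-Object {
    Write-Warning "IUSR still has an ACE on ${root}: $_"
}
```

Run it from an elevated PowerShell on the IIS host. After it completes, a Process Monitor capture of a static-file request should show the pool account, not NT AUTHORITY\IUSR, in the Impersonating column; if it still shows IUSR, check whether a web.config lower in the tree overrides the section or whether the section is locked at a level the site cannot override.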