IIS 7 – Who is running the show?

30. October 2009 22:00 by rtur.net in asp.net // Comments (8)

When you run an ASP.NET site in Visual Studio, things generally tend to work. It is usually when you try to deploy it to a live server that you get into trouble. This is why I wasn’t surprised when, after setting up a little continuous integration server, my application that ran perfectly well in VS broke apart on local IIS 7. I went to the IIS console and double-checked application settings and write permissions. Along with Network Service I gave access to the ASPNET account, because IIS keeps changing identity and I felt too lazy to figure out what account it uses in this particular case.

Did not work. I was still getting annoying “access denied” errors. It puzzled me a little bit and I started to dig deeper. It turned out that in IIS 7.x the account that ASP.NET uses is called… ApplicationPoolIdentity!

Ok, that’s new. To make sure I’m not delusional I put together a page that outputs the ASP.NET process name and checked if this identity has write permission to the folders that my application needed to function properly. Sure enough, it confirmed my suspicions – the App_Data directory I needed write access to was not accessible for ApplicationPoolIdentity. For App_Code, IIS did assign write permissions to this stranger.

The fix is obvious once you know who runs the show under IIS’s mask. I could’ve given this new account all the needed rights, but instead just changed the identity for the classic application pool to Network Service.

Ran the checker page again and this time got a familiar account name and all the green bars. Sweet!

End of story, but it got me thinking about some kind of install/setup troubleshooter for ASP.NET applications. Basically, it can be a form where you specify some common conditions, then it runs and checks those conditions and outputs the result on the screen. It could be really helpful for beginners in identifying problems that otherwise can be frustrating for novice would-be ASP.NET converts. I run into questions on setup and install issues in BlogEngine’s forum all the time. If not generic, it can be easily extended to troubleshoot the most common issues with installing BlogEngine on different server configurations, regardless of whether you are using an enterprise-level MPLS VPN or a simple IP web host.

If you are having issues with weird behavior on your BE live server, download and unzip the “check” folder to your local machine and then move it to that server. Go to your site and navigate to the “check” folder; it will show you file access permissions relevant to your BE installation. For another ASP.NET application you would have to modify the code to check your writable directories, but it is very easy: you only need to replace the directories in Page_Load with those your app uses.

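// Code-behind of the check page; WindowsIdentity needs "using System.Security.Principal;".
// Msg and Process are helper methods defined elsewhere in the check page.
protected void Page_Load(object sender, EventArgs e)
{
    // Show which Windows account the ASP.NET worker process runs as.
    Msg(string.Format("ASP.NET account Identity is: {0}", 
        WindowsIdentity.GetCurrent().Name), true);

    // One call per directory the application must be able to write to;
    // replace these with the directories your own app uses.
    Process("app_data");

    Process("app_data/datastore");

    Process("app_code/extensions");
}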

check.zip (10.55 kb)
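
The other option mentioned in the post, giving the pool's own account rights on just the writable folders instead of switching the pool to Network Service, can be scripted. This is an added example, not part of the original post or of check.zip; the pool name and site path are assumptions, and the folders are the ones the check page tests.

```powershell
# Added example. PoolName and SiteRoot are assumed values; adjust to your server.
# Without -Grant the script only reports; with -Grant it adds the missing ACE.
param(
    [string]$PoolName = 'DefaultAppPool',
    [string]$SiteRoot = 'C:\inetpub\wwwroot\blog',
    [switch]$Grant
)

# Per-pool virtual account used when the pool identity is ApplicationPoolIdentity.
$account  = "IIS APPPOOL\$PoolName"
$modify   = [int][System.Security.AccessControl.FileSystemRights]::Modify
# Folders the check page tests (app_data/datastore inherits from App_Data).
$writable = 'App_Data', 'App_Code\Extensions'

foreach ($rel in $writable) {
    $path = Join-Path $SiteRoot $rel
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Warning "Missing directory: $path"
        continue
    }

    # Only ACEs naming the pool account itself are inspected. Rights that
    # arrive through a group such as IIS_IUSRS are not counted here.
    $aces = (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $modify) -eq $modify)
    }

    if ($aces) {
        Write-Output "OK      $account has Modify on $path"
    }
    elseif ($Grant) {
        # (OI)(CI) = inherit to files and subfolders, M = Modify.
        & icacls.exe $path /grant "${account}:(OI)(CI)M" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed for $path" }
        Write-Output "GRANTED $account Modify on $path"
    }
    else {
        Write-Output "MISSING $account has no explicit Modify ACE on $path"
    }
}
```

Because each pool has its own `IIS APPPOOL\<name>` account, a grant made this way applies to that one pool only, whereas Network Service is shared by every pool and service configured to run as it.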

Comments (8) -

Russell
11/6/2009 2:23:11 AM #

I think we should add that check folder to the default BlogEngine.NET deployment. Maybe globally catch access denied errors and redirect to it?

I tend to have this issue every time I deploy BE.NET, and on Linux it gets even more complicated!

rtur.net
11/6/2009 10:21:50 AM #

Maybe add it to the setup folder or move it to admin as a general troubleshooting section. We can add stuff to it as we discover issues, even show some logging/tracing there, like app started, extensions loaded etc.

Radek Dolezel
11/14/2009 3:29:25 PM #

ApplicationPoolIdentity has suddenly appeared in Service Pack 2 for Windows Server 2008. It is very strange because Microsoft announced this feature only for W7 and W2008 R2 (i.e. IIS 7.5). What's worse - there is no way to add ACL permissions for the new identity called "IIS APPPOOL\your_website_name" in the GUI, you have to use ICACLS.EXE.
ApplicationPoolIdentity is predefined when a new application pool is created in W2008 Server SP2 even when the Application Pool defaults contain Network Service as the default identity. I believe it is a bug. Everything is described at http://dolezel.net/post/2009/11/11/Zmena-v-IIS-70-po-aplikaci-W2008-SP2.aspx, in Czech, but you can still look at the images and follow the hyperlinks to English websites.

Vincent Girard
12/3/2009 8:59:53 AM #

For myself, I was running into the same write permission problem, but the user that needed the permissions was IIS_IUSRS. I'm on Win7 + IIS7.5. When I look under the hood I do have ApplicationPoolIdentity just like you do.

I also think that your "check" script could be useful in a lot of applications to be sure that everything is ok.

MGD King
12/9/2009 9:04:43 AM #

Great tool! This helped me fix an issue after I upgraded to 1.5.1.35 on an IIS 6 box. Somewhere along the line permissions got out of whack and this tool helped me identify that I didn't have permissions for Network Service on some of the folders. Now all is right with my blog. :)

Jack K.
12/16/2009 9:38:14 PM #

Thanks, saved me a lot of time.

IIS7 Setup
2/24/2010 7:32:29 AM #

Great stuff! Never would have looked at the app pool's identity. You learn something new every day ;)

fia
3/22/2010 3:17:17 PM #

Nice post... I like this informative information of .... I met a problem like this with my .net script and tried to search for a solution... thanks for sharing
