.NET Power Tip 12: Setting IIS Application Pools on Windows Access Control Lists (ACL)

I stumbled upon this one recently, and I always need to google it to get the syntax right. So this blog post is primarily a reminder for myself. But hey, it's a great tip and it could be useful to many people.

Assume that you have a web application hosted in Internet Information Services (IIS) and you have a Windows resource such as a file or a directory. How can you make sure that the web application can access the file?

The first idea is obvious. Add the user of the application pool identity to the access control list (ACL) of the file.

However, there is a WAY BETTER approach that many people are not aware of. You can add the application pool itself to the ACL, not the user identity!

Let's assume that we have an application pool called “CalculatorApplicationPool” that runs under a service user called “mme”.

The calculator application needs access to a file called “Calculator.dat”. We could of course just add the user “trivadis\mme” to the access control list, but the more elegant solution is to add the application pool itself. Go to the Security settings of the file and hit the “Add...” button.

In the “Select Users or Groups” dialog, enter “iis apppool\” followed by the application pool name. Make sure that the location is correct: the application pool identity is a virtual account that exists only on the IIS server itself, so on a domain-joined machine switch the location from the domain to the local computer, otherwise the name cannot be resolved.

Clicking “Check Names” confirms that the application pool has been found.

Now we can add or remove permissions as if it were a regular user.

This approach has a huge advantage: we only have to manage the credentials once, while configuring the application pool. It works because IIS adds the application pool's own security identifier (SID) to the worker process token, even when the pool runs under a custom account such as “mme”. Management becomes much easier since we do not need to change the ACL settings if we want to modify the application pool user.
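The same grant can be scripted instead of clicked through. The following is an added example, not code from the original post; it assumes a pool named “CalculatorApplicationPool” and a file at C:\inetpub\data\Calculator.dat, and must run in an elevated PowerShell session on the IIS server itself, because the pool identity is a virtual account local to that machine.

```powershell
# Added example (not from the original post): grant the application pool
# identity read access to a file from PowerShell instead of the GUI.
# Assumed names: pool "CalculatorApplicationPool", file C:\inetpub\data\Calculator.dat.
# Run from an elevated PowerShell prompt on the IIS server itself.

$poolName = 'CalculatorApplicationPool'
$path     = 'C:\inetpub\data\Calculator.dat'

# The pool identity is a virtual account local to this machine. Translating it
# to a SID proves the pool exists; application pool SIDs start with S-1-5-82.
$account = New-Object -TypeName System.Security.Principal.NTAccount `
    -ArgumentList 'IIS AppPool', $poolName
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
Write-Host "Pool identity SID: $($sid.Value)"

# Grant only what the application needs (Read), not Full Control.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $account, 'Read', 'Allow'
$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: list the ACL entries that belong to the pool identity.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq "IIS AppPool\$poolName" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType

# Equivalent one-liner with icacls (R = read):
# icacls $path /grant "IIS AppPool\${poolName}:(R)"
```

If the Translate call throws, the pool name is wrong or the script is not running on the IIS server that owns the pool.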

Note: you can also add the default application pool identity to the ACL by using “iis apppool\defaultapppool”.