Solving an IIS security issue…

 

I was installing some stuff for a client under ASP.NET 2.0 and IIS in Windows Server 2003. The installation was going fine, though it is much more complicated than it needs to be. There is such a thing as an installer and a wizard, and WordPress can do a 5 minute install, come on people. Anyway, here's the security situation…

  • There is an AD user called IUSR_foo that is in the IIS_WPG group… so it should be allowed to run ASP.NET 2.0.
  • That user is the identity for an IIS application pool named foo, thus allowing me to isolate that website
  • The actual www.foo.com site lives in the foo application pool
  • The security settings for www.foo.com are such that anonymous users run under the IUSR_foo user account

Sounds fine, right? I thought so too… but no…

The current identity (IUSR_foo) does not have write access to 'C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files'. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Now that sucks, hard. So I look around, trying to figure out the “right” way to solve this. I could just grant IIS_WPG access to that temp directory, but who knows what is broken. Fortunately, I came across this post on Micah’s Blog that pointed me right. The answer? Go to the directory that the .NET framework in question uses and then…

aspnet_regiis -ga "IUSR_foo"

That seemed to do it. So hopefully it’s right.
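To confirm the fix rather than hope, the ACL on the temp directory can be inspected directly. The script below is an added example, not from the original post or from Micah's Blog; it assumes PowerShell is installed on the server and that the account and framework path are the ones named above.

```powershell
# Added example: confirm that the application pool identity has an Allow ACE
# with write rights on the ASP.NET 2.0 temp folder, and no Deny ACE on write.
param(
    [string]$Identity  = 'IUSR_foo',   # account name used in the post
    [string]$Framework = "$env:windir\Microsoft.NET\Framework\v2.0.50727"
)

$tempDir = Join-Path $Framework 'Temporary ASP.NET Files'
$write   = [int][System.Security.AccessControl.FileSystemRights]::Write

# Explicit and inherited ACEs that name the account directly.
# ACEs granted through a group such as IIS_WPG are not evaluated here.
$aces = @((Get-Acl -Path $tempDir).Access | Where-Object {
    $_.IdentityReference.Value -like "*\$Identity"
})

# Allow ACEs that cover every bit of the Write right.
$allow = @($aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $write) -eq $write)
})

# Deny ACEs that touch any write bit override an Allow.
$deny = @($aces | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    (([int]$_.FileSystemRights -band $write) -ne 0)
})

# Show what was found so the result can be reviewed by eye.
$aces | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

if ($allow.Count -gt 0 -and $deny.Count -eq 0) {
    Write-Host "OK: $Identity has write access on $tempDir"
} else {
    Write-Host "CHECK: no direct write ACE for $Identity on $tempDir"
    exit 1
}
```

Running it before and after `aspnet_regiis -ga` shows what the command changed on this directory. An ACE stored with raw generic rights will not match the Write mask, so read the printed table as well as the final line.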