tags:

views:

491

answers:

1
Q: 

How does IIS7 authorization work when setting up an application outside of wwwroot

I tried to add a new application in II7 and point it to another directory on my hard drive outside of wwwroot. I have it under the default app pool and connecting as an application user. The application contains simple static html pages not asp.net and this is my development server and will only be used for just that.

When I try to access the application it throws an error. I did a bit of research on this and the advice I got was to add NETWORK SERVICE to the physical path of the application. This did not work. I then did some more research and instead of using NETWORK SERVICE I added ISUR. This worked.

Out of this I drew two vague conclusions:

  • NETWORK SERVICE is used for asp.net applications
  • IUSR is used for static html pages

Can someone please confirm this.

  • Is it then safe to say that if my asp.net applications contains html files I would need to add both accounts to my physical path to make it run correctly?
  • It also sounds to me that since this a development machine it is probably easier to just connect as and use the account I am logged in with on Windows. Am I right?
  • Finally, if I would have addded my test application in a folder under wwwroot instead, would everything have worked since wwwroot and its folders are already setup with the correct privileges for static html and asp.net?

Thank you for all your help.

P.S. any blogs on how to get up to speed with IIS7 would be highly appreciated.

A: 

It is a little bit more complicated than that.

The calls to static HTML pages go through IIS

  • If IIS authentication is anonymous it will be IUSR that accesses the file
  • If IIS authentication is windows it will be the windows identity of the request that is used

The calls to ASP.net pages go first through IIS then to the ASP.net process

  • The default identity of the application pool is NETWORK USER, that is why the call is made by NETWORK user in your case.
  • The identity of the app pool could be configured to be a different user
  • The web config could be configured to impersonate the calling user

There are a lot of possible combinations this, many more than I have covered here. But basically you must look at:

  • The identity of the user accessing the site
  • The configuration of IIS
  • The configuration of the application pool
  • The configuration of web.config
Shiraz Bhaiji  2009-08-13 15:57:30
So my conclusion is correct. Since the authentication is anonymous in my case I have to add the IUSR to the physical path to access the static html. If I had an aspx page I have to add NETWORK USER for it to work. If I have both I have to have both accounts present on the physical path?
 2009-08-13 16:29:02
Yes, for your configuration, if you have both aspx and html files in the same physical path. But for a different configuration it may change.
Shiraz Bhaiji  2009-08-13 16:40:26

related questions

IE6 security login (debugging via VirtualPC)
Asp.net Reinstalling a DLL into the GAC
Failed to load resources from resource file.
What does an IISReset do?
How do I secure a folder used to let users upload files?
VBScript/IIS - How do I automatically set ASP.NET version for a particular website
IIS 6/COM+ hangs
Web server farms with IIS ? Basic Infos
.NET 3.5 Service Pack 1 causes 404 pages on ASP.NET Web App
What Url rewriter do you use for ASP.Net?
Publishing to IIS - Best Practices
ASP.NET Proxy Application
PHP on IIS
How do I stop IIS7 dropping my cookies?
HTTPS in IIS 5.1
Best tool for performance testing ASP.NET
Alternative Hostname for an IIS web site for internal access only
SQL Server 2008 FileStream on a Web Server
Solutions for working with multiple branches in ASP.Net
Dual vs. Quadcore on a Webserver
PHP Error - Uploading a file
Visual Studio 2008 debugger already attached work-around
Linux shell equivalent on IIS
Bandwith throttling in IIS 6 by IP Address
Checklist for IIS 6/ASP.NET Windows Authentication?