The days when I played with ASP.NET web sites all the time have, perhaps unfortunately, gone. Now my day job has me delving into grown-up stuff such as the wonderful worlds of cloud service infrastructure, design patterns, systems and software architecture, Big Data, and even open source projects named after animals.
So a simple task this week, as I applied my almost forgotten skills to get my custom kludged-together server status website to delete old log files, was thwarted by permission errors. And, rather strangely, it coincided with a week when I watched John Cooper Clarke reciting some of his famous haiku on the BBC TV program “Have I Got News for You”. Including:
in seventeen syllables
is very diffic
(See the original version on YouTube)
So, here we go:
So all I get is denied
When I delete files
Not NETWORK SERVICE
It was IUSR-machine
but now something else
Yep, I tried setting the target folder permissions to allow the ASPNET account to delete files, but there is no ASPNET account in Windows Server 2008 R2. Instead, I tried setting the permissions for the NETWORK SERVICE group, but that doesn’t work either. And there is no IUSR_[machine-name] account anymore, so that was another dead end.
So I went off and looked for the name of the account that the Default App Pool runs under, and found one I’d never heard of before: “ApplicationPoolIdentity”. Which isn’t actually an account. But various blogs say there is an IIS AppPool\[app-pool-name] account that you can configure. Err, no there isn’t on my server. Another blog post suggested simply changing the Default App Pool to run under the NETWORK SERVICE account, but I didn’t fancy that in case I broke something else.
Yet another blog said that ApplicationPoolIdentity is a member of the Users group, and you should just set permission on that account group. Which didn’t work either. Finally I found this page, which explains that all you need to do is set the permissions on the new IIS_IUSRS account. Which worked.
In the end it had taken two minutes to add a “Delete” button and OnClick handler to the page, but the best part of an hour finding the right information, learning about how IIS works, and fiddling with permissions. But I guess that sometimes you do have to teach old dogs new tricks…
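The fix described above, scoped so that IIS_IUSRS can delete files in the log folder only and gains nothing elsewhere on the site. This is an added example, not code from the original post; the folder path is an assumed placeholder, and the script must run from an elevated PowerShell session.

```powershell
# Assumed placeholder: the folder the status site writes its log files to.
$logDir   = 'D:\ServerStatus\Logs'
$identity = 'BUILTIN\IIS_IUSRS'

# Read the folder's current ACL so existing entries are preserved.
$acl = Get-Acl -Path $logDir

# Grant Read + Delete, but only on files inside the folder:
#   ObjectInherit -> the entry is inherited by child files
#   InheritOnly   -> the entry does not apply to the folder itself,
#                    so the folder cannot be deleted or renamed.
$rights    = [System.Security.AccessControl.FileSystemRights]'Read, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$type      = [System.Security.AccessControl.AccessControlType]::Allow

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity, $rights, $inherit, $propagate, $type)

$acl.AddAccessRule($rule)
Set-Acl -Path $logDir -AclObject $acl

# Verify: show every entry for IIS_IUSRS and whether it was set here
# (IsInherited = False) or comes from a parent folder.
(Get-Acl -Path $logDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table FileSystemRights, AccessControlType,
                 InheritanceFlags, PropagationFlags, IsInherited
```

Listing the folder's contents still relies on whatever read access the worker process already has on the folder itself; this entry adds only the delete right on the files.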