Question
I have a web application that is running on IIS 7.5 and is having some permission issues. The site will read/serve files, but will not write to any file location under any circumstances. Ideally, I'd be writing to a non-local share, but I'm currently just trying to get the application to write to a local share/drive. I've tried setting the identity to a domain service account set up specifically for this application, the built-in Network Service account, and the ApplicationPoolIdentity with no luck. It may be worth mentioning that this server is a virtualized instance running on shared hardware with other servers.
In order to try and grasp the issue, I have granted full control to:
(MACHINE NAME)
(MACHINE NAME)\Users
(MACHINE NAME)\IUSR
(MACHINE NAME)\IIS_IUSRS
(DOMAIN NAME)\(MACHINE NAME)
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
(APPLICATION POOL IDENTITY)
(DOMAIN NAME)\(SERVICE ACCOUNT NAME)
I have manually verified that all these accounts/groups have full control on the security tab of the file/folder.
The app pool is running under the .NET Framework v4.0 on the Integrated Managed Pipeline. I've tried it with Load User Profile set to both true and false with no luck. The site itself is set to application pass-through authentication.
The error thrown in the browser is:
Access to the path 'D:\Dataload\LOG.txt' is denied.
[UnauthorizedAccessException: Access to the path 'D:\Dataload\LOG.txt' is denied.]
I've tried writing to that file with it already created as well as not created. I've also tried calling the file by its server path instead of the drive name.
Viewing the event in Microsoft's Process Monitor:
Operation: CreateFile
Result: ACCESS DENIED
Desired Access: Generic Write, Read Attributes
Disposition: OpenIF
Options:Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Open No Recall
Attributes:n/a
ShareMode: Read
User:NT AUTHORITY\NETWORK SERVICE (this will correctly change depending on the identity I set)
Is there something I am missing with groups or accounts, or possibly an IIS setting I could be overlooking that prevents write access?
Answer 1:
I figured out the answer to this a while back and forgot about my post here. In this particular instance, the problem was with the Internet Explorer Enhanced Security Configuration settings on the server. In order to see your settings in Windows Server 2008 R2, go to the Server Manager and have your view on the main page. Once there, go down to the Security Settings section. Here you will see an item called IE Enhanced Security Configuration (ESC), and next to it its current settings for both administrators and users. In my case, the default settings on this fresh server were set to On for both administrators and users. Setting these to Off allowed the network service account to write to all locations it had been granted proper permissions to, thus solving the problem.
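The question grants Full Control on the target folder to nine principals while troubleshooting. As an added example (not part of the original question or answer), the PowerShell below lists every ACE on that folder that carries write rights and separates the entries for the pool identity from the rest. The default path and identity are taken from the error message and the Process Monitor trace in the question; the function and variable names are illustrative.

```powershell
# Added example, not code from the question or answer.
# Defaults come from the post: the folder in the error message and the
# identity shown in the Process Monitor trace. Adjust both as needed.
param(
    [string]$Path     = 'D:\Dataload',
    [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'
)

# Bits that permit creating or changing files: WriteData (0x2), AppendData (0x4),
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which
# inherit-only ACEs can carry unmapped.
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-WriteAce {
    param([string]$Path, [string]$Identity)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Skip entries that carry no write-related bit (read-only grants etc.).
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Type      = $ace.AccessControlType          # Allow or Deny
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            # Direct match only; access gained through group membership
            # (for example Users or IIS_IUSRS) shows up under the group's name.
            IsTarget  = $ace.IdentityReference.Value -eq $Identity
        }
    }
}

$aces = @(Get-WriteAce -Path $Path -Identity $Identity)

# Show Deny entries first: an explicit Deny overrides an Allow.
$aces | Sort-Object @{ Expression = { $_.Type -ne 'Deny' } }, Principal |
    Format-Table -AutoSize

# Allow entries for principals other than the pool identity: the grants to
# review once the application can write.
$aces | Where-Object { $_.Type -eq 'Allow' -and -not $_.IsTarget } |
    Select-Object -ExpandProperty Principal -Unique
```

Run it from an elevated prompt on the web server; when the pool runs as ApplicationPoolIdentity, pass the identity in the form `IIS AppPool\<pool name>`.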
Source: https://stackoverflow.com/questions/20377968/iis-7-5-app-pool-write-permissions-denied