IIS Permissions for ASP.NET or NETWORK SERVICE account?

[dcross]

I have an installation project that creates 3 virtual directories. 2 are ASP.NET applications and one is a data directory. The system requires read/write access to the data directory, and I cannot seem to get the right settings to ensure that this works across a variety of installation targets (OS' and versions of IIS).

It seems that windows XP includes IIS 5.x, and the system runs under the ASP.NET user account (by default). Win2K3 installs IIS 6, and runs under NETWORK SERVICE (In fact I create an AppPool and specify NetworkService in the Appliction Pool Security section), but the data virtual directory (not being an application) is not assigned to an app pool.

I have implemented the solution suggested in this post:
http://www.advancedinstaller.com/forums ... is+asp.net

But it does not seem to set the correct permissions on Windows 2003 Server. I am now using the condition "VersionNT>502" to specify NETWORK SERVICE for any OS other than XP or less. I think that this works, but wonder if it might be better to:
a) Actually determine the user account under which the web server is running or
b) Test the version of IIS rather than the version of the OS in the condition to determine ASP.NET or NETWORK SERVICE user

[dcross]

Correction, setting the condition "VersionNT>502" still does not identify my Windows 2003 (64 bit) OS and set it to NETWORK SERVICE. Can anyone confirm which user should be granted write permissions on a virtual directory for each OS (based on their default configurations)?

I would still really like to have an option that identifies the user account under which the web site process will execute. Any ideas on this?

[Cosmin]

Hi,

Usually the target user account for a virtual directory is known before the package is configured. However, if you want to configure permission for the default IIS user account, you can use the IUSR_computername account. In your project you can set the permissions for this account. Note that specific options need to be set in order to set a permission.

Regards,
Cosmin

[dcross]

Thanks Cosmin, I guess I should have clarified that I am not allowing anonymous web access to the virtual directory, so it's not the IUSR_<computername> account that requires permissions. It's the web app running in one of the other virtual directories that requires write permissions to this folder. So I know that it will be either ASP.NET or NETWORK SERVICE depending on the version of IIS - am I right?

[Cosmin]

Hi,

Yes, different IIS versions use different user accounts. For what you need a good solution is to set a custom installer property based on the target system, like you already tried. This can be done by using a "Property set with Formatted" custom action. The custom property can then be used for the permissions of the file.

If you are encountering problems with this approach, please send us the .AIP (project) file you are using to support at advancedinstaller dot com so we can investigate it.

Regards,
Cosmin

[dcross]

Thanks Cosmin,
I'm not having a problem with the "Property set with Formatted" custom action, except that the conditions do not offer a way to detect the version of IIS, only the version of the OS. No problem - I can infer the IIS version from the OS.

In a previous reply you suggested:

if you want to configure permission for the default IIS user account, you can use the IUSR_computername account. In your project you can set the permissions for this account.

I have tried doing this also, using a custom action I set the name of the IUSR_computername account. It blows up on windows Server 2008 because, guess what, the default anonymous user is "IUSR" no 'computername' suffix! I guess the problem I have is that I seem to have to guess which user needs permissions based on the flavour of the OS - AI does not tell me a) what version of IIS I'm installing to or b) what user account is specified as the anonymous user (unless I set that myself in the installer, which most secure environments to which I deploy will not permit).

[Cosmin]

Hi,

I have tried doing this also, using a custom action I set the name of the IUSR_computername account. It blows up on windows Server 2008 because, guess what, the default anonymous user is "IUSR" no 'computername' suffix!

A solution is to use a custom installer property for the user to which you want to set permissions. Through "Property set with Formatted" custom actions you can set this property to "IUSR_computername" and "IUSR". These custom actions can be conditioned with the VersionNT property to set "IUSR" as the username on Windows Server 2008 or newer and "IUSR_computername" on older Windows versions.

I seem to have to guess which user needs permissions based on the flavour of the OS - AI does not tell me a) what version of IIS I'm installing to or b) what user account is specified as the anonymous user

No other users requested this, so we didn't implement a feature in Advanced Installer. Usually the target user account for a virtual directory is known before the package is configured. However, the IIS version is determined by the Windows version. Also, the default user account can be determined based on the IIS (Windows) version. So what you need can be done with the current Advanced Installer features.

Regards,
Cosmin