Re: machine.config - add assembly="*" - Required permissions cannot be acquired - IIS 6.0 - c#

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Steven Cheng[MSFT] (v-schang_at_online.microsoft.com)
Date: 03/14/05 

Date: Mon, 14 Mar 2005 06:27:18 GMT

Thanks for your followup Kal,

As you said that the when switching the process Identity to LOCAL SYSTEM,
it works( Do you mean that the applicaiton will run without any permission
problem with both the two applications?), I think this is like a typical
permission issue. LOCAL SYSTEM is the most powerful identity for running
ASP.NET.

What makes me a bit confused is that why did you choose the " IWAM_SANDBOX"
or "LocalService" account to run the ASP.NET? On w2k3 server with IIS6(if
not using the IIS5 MODEL), the default process Identity will be NT
AUTHORITY\NetworkService (also the comupter's network account), also we can
switch to LOCALSYSTEM if want unrestricted permission on local machine. But
the IWAM_SANDBOX or LocalService account are not the recommended process
Identity account which may not have the sufficient permissions for running
ASP.NET.

In fact, on 2k3server with IIS6, you can find a local Group named "IIS_WPG"
which is the group for the ASP.NET process Account. So I suggest you create
a new account (LOCAL or domain) and add this account into the IIS_WPG
group(Networkservice is by default in this group). This will ensure the
account will have the sufficient permissions to run ASP.NET normally.
Then, you can switch your asp.net application's Applicaiton Pool to use
this account to see whether the permission error still occurs.

If still with permission error, I suggest you use the FILE monitor tool to
have a check to see what's the exact file that cause this error so that we
can try granting permission to our process identity.

BTW, since WSS is by default installed on SBS , is your website be extended
by WSS? Runing normal asp.net application in a site which has been extended
by WSS will also cause permission problems.

If any questions on this, please feel free to post here. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Relevant Pages

  • Re: Question about "Configuration Error" Message
    ... Microsoft Online Support ... | what's the default permission shoule "default machine\aspnet" ... | account have for that foler, ... | |> process running under local system account. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Question about "Configuration Error" Message
    ... Microsoft Online Support ... | what's the default permission shoule "default machine\aspnet" ... | account have for that foler, ... | |> process running under local system account. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Problem deploying forms authorization
    ... SERFVICE"(which as restricted permission), so it is likely that the ... protected resource under this account. ... Also, to make sure it is the process identity that cause the error, I ... ** change your ASP.NET applicaiton's IIS application pool identity from ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: machine.config - add assembly="*" - Required permissions cannot be acquired - IIS 6.0
    ... Regarding WSS - I have not yet worked with that and believe no website is ... > As you said that the when switching the process Identity to LOCAL SYSTEM, ... > it works(Do you mean that the applicaiton will run without any permission ... > the IWAM_SANDBOX or LocalService account are not the recommended process ...
    (microsoft.public.inetserver.iis)
  • Re: Adding a computer account to files security list
    ... > from granting Change permission on a folder to a computer account? ... Or does it mean any local account on that machine has ... Computer accounts represents one of the internal system accounts. ... Most of local system services run under this account. ...
    (microsoft.public.win2000.active_directory)