This section describes the minimum permissions that the application needs to run and to access files.
Follow the procedures below to make the application work correctly:
First, you need to know which identity the application runs under. By default, it is "NETWORK SERVICE" in Windows 2003 IIS 6 and Windows 2008 IIS 7, or "IIS APPPOOL\DefaultAppPool" in Windows 2008 IIS 7.5 (64 bit). Replace DefaultAppPool with the other pool name if the application does not run under the default pool.
You can check it in the IIS console:
Open the IIS console: Control Panel -> Administrative Tools -> Internet Information Services, then expand "Default web site".
For IIS 7 and 7.5: Click the "Application pools" node and check the identity that the "DefaultAppPool" pool runs under. By default it is "NETWORK SERVICE" in IIS 7 or "IIS APPPOOL\DefaultAppPool" (the real name of the virtual ApplicationPoolIdentity account) in IIS 7.5 (64 bit). If the application does not run under the default pool, the user is "IIS APPPOOL\YourCustomAppPoolName".
For IIS 6: Expand the "Application pools" node and right-click "DefaultAppPool". Click "Properties" in the context menu and find "Application pool identity" on the "Identity" tab. By default it is "NETWORK SERVICE".
If you are still not sure which identity the application runs under, open http://localhost/HTCOMNET/Diagnostics.aspx and look at the "Application identity" value, or check in Windows Task Manager which user runs the "w3wp.exe" process.
Once you know the application identity ("NETWORK SERVICE" or "IIS APPPOOL\DefaultAppPool"), you can set the necessary NTFS permissions.
Note for Windows 2008 users! The "IIS APPPOOL\DefaultAppPool" user is available in the GUI ACL editor only on Windows 2008 R2 and newer. On the original Windows 2008 release it is easier to change the account: in the "DefaultAppPool" pool settings, change the account to "NETWORK SERVICE" and then set permissions for this user.
How to set permissions:
Check NTFS permissions for the HTCOMNET folder and the top-level web.config files:
You should grant the application identity the NTFS "Read and execute", "Read" and "List folder contents" permissions on the HTCOMNET folder.
Set the same permissions on the web.config files in all top-level folders (like c:\Inetpub\wwwroot\web.config) as well!
Check NTFS permissions for "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files" and "%WINDIR%\Temp" folders:
You should also grant the application identity the NTFS "Modify" permission on the "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files" and "%WINDIR%\Temp" folders.
Note! The Windows authentication version starts under the default identity ("%LOCALMACHINENAME%\NETWORK SERVICE" or "%LOCALMACHINENAME%\ApplicationPoolIdentity") but works under the identity of the logged-on user, therefore you should grant permissions to your Active Directory users as well.
Repeat steps #1 and #2 for your Active Directory users (Domain Users group), i.e. grant domain users permissions on the HTCOMNET folder, the web.config files in all top-level folders, and the "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files" and "%WINDIR%\Temp" folders.
Check NTFS permissions for the admin user on the Data folder:
You should also set the NTFS "Modify" permission for the domain admin user on the Data folder if you will use the online Admin panel for user and folder setup. If you want to log on to the admin panel as a user who is not a domain admin, you need to set the permission for that user. By default the Data folder is in the HTCOMNET root, but it is strongly recommended to move it outside the web server root or to disable file download (see the dataFolderPath key in the Web.config file)!
Permissions for the content of the files and folders:
If you already have a folder structure for domain users with permissions set, you don't need to modify the existing permissions. The application works under the logged-on user's role with that user's permissions, so a user can't use files if NTFS prohibits it.
If you want to create a new folder structure, you need to set the necessary NTFS permissions on the folders for domain users.
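The grants from steps #1 and #2 can also be made from the command line. The following PowerShell script is an added example, not part of the original documentation or the vendor's tooling. It calls the built-in icacls utility, and the default identity and the install path C:\Inetpub\wwwroot\HTCOMNET are assumptions to adjust.

```powershell
# Added example, not vendor code. Assumed defaults: adjust to your installation.
param(
    [string]$Identity = 'IIS APPPOOL\DefaultAppPool',   # or 'NETWORK SERVICE'
    [string]$AppRoot  = 'C:\Inetpub\wwwroot\HTCOMNET',  # assumed install path
    [switch]$Apply                                      # without -Apply, only print the commands
)

$grants = @()

# Step 1a: read and execute (RX) on the application folder,
# inherited by subfolders (CI) and files (OI).
$grants += ,@($AppRoot, "${Identity}:(OI)(CI)RX")

# Step 1b: the same right on every web.config found in the folders above the application.
$dir = Split-Path $AppRoot -Parent
while ($dir) {
    $cfg = Join-Path $dir 'web.config'
    if (Test-Path -LiteralPath $cfg -PathType Leaf) { $grants += ,@($cfg, "${Identity}:RX") }
    $dir = Split-Path $dir -Parent
}

# Step 2: modify (M) on the two temporary folders named on this page.
$tempDirs = @(
    (Join-Path $env:WINDIR 'Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files'),
    (Join-Path $env:WINDIR 'Temp')
)
foreach ($d in $tempDirs) { $grants += ,@($d, "${Identity}:(OI)(CI)M") }

foreach ($g in $grants) {
    $path, $spec = $g
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping missing path: $path"
        continue
    }
    if ($Apply) {
        & icacls.exe $path /grant $spec | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Error "icacls failed for $path"; continue }
        & icacls.exe $path          # show the resulting ACL for review
    } else {
        "icacls `"$path`" /grant `"$spec`""
    }
}
```

Run it without -Apply first to review the commands it would execute. Passing a different -Identity value covers the grants for Active Directory users described in the note above.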