.NET Framework - Problem writing to c:\windows\temp when using an application pool

Asked By cowznofsky on 21-Feb-09 01:43 AM
I have an asp.net web service, and I want to run it using an
application pool with a specific identity.
I followed the instructions here,

http://msdn.microsoft.com/en-us/library/ms998297.aspx

which indicate that write permissions have to be granted for a temp
folder under windows\microsoft.net.

But, when I try to use the service, most methods work (basically just
database calls), but one fails with the error:
file 'C:\\Windows\TEMP\8sbwhwxy.0.cs' could not be found."

So it seems I need write permissions to that folder as well? If I run
the service with the default account, on an account that is more
privileged, then I don't get the error.




Juan T. Llibre replied on 19-Feb-09 07:45 PM
re:
!> So it seems I need write permissions to that folder as well?

Yes, the account ASP.NET runs as needs permissions both to
the Windows temp folder and to the Temporary ASP.NET folder.

Here's the complete list of directories for which the ASP.NET account needs ACL permissions :

http://msdn.microsoft.com/en-us/library/kwzs111e.aspx

If you're running ASP.NET 2.0 or above,
you can assign the required permissions with the command :

aspnet_regiis -GA MachineName\Account





Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
=========================
cowznofsky replied on 21-Feb-09 01:44 AM
On Feb 19, 7:45=A0pm, "Juan T. Llibre" <nomailrepl...@nowhere.com>
ds ACL permissions :
rce

Thanks for that link.

However, that command (also referenced in the link in my post) didn't
do the trick for c:\windows\temp.  I had to add permissions for the
IIS_WPG group to that folder myself.
Juan T. Llibre replied on 20-Feb-09 06:38 PM
re:
!> Thanks for that link.

You're quite welcome.
That page saved my bacon once...and has saved a lot of other people's bacon since.

re:
!> If I run the service with the default account, on an
!> account that is more privileged, then I don't get the error.

Why do you need to run the service on an account other than NT AUTHORITY\NETWORK SERVICE ?

re:
!> I had to add permissions for the IIS_WPG group to that folder myself.

Interesting.
I'm working with the default account (NETWORK SERVICE), so I never noticed that.




Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
=========================
On Feb 19, 7:45 pm, "Juan T. Llibre" <nomailrepl...@nowhere.com>

Thanks for that link.

However, that command (also referenced in the link in my post) didn't
do the trick for c:\windows\temp.  I had to add permissions for the
IIS_WPG group to that folder myself.
cowznofsky replied on 24-Feb-09 11:02 PM
On Feb 20, 6:38=A0pm, "Juan T. Llibre" <nomailrepl...@nowhere.com>
on since.
NETWORK SERVICE ?
d that.
eeds ACL permissions :
.
ce

The reason for using another account is that I'm using Windows
Authentication to connect to SQLServer.  My thought was to create a
domain\user account specifically for this purpose, grant access in
SQLServer, and run the services under this account.

If it's a better practice to grant access specifically to the machine
account, then I would certainly welcome this point of view.