Base solution for your next web application
Open Closed

IIS_IUSRS permission is not enough? #5037


User avatar
0
fguo created

I am using Core+Angular version. While I deploy the Angular part onto IIS server, I find its folder permission must be assigned to the local user (e.g. MyServer\users). Otherwise, it returns 401 unauthorized error. I've tried to add same permissions to group of IIS_IUSRS and IIS APPPOOL group, but no help.

I don't want any local user to access that folder. That is why I need to remove MyServer\users group from the permission list. This way works on my other applications on same IIS.

Do you have any idea why AspNetZero Angular site needs a local users permissions on IIS?

Thanks,


3 Answer(s)
  • User Avatar
    0
    alper created
    Support Team

    Hi,

    <ins><span style="color:#FF0000">AspNet Zero Angular IIS Deploy</span></ins>

    After ng build command, dist folder contains all necessary files to create a web site under IIS. One important thing is that; Angular uses client side routing. If you refresh a page (F5) then IIS will handle the request and naturally can not find the requested path and returns a HTTP 404 error. We should configure IIS to redirect all requests to the index.html page (or, to the root path).

    ASP.NET Zero Angular UI contains a web.config file. You can copy it to the web site's root folder to overcome the problem described above.

    <a class="postlink" href="https://aspnetzero.com/Documents/Development-Guide-Angular#iis-deploy">https://aspnetzero.com/Documents/Develo ... iis-deploy</a>


    <ins><span style="color:#FF0000">Setting IIS Permissions</span></ins>

    ApplicationPoolIdentity is actually the best practice to use in IIS7. It is a dynamically created, unprivileged account. To add file system security for a particular application pool see IIS.net's "Application Pool Identities". The quick version:

    If you application pool is named "DefaultAppPool" (just replace this text below if it is named differently)

    Open Windows Explorer Select a file or directory. Right click the file and select "Properties" Select the "Security" tab Click the "Edit" and then "Add" button Click the "Locations" button and make sure you select the local machine. (Not the Windows domain if the server belongs to one.) Enter "IIS AppPool\DefaultAppPool" in the "Enter the object names to select:" text box. (Don't forget to change "DefaultAppPool" here to whatever you named your application pool.) Click the "Check Names" button and click "OK".

    <a class="postlink" href="https://stackoverflow.com/a/7334485/1767482">https://stackoverflow.com/a/7334485/1767482</a>

  • User Avatar
    0
    fguo created

    I did exactly same on both of your quoted, but no help. There is another answer on your second link about Anonymous Authenticate. It gives me a clue.

    The login page is accessible by anonymous, so the "Anonymous Authenticate" in IIS must be enabled. The default "Anonymous user identity" setting is IUSR on IIS. I have to explicitly add IUSR and assign its permission (“read” is enough).

    Another alternative is simply select “Application pool identity” as Anonymous user identity.

    I tried both. All work.

    Thanks again!

  • User Avatar
    0
    alper created
    Support Team

    good to hear that ;)