"IIS Manager cannot verify whether the built-in account has access"

26
votes

Ok, I'm designing a web app using asp.net and need to use the IIS Application Manager to control it. I have a server and all of that but when I tried to go into it and set everything up I got a warning saying:

The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. Then test these settings again.

When I tried to browse my app using the IIS, it timed out, I don't know anything about IIS really outside from research I've done online. Just looking for some clarification on it. Thanks for any help.

5
asp.netiis
Are you attempting to browse using //localhost/ or your external IP? - Josh
3 years later, and I'm having this same problem too. My app pool ID is Network Service and I've added that to the IIS_IUSRS group and ensure that group has modify rights (Read, Write, Modify). I set up the local hostname in my host file and when I ping the hostname, I get the correct loopback IP. IIS responds to localhost by showing the default web site, but it doesn't appear to work for other sites. All bindings are correct and confirmed. - Carnix

5 Answers

11
votes

The server is configured to use pass-through authentication [you can verify this by selecting the site, choosing basic settings -> Connect as... -> {and you should see Application User (pass-through authentication) is set}]. The built in account is set on the app pool's settings. The error message is telling you that the account on the app pool can't access the folder set on the activated application. The normal group you need to put onto a folder is IIS_USERS with Read, List, Read & Execute. IIS timed out because it couldn't initialize the site to load because the OS won't let it touch the files to see what it should load for the request. You might wonder why you didn't get a 401, but its because IIS can't get far enough to actually start giving you any sort of status on your requests.

4
votes

I've found an microsoft article which says that IUSR needs to have the proper rights for both NTFS side and the network side:

https://docs.microsoft.com/en-us/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis

I was setting up the tomcat mod_jk and got it working with these instructions. enter image description here

enter image description here

2
votes

Hope this helps someone.

In my case, I had to add read access for IIS_IUSRS group.

Credits

2
votes

Got stuck on this for a day... My solution, after trying to go the accounts route with no luck, was to open 'Turn Windows Features On' > then Find IIS and add all the development features. This did the trick for me. enter image description here

0
votes

I got the same error and this was the fix for me,

enter image description here