How to specify AppPool ID in WiX permission element?

I am updating one of our installers for .NET 4.0 and IIS 7.5, and one of the tasks is to switch the AppPool to use its own authentication. I found this pretty trivial in WiX using the IIS extension, but I'm struggling with two additional permission sets that we define, in particular, to provide write permissions for the AppPool identity:

    <Directory Id="LOGS_LOCATION" Name="logs">
      <!-- SourceDir\logs -->
      <Component Id="LogsFolder" Guid="{3A7C38C7-6604-4063-A425-D62427B21AEE}" KeyPath="yes" DiskId="1">
        <CreateFolder>
          <!-- SYSTEM account is automatically given access, but set other ACEs here to avoid Users having access -->
          <Permission User="Administrators" GenericAll="yes"/>
          <Permission User="[ASPNET_USER]" Domain="[ASPNET_DOMAIN]" GenericRead="yes" GenericWrite="yes" Read="yes" Delete="yes" DeleteChild="yes" Traverse="yes"/>
          <!-- IIS5: ASPNET, IIS6: NetworkService, IIS7: AppPool identity -->
        </CreateFolder>
      </Component>
    </Directory>

ASPNET_USER and ASPNET_DOMAIN are defined as AppPoolName and IIS APPPOOL respectively (where AppPoolName exactly matches the name of the application pool).

When I run the installer, I get an error 1609, which indicates that IIS APPPOOL\AppPoolName is not a valid identifier, and the installation fails. How do I specify the application pool identifier in the Permission element so that the web application can write to the log directory? Do I need to use a different personality?

+3
1 answer

This is an interesting question.

When you create a Permission element, this results in the MSP table LockPermissions table entry(s). According to MSDN, the entries in this table are served by InstallFiles, CreateFolders, and WriteRegistryValues. When the CreateFolder element is the parent, this is explicitly the CreateFolders action.

A security account corresponding to ApplicationPoolIdentity is created when the corresponding AppPool is created. Now the ConfigureIIs action is scheduled later in the sequence than CreateFolders. Obviously, it makes no sense to move ConfigureIIs before CreateFolders.

I'm not sure if this will work, but I would try the following:

  • Replace the Permission element with the PermissionEx element (that of WiXUtilExtension). It covers the functionality of Permission, plus it adds more flexibility (for example, not rewriting ACLs but adding to them).

  • Move the SchedSecureObjects action (the one responsible for handling PermissionEx materials) after the ConfigureIIs action (the one responsible for IIS material) if it does not already exist.

Now that access permissions must be set, an appropriate security account must exist. You can also play with the way you refer to it, for example, with or without a part of a domain.

+7