I have a web site (used to manage various parts of our software) that needs the permissions required to start/stop other application pools.
I've created a user and set the app pool identity to custom, however the web app still can't start/stop the app pools. I get the following Error:
System.UnauthorizedAccessException: Filename: redirection.config
Error: Cannot read configuration file due to insufficient permissions
at Microsoft.Web.Administration.Interop.AppHostWritableAdminManager.GetAdminSection(String bstrSectionName, String bstrSectionPath)
at Microsoft.Web.Administration.Configuration.GetSectionInternal(ConfigurationSection section, String sectionPath, String locationPath)
at Microsoft.Web.Administration.ServerManager.get_ApplicationPoolsSection()
at Microsoft.Web.Administration.ServerManager.get_ApplicationPools()
Discussion here suggests setting the application pool to local system or administrator, this does work, but I don't want to do this for security reasons (external support will need access this site).
I did give the user higher permissions (as suggested here), starting by making it part of the local administrators group, but initially this didn't work, and giving the user read/write/mod permission on C:\Windows\System32\inetsrv\config also didn't work. I must have done something wrong as local administrator now works, however this still isn't what I want.
So can anyone suggest the permissions I need to add to this user, and how can I apply them?
An answer my problem (but different question) is here, but to clarify, I think I need to give an individual user "IIS Runtime Operation Permissions", does anyone know how to do this, if indeed this is the permissions I require?
If what you are trying is to allow them to be able to say Recycle an Application Pool or perform any runtime operation (Start, Stop, query status, etc) then you need to be part of Administrators group. This is because the RSCA API is protected to only be allowed to members of Administrators group.
As suggested in the linked question you can ACL config files (and directory, and even encryption keys) to be able to read/write configuration, but to allow runtime access you would need to modify DCOM permissions for our RSCA api.
I would probably instead suggest maybe that you protect the actions in your web site that need this by only impersonating an Administrator account right before running the code you need. You also could consider implementing the Gatekeeper pattern where the highly privileged actions are only exposed in one application running as Administrator and that one is protected to only be accessible from known and limited IP Address and require strong authentication, and you call those from the other management site.