Not enough to set permissions on web.config - must set permissions on entire site folder
Hi!
I recently installed a fresh copy of Umbraco 4.0.3 on a Windows 2008 server (IIS7). When I got to the step where Umbraco wants to alter web.config with the correct database settings, I get an error saying Umbraco can't write to the web.config file; something along these lines:
Could not save the web.config file. Please modify the connection string
manually. An error occurred loading a configuration file: Access to the
path 'C:\Inetpub\mysite\qgc94uzq.tmp' is
denied. (C:\Inetpub\mysite\web.config)
I double checked the permissions on the web.config file and the user that my application pool is using (NETWORK SERVICE) had full permissions on the web.config file as well as on all the Umbraco folders it should have access to. Editing the web.config file manually didn't solve the problem since I still can't move on to the steps where the Umbraco database is installed, password is set and modules are installed.
Then I set full control for NETWORK SERVICE on the entire containing folder(mysite) and then Umbraco had no problems writing to the web.config file. I'm not sure why this is happening, but if you look at the error message it seems like it wants to start writing to some sort of temp-file which is created in the site root folder and I'm guessing that if NETWORK SERVICE doesn't have access to the root folder, it can't create this temp-file and thus not edit web.config.
I have not experienced this problem in the past, when I was developing on a Windows 2003 Server. Perhaps this is something new that has to do with how Windows 2008 Server works?
Can anyone verify my observation? I wouldn't say it's an Umbraco bug, but if other users are experiencing the same error while installing Umbraco it will be percieved as an Umbraco error and should be addressed in documentation or help texts.
I hope Torben gets to read this as well. Server 2008 is a strange beast, I have it installed on my home-office server.
Server 2008 runs IIS7.5, not IIS7. Because of this, application pool identity is not the NETWORK SERVICE user by default, as we are used to having it. Application pool identity is, by default, set to a value of "ApplicationPoolIdentity". I have no idea what this refers to, but I do know that it can be changed to behave like Server 2003 and IIS6/7!
To switch it, in IIS7.5, go to the Application Pools section, then click "Set Application Pool Defaults..." in the Actions pane. Under "Process Model", find "Identity", and change it to "NetworkService". This ensures new application pools are set up with the correct credentials. To change it for specific app pools, click the relevant app pool, then click "Advanced Settings" in the Actions pane.
I noticed this when I was installing my Windows 2008 Server and changed the default application pool user to NETWORK SERVICE during setup, long before I started adding sites to IIS. So this is not what is causing my problems.
Looking at my current installation (Windows WebServer 2008, SP2, only a couple of months old) it says I'm running IIS 7.0. I think there might be a difference depending on which "flavour" of Win 2008 you are running?
So the problem with permissions on web.config remains as far as I can see.
Ah, I see - I'm running x64 R2 so that could be an explanation of how I have IIS7.5.
I find it odd that Umbraco needs to write a temp file to the directory. However, have you set Network Service to modify permissions on the whole directory, not just the web.config?
Sorry, just read above posts. I must say that I can't replicate this, but then I set NETWORK SERVICE to have write access to my whole root, as I'm running on shared hosting in Medium Trust so any Full Trust code won't run.
Out of curiosity, what mode is your application pool running in - Classic or Integrated?
I can confirm that other developers have run into this problem as well. It occurs when you try to change web.config programmatically, so it's not a specific Umbraco error.
I keep looking for a solution (other than giving your application pool user write permissions in the root folder) but that seems to be what everyone recommends. To me this solution seems like a kludge. I'm thinking there might be security issues in giving you app pool user full rights inside the root folder(?)
There are issues with using the in-built .NET Configuration classes as they do require Full Trust, which I have successfully rewritten to use an XmlDocument helper to work around this. However, I was unaware that these methods need to make use of a temporary file in the site root to be able to write modifications.
I am currently in discussions with Neils to get the core updated to reflect my recent changes - this may well solve your problem, but until then, the fix (kludge or otherwise) would be to set write permissions for Network Service on the whole folder.
Not enough to set permissions on web.config - must set permissions on entire site folder
Hi!
I recently installed a fresh copy of Umbraco 4.0.3 on a Windows 2008 server (IIS7). When I got to the step where Umbraco wants to alter web.config with the correct database settings, I get an error saying Umbraco can't write to the web.config file; something along these lines:
Could not save the web.config file. Please modify the connection string manually. An error occurred loading a configuration file: Access to the path 'C:\Inetpub\mysite\qgc94uzq.tmp' is denied. (C:\Inetpub\mysite\web.config)
I double checked the permissions on the web.config file and the user that my application pool is using (NETWORK SERVICE) had full permissions on the web.config file as well as on all the Umbraco folders it should have access to. Editing the web.config file manually didn't solve the problem since I still can't move on to the steps where the Umbraco database is installed, password is set and modules are installed.
Then I set full control for NETWORK SERVICE on the entire containing folder (mysite) and then Umbraco had no problems writing to the web.config file. I'm not sure why this is happening, but if you look at the error message it seems like it wants to start writing to some sort of temp-file which is created in the site root folder and I'm guessing that if NETWORK SERVICE doesn't have access to the root folder, it can't create this temp-file and thus not edit web.config.
I have not experienced this problem in the past, when I was developing on a Windows 2003 Server. Perhaps this is something new that has to do with how Windows 2008 Server works?
Can anyone verify my observation? I wouldn't say it's an Umbraco bug, but if other users are experiencing the same error while installing Umbraco it will be percieved as an Umbraco error and should be addressed in documentation or help texts.
Here's a link to a similar post.
Regards,
Thomas Kahn
Hi Thomas,
I hope Torben gets to read this as well. Server 2008 is a strange beast, I have it installed on my home-office server.
Server 2008 runs IIS7.5, not IIS7. Because of this, application pool identity is not the NETWORK SERVICE user by default, as we are used to having it.
Application pool identity is, by default, set to a value of "ApplicationPoolIdentity". I have no idea what this refers to, but I do know that it can be changed to behave like Server 2003 and IIS6/7!
To switch it, in IIS7.5, go to the Application Pools section, then click "Set Application Pool Defaults..." in the Actions pane.
Under "Process Model", find "Identity", and change it to "NetworkService". This ensures new application pools are set up with the correct credentials.
To change it for specific app pools, click the relevant app pool, then click "Advanced Settings" in the Actions pane.
Hope this helps.
Benjamin
Hi Benjamin!
Thanks for replying!
I noticed this when I was installing my Windows 2008 Server and changed the default application pool user to NETWORK SERVICE during setup, long before I started adding sites to IIS. So this is not what is causing my problems.
Looking at my current installation (Windows WebServer 2008, SP2, only a couple of months old) it says I'm running IIS 7.0. I think there might be a difference depending on which "flavour" of Win 2008 you are running?
So the problem with permissions on web.config remains as far as I can see.
Regards,
Thomas Kahn
Ah, I see - I'm running x64 R2 so that could be an explanation of how I have IIS7.5.
I find it odd that Umbraco needs to write a temp file to the directory. However, have you set Network Service to modify permissions on the whole directory, not just the web.config?
Cheers,
Benjamin
Sorry, just read above posts. I must say that I can't replicate this, but then I set NETWORK SERVICE to have write access to my whole root, as I'm running on shared hosting in Medium Trust so any Full Trust code won't run.
Out of curiosity, what mode is your application pool running in - Classic or Integrated?
I can confirm that other developers have run into this problem as well. It occurs when you try to change web.config programmatically, so it's not a specific Umbraco error.
I keep looking for a solution (other than giving your application pool user write permissions in the root folder) but that seems to be what everyone recommends. To me this solution seems like a kludge. I'm thinking there might be security issues in giving you app pool user full rights inside the root folder(?)
/Thomas Kahn
Benjamin Howarth asked: Out of curiosity, what mode is your application pool running in - Classic or Integrated?
I have my application pool configured for integrated pipes for all Umbraco 4 sites.
/Thomas
Hi Thomas,
There are issues with using the in-built .NET Configuration classes as they do require Full Trust, which I have successfully rewritten to use an XmlDocument helper to work around this. However, I was unaware that these methods need to make use of a temporary file in the site root to be able to write modifications.
I am currently in discussions with Neils to get the core updated to reflect my recent changes - this may well solve your problem, but until then, the fix (kludge or otherwise) would be to set write permissions for Network Service on the whole folder.
Benjamin
Hi ben. Was just having the same problem and fixed it by setting App Pool to "Enable 32 bit applications". Just thought you might want to check this.
Jeff
Jeff: Is this only an option if you are running the 64-bit version of Windows 2008 Server?
/Thomas
I'm not sure if I had quite the same problem, but I was able to resolve a similar permission problem by changing
to false in web.config.
Had the same issue. Benjamins suggestion to change app pool owner to Network Service worked for here. Thanks! Thumb up!
We just had the same issue on a clean install on a new Windows 7 Ultimate 64-bit installation.
Cheers for the post Ben :)
Chris
Big thumbs up Ben! :) Lx
Doug Roubar posted this excellant link earlier today;
Basically solves this issue.
http://stevesmithblog.com/blog/working-with-application-pool-identities/
Thanks Ben :)
is working on a reply...