iis - How to specify the AppPool Identity in a WiX Permission Element?

Question

I'm updating one of our installers for .NET 4.0 and IIS 7.5, and one of the tasks is to switch the AppPool over to use its own identity. I have found this fairly trivial in WiX using the IIS Extension, but I'm struggling with two extra sets of permissions that we define, specifically to grant write permissions to the AppPool Identity:

<Directory Id="LOGS_LOCATION" Name="logs">
    <!-- SourceDirlogs -->
    <Component Id="LogsFolder" Guid="{3A7C38C7-6604-4063-A425-D62427B21AEE}" KeyPath="yes" DiskId="1">
        <CreateFolder>
            <!-- SYSTEM account is automatically given access, but set other ACEs here to avoid Users having access -->
            <Permission User="Administrators" GenericAll="yes"/>
            <Permission User="[ASPNET_USER]" Domain="[ASPNET_DOMAIN]" GenericRead="yes" GenericWrite="yes" Read="yes" Delete="yes" DeleteChild="yes" Traverse="yes"/>
            <!-- IIS5: ASPNET, IIS6: NetworkService, IIS7: AppPool identity -->
        </CreateFolder>
    </Component>
</Directory>

ASPNET_USER and ASPNET_DOMAIN are defined to be AppPoolName and IIS APPPOOL respectively (where AppPoolName exactly matches the name of the App Pool).

When I run the installer, I get a 1609 error stating that IIS APPOOLAppPoolName is not a valid identity and the installation fails. How can I specify the App Pool Identity to the Permission element so that the web app can write to the logs directory? Do I need to use a different identity?

Answer 1

That's an interesting question.

When you author a Permission element, it results in the record(s) of the LockPermissions MSI table. According to the MSDN, the records in this table are served by the InstallFiles, CreateFolders and WriteRegistryValues actions. When CreateFolder element is a parent, it's obviously CreateFolders action.

The security account corresponding to the ApplicationPoolIdentity is created when the appropriate AppPool is created. Now, ConfigureIIs action is scheduled later in the sequence than CreateFolders. It obviously doesn't make any sense to move ConfigureIIs before CreateFolders.

I'm not sure this will work, but I would try the following:

• Replace Permission element with PermissionEx element (the one from WiXUtilExtension). It covers the functionality of Permission, plus adds more flexibility (for instance, not overwriting the ACLs, but appending).

• Move the SchedSecureObjects action (the one responsible for handling PermissionEx stuff) after ConfigureIIs action (the one responsible for IIS stuff) if it's not there already.

Now by the time permissions are to be set, the appropriate security account should exist. You might also want to play with the way you reference it, for instance, with or without the domain part.