I am running IIS 7 on Windows Server 2008 R2 with PHP 5.4. One of my PHP scripts is trying to access a file on a protected network share using a UNC path. How can I change
For IIS 7 running on Windows Server 2008 R2 ... In the IIS Manager
, select the Application Pool
under which your Web Site is running.
Click "Advanced Settings". There will be an entry for Identity
(it is under the Process Model
section). Click it, provide credentials for your account that has permission to access the share.
UPDATE
You should make sure that if you are using an Active Directory Domain Account, you provided that correctly under Identity
for the running App Pool. For example, MYDOMAIN\myAccount
.
After making this change, you will need to do the following:
UPDATE II
From the comment discussion on this answer, @HydroPowerDeveloper was able to get the PHP script to be able to access the network share via UNC path using WebSite -> Basic Settings -> "Connect As" and setting the credentials there.
In the past, I have always used the approach of setting Identity
via Application Pool
and that has allowed my code to access Network shares via UNC path.
However, all of the sites/applications I have deployed on IIS
are .NET based WCF or ASPX sites.
I would speculate (but am not 100% certain on this, would need research/testing to confirm) that the Identity
specified in the Application Pool
is used by executing .NET code, whereas the "Connect As" is used by the PHP script.
To resurrect an old question...
I've just been setting up a Win 2016 server that uses some Perl to access a UNC share. I set the Application Pool to an account that I verified had the correct permissions on that share. I then set up my site to 'Connect as...' (under 'Basic Settings') the same user. I still couldn't get access working.
Much head scratching later, I realised that my 'Virtual Directory', cgi-bin, was running under the original 'pass through' account. I then set up the virtual directory to 'Connect as...' the same account as the site and the application pool and, bingo, it all works fine.
So, remember to update any Virtual Directories as well as the site and App Pool...
Generally the Application Pool is set using the least amount of privileges as possible.
http://msdn.microsoft.com/en-us/library/ff647402.aspx
The easiest route is to allow access to the current IIS account.
In Explorer, navigate to the shared directory.
Right Click -> Properties -> Security
If you don't see the expected IIS user in the list (Group or user names), edit and add the user as required.
I used "NETWORK SERVICE" -> Check names.
The detailed instructions are on that site.
In this way, the system is still restricted, we're ONLY allowing access to specific directories, we don't need to create any new users, we don't need to recycle the application pool and we don't need to perform any nifty impersonation code.