
How to set permission for IIS AppPool identity when creating website in Wix Toolset?


I'm writing a Wix Toolset installer to install an Angular + asp.net core application in IIS on Windows Server 2016. I create a new Website and a new Application Pool. I want to grant full permission to the Application Pool identity on the newly created website folder path. I followed the steps given here: https://www.codeproject.com/Articles/115036/Creating-WIX-Installer-for-ASP-NET-Web-Application? so I have 3 files:

  • Setup.wxs
  • IISConfiguration.wxs
  • WebSiteContent.wxs

I set up the website and permissions in IISConfiguration.wxs.

<DirectoryRef Id="WEBSITE">
    <Component Id="WebSiteSiteNameCmp" Guid="{ED376FD7-D4DB-4675-8BF4-1DCC1AF1C66B}" KeyPath="yes" >
        <iis:WebSite Id="WebSiteName"
              Description='WebSiteName'
              Directory="WEBSITE"
              AutoStart="no"
              ConfigureIfExists="yes"
              StartOnInstall="no" >
            <iis:WebAddress Id="WebSiteAdressHttps" Port="443" IP="*" Secure="yes"/>
            <iis:WebAddress Id="WebSiteAdressHttp" Port="80" IP="*" Secure="no"/>
            <iis:WebDirProperties Id="WebSiteProperties" AnonymousAccess="yes"
                BasicAuthentication="no" WindowsAuthentication="no" />
            <iis:WebApplication Id="WebSiteNameSite" Name="WebSite" WebAppPool="WebSiteAppPool" />
        </iis:WebSite>
    </Component>

    <!-- Configuring app pool -->
    <Component Id="WebSiteAppPoolCmp" Guid="{009052A8-19AE-452e-AE34-6DC8E929DA08}"
        KeyPath="yes" Permanent="yes"  Win64="yes">
        <iis:WebAppPool Id="WebSiteAppPool" Name="WebSiteAppPoolName" ManagedPipelineMode="integrated" />
    </Component>
    <Component Id="WebSitePermissionCmp" Guid="{4425EFB0-A580-44B7-9C04-54EBD2E4ECB1}">
        <CreateFolder>
            <util:PermissionEx User="IIS AppPool\WebSiteAppPoolName" GenericAll="yes"/>
        </CreateFolder>
    </Component>
</DirectoryRef>

But then the installer rolls back because the AppPool isn't created yet when trying to set permissions on the folder. I have the following error in my logs:

 ExecSecureObjects: Error 0x80070534: failed to get sid for account: IIS AppPool\WebSiteAppPoolName.

What should I do to set the permissions at the "good" time?


Solution

  • I finally used the custom action solution with icacls to manage the permissions on the newly created application pool. This is what I added in my Setup.wxs:

    <CustomAction Id='AppPoolPermission' Directory='WEBSITE'
    ExeCommand='"[SystemFolder]icacls.exe" "[INSTALLDIR]." /grant "IIS AppPool\WebSiteAppPoolName:(OI)(CI)F" /T' Return='check'/>

    <InstallExecuteSequence>
      <Custom Action='AppPoolPermission' After='InstallFinalize' />
    </InstallExecuteSequence>

    I also removed the WebSitePermissionCmp from IISConfiguration.wxs. It's not the ideal solution but for me it works. I don't know if this can be achieved only with WIX without custom action.

    Another post concerning this issue: How to specify the AppPool Identity in a WiX Permission Element? I don't fully understand the answer but it also seems to be using custom actions.
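
A post-install check for what the custom action above is meant to achieve, as an added example that is not part of the original post: it confirms that the app pool identity resolves to a SID (the lookup that failed with 0x80070534) and lists the ACEs that identity holds on the site folder. The pool name is the one from the question; the default path and the function names are assumptions for illustration.

```powershell
# Added example, not from the original post.
param(
    [string]$AppPoolName = 'WebSiteAppPoolName',   # pool name used in the question
    [string]$SitePath    = 'C:\inetpub\WebSite'    # hypothetical: use your WEBSITE directory
)

function Resolve-AppPoolSid {
    param([Parameter(Mandatory)][string]$Name)
    $account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$Name")
    try {
        $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # Name-to-SID lookup failed: the condition reported as 0x80070534
        # (Win32 error 1332, ERROR_NONE_MAPPED) in the installer log.
        $null
    }
}

function Get-AppPoolFolderRights {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    # Explicit and inherited ACEs, with identities returned as SIDs so the
    # comparison does not depend on how the account name is displayed.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $Sid.Value } |
        Select-Object AccessControlType, FileSystemRights, InheritanceFlags, IsInherited
}

$sid = Resolve-AppPoolSid -Name $AppPoolName
if ($null -eq $sid) {
    Write-Error "IIS AppPool\$AppPoolName does not resolve to a SID; the pool may not exist yet."
    exit 1
}

$rights = @(Get-AppPoolFolderRights -Path $SitePath -Sid $sid)
if ($rights.Count -eq 0) {
    Write-Error "No ACE found for IIS AppPool\$AppPoolName ($sid) on $SitePath"
    exit 2
}

# With the answer's icacls grant, expect an Allow entry with FullControl
# and ContainerInherit, ObjectInherit flags.
$rights | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the target server after the installer finishes; a non-zero exit code means the grant did not take effect.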