Whenever a new application pool is created, IIS creates a security identifier (SID) that represents the name of the application pool itself. For example, if you create an application pool with the name "PK Protect," a security identifier with the name "PK Protect" is created in Windows. Resources can be secured by using this identity. However, the identity is not a real user account and will not show up as a user in the Windows User Management Console.
This can be configured by selecting a folder in Windows Explorer and adding the "PK Protect" identity to the folder's Access Control List (ACL).
- Open Windows Explorer
- Select the directory the PEM Administrator is installed under (eg: c:\web\mds)
- Right click the directory and select Properties
- Select the Security tab
- Click the Edit button and then Add button
- Click the Locations button and make sure that you select your computer.
- Enter IIS AppPool\<myappoolname> (eg: IIS AppPool\PK Protect) in the Enter the object names to select: text box.
- Click the Check Names button and click OK.
- Check Modify under the Allow column, and click OK, and OK.
By doing this, the file or directory you selected will now also allow the PK Protect identity access.
You can do this via the command-line by using the ICACLS tool. The following example gives modify access to the Smartcrypt identity to the folder C:\web\mds and all contents.
ICACLS "C:\web\mds" /grant "IIS AppPool\Smartcrypt":M /t