IIS Permissions for App Pool Accounts

The following section describes how to configure IIS permissions for Application Pool Accounts.

The Application Pool Accounts used in a K2 installation are:

Setting Application Pool Rights

The K2 Application Pool Identity accounts require elevated permissions to run the application pool. Use the aspnet_regiis command to configure this. The tool ships with the .NET Framework and sets all the necessary NTFS permissions, IIS_WPG group membership, security policy user rights assignments, and IIS metabase access rights that allow an ASP.NET Application Pool Identity to work. For more information, see the MSDN article on setting security rights for .NET applications at http://msdn2.microsoft.com/en-us/library/ms998297.aspx.

To use the aspnet_regiis command, perform the following steps:

  1. Open a command prompt (Start > Run > cmd).
  2. Change directories to the .NET Framework folder (C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319).
  3. Type aspnet_regiis -ga domain\K2 Designer Site Application Pool account (for the Design Time site) and hit Enter.
  4. After the command completes, type iisreset and hit Enter.

SmartForms Permissions

SmartForms requires the Impersonate a client after authentication right in the Local Security Policy.

To add the right, perform the following steps:

  1. Open the Local Security Settings (Start > Administrative Tools > Local Security Policy).
  2. Click Local Policies in the Local Security window.
  3. Click User Rights Assignment.
  4. Double-click the Impersonate a client after authentication policy.
  5. Click Add User or Group.
  6. Add "IIS_IUSRS" and "Administrators" and then click OK each time.
  7. Click OK at the bottom of the Impersonate a client after authentication window.

IIS Group Membership

The K2 Web Service Account must be added to the IIS_IUSRS group. To achieve this, follow the steps below:

  1. Go to Active Directory Users and Computers.
  2. Click the domain in question. For the purposes of this example, the domain is denallix.com.
  3. Click on the Builtin folder and the IIS_IUSRS group will be visible.
  4. Right click on the IIS_IUSRS group, select Properties.
  5. Next click on the Members tab, then the Add button.
  6. Enter the name of the User account in part or whole into the Add User field.
  7. Click Check Names to confirm the name, or make a selection if there is more than one account with a similar name.
  8. Click OK.
  9. Click OK when complete.

Considerations

The Application Pool user cannot be a Protected user. It should not be in the Protected Users group in Active Directory.

To remove the user from the Protected Users group, follow the steps below:

  1. Open Active Directory Users and Computers.
  2. Go to the Users container.
  3. On the right panel, find the Protected Users group.
  4. Remove the Application Pool user account from the group.
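
The following read-only check covers the SmartForms Permissions, IIS Group Membership and Considerations sections in one pass. It is an added example, not part of the K2 documentation. It assumes an elevated PowerShell prompt, the RSAT ActiveDirectory module, and that IIS_IUSRS is looked up in Active Directory as in the steps above; the account name `svc-k2-apppool` is a hypothetical placeholder.

```powershell
# Added example: verifies the settings described on this page without changing them.
param(
    [string]$Account = 'svc-k2-apppool'   # hypothetical placeholder sAMAccountName
)

Import-Module ActiveDirectory

function Test-GroupMember {
    param([string]$Group, [string]$SamAccountName)
    # -Recursive also catches membership that arrives through nested groups
    $members = Get-ADGroupMember -Identity $Group -Recursive
    return [bool]($members | Where-Object { $_.SamAccountName -eq $SamAccountName })
}

function Get-ImpersonateRightHolders {
    # Export only the user rights area of the local security policy to a temp file
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
        if (-not $line) { return @() }
        # Entries are comma-separated; SIDs carry a leading '*'.
        # Principals that secedit writes by name instead of SID are returned as names.
        return ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$holders = Get-ImpersonateRightHolders

[pscustomobject]@{
    Account                = $Account
    InIisIusrs             = Test-GroupMember 'IIS_IUSRS' $Account          # expected: True
    InProtectedUsers       = Test-GroupMember 'Protected Users' $Account    # expected: False
    ImpersonateHasIisIusrs = $holders -contains 'S-1-5-32-568'              # BUILTIN\IIS_IUSRS
    ImpersonateHasAdmins   = $holders -contains 'S-1-5-32-544'              # BUILTIN\Administrators
}
```

Run it on the IIS server after the iisreset step; any value that differs from the expected result points at the section whose steps need to be repeated.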