I have installed an ASP.NET application on IIS 7 that is storing information on a Windows network share. It has installed successfully and created all the necessary folders on the share. The application runs under the Network Service account. Usually the permissions are set on these folders but they weren't this time, so I have assigned the permission to them.

The problem is that I am getting an access denied error when trying to navigate to the page as the application cannot access one of the folders. I have assigned the everyone permission to the share, and this has now fixed the problem, but remove it and then problem returns. I obviously don't want to just leave the everyone permission on this folder.

Does anyone know what the problem might be, or what can be used instead of the everyone account?

I'm not an IIS expert so apologies if this is vague or ambiguous in places!


I'm assuming that you are assigning Everyone Full Control to the whole network share, and not just a particular folder inside the share.

You probably already know this, but Windows manages two permissions for sharing - file security and sharing settings. Both will have to be setup in order to access a network share. If you right-click a shared folder, you'll need to set up permission in both the Sharing and Security tabs.

I suspect the problem is actually related to using the NETWORK SERVICE account and not your sharing permissions. The service level accounts (SYSTEM and NETWORK SERVICE) are local to the machine you're on, which has some consequences. For instance, consider how your permissions are setup using fully-qualified names:

On your application server, the account running your ASP.NET application is "5lovak's Server\NETWORK SERVICE". On the network share, which is on another machine, the local account is actually "5lovak's Network Share Server\NETWORK SERVICE".

Despite having the same account name, they are different accounts, so you won't be able to access the share that way.

I think the appropriate way to set this up is to create a new Windows user account and use it exclusively for this purpose. Windows has traditionally had a "cheap" way of faking a domain-like user: just create a local user on both machines and ensure they both have the same password. I'm not sure why this doesn't apply for NETWORK SERVICE and SYSTEM, but I suspect there are good reasons.

So, try this:

  1. On your IIS machine, create a user called IUSR_SHARE (or whatever). Set a password!
  2. On your network share machine, create a user called IUSR_SHARE and set the same password.
  3. In IIS Manager, select the application pool that your web app is using (create a new one if you are using the default ones). Click on Advanced Settings in the right Actions bar. Under Process Model, change the user to IUSR_SHARE.

I don't have a setup here where I can easily test this, but I suspect it'll work.

  • Thanks for this. I created the new account as you said and this got it working! – 5lovak Sep 28 '11 at 13:57

Your Answer

By clicking "Post Your Answer", you agree to our terms of service, privacy policy and cookie policy

Not the answer you're looking for? Browse other questions tagged or ask your own question.