Access right troubleshooting in EPiServer and IIS
A troubleshooting checklist related to access rights in EPiServer and IIS.
In a recent project, the EPiServer site was set up on a new server configured by a third party, and I came across a few access rights problems due to faulty IIS configuration.
In this blog post I'll share those scenarios, and list some other very common scenarios that can cause access rights problems. In some cases, the site does not display at all, and in other cases you get an EPiServer login dialog when you should not.
This was experienced in an IIS7.5 environment. I have not yet had time to check if the same applies to IIS5/6 environments. I'll update the blog post with more info. Comments and corrections are welcome!
Application pool identity/user must have read access to physical files
When a site is created, the corresponding app pool has its identity set to ApplicationPoolIdentity by default. In IIS 7.5 this means the worker process runs as a virtual account named IIS AppPool\<pool name>, which is a member of the built-in IIS_IUSRS group. The default NTFS permissions under inetpub\wwwroot grant IIS_IUSRS read access, so this usually works out of the box.
The server guys had created a separate application pool user account for each site on the server instead of using the built-in ApplicationPoolIdentity. The new app pool user accounts had not been granted read access to the physical file path, resulting in an error message when loading the start page.
Setting the app pool identity in IIS7:
Application pools > (right-click your app pool) > Advanced settings > Identity > Select Built-in or Custom account.
Grant read access to the physical file path for the selected application pool user (the whole site folder tree, not just the root folder, since EPiServer reads views, configuration and the file archive from subfolders).
In Windows Explorer, right-click the website folder > Properties > Security tab > add Read permissions for your custom app pool user account. If you keep the built-in identity, the account to add is IIS AppPool\<pool name>.
Anonymous user identity must be same as app pool identity
When Anonymous Authentication is enabled in IIS, the built-in IUSR account is used by default. Since the server guys had configured the application pool to use a custom user account, anonymous authentication no longer worked. This led to an EPiServer login dialog when browsing the start page of the site (i.e. as an anonymous user).
Set the anonymous user identity to the same user account your application pool uses.
Setting the anonymous authentication user identity in IIS7:
Sites > (click your site) > (double click the Authentication menu icon) > (right click Anonymous Authentication) > Edit > Specific user > set it to your custom app pool user account. The Application pool identity option in the same dialog has the same effect without storing the account's password a second time, and it keeps following the app pool if the account is changed later.
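The two checks described above (the app pool identity having read access to the physical path, and the anonymous user matching the app pool identity) can be scripted instead of clicked through. The following is an added example written for this page, not a script from the original post. It uses the WebAdministration PowerShell module that ships with IIS 7.5 and must run in an elevated prompt; the site name EPiServerSite and the $applyFixes switch are assumptions to adapt to your server.

```powershell
# Added example, not code from the original post: report the app pool identity,
# the anonymous-authentication user and their NTFS read rights for one IIS 7.5
# site, and optionally apply the two fixes the post describes. Run as administrator.
Import-Module WebAdministration

$siteName   = 'EPiServerSite'   # assumption: the site name as shown in IIS Manager
$applyFixes = $false            # set to $true to grant read access and align the anonymous user

$site         = Get-Item "IIS:\Sites\$siteName"
$poolName     = $site.applicationPool
$pool         = Get-Item "IIS:\AppPools\$poolName"
$physicalPath = [Environment]::ExpandEnvironmentVariables($site.physicalPath)

# Account names in ACLs are always DOMAIN\user; normalise what IIS stores so the comparison works.
function ConvertTo-AclName([string] $Name) {
    if ($Name -match '^\.\\') { return $Name -replace '^\.\\', "$env:COMPUTERNAME\" }
    if ($Name -notmatch '\\')  { return "$env:COMPUTERNAME\$Name" }
    return $Name
}

# 1. Work out which Windows account the worker process actually runs as.
$poolAccount = switch ($pool.processModel.identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }                       # IIS 7.5 virtual account
    'SpecificUser'            { ConvertTo-AclName $pool.processModel.userName } # custom account, as in the post
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
}

# 2. Read the site's anonymous authentication settings. An empty userName means
#    "use the application pool identity"; the IIS default is the built-in IUSR account.
$anon = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication'
$anonAccount = if ([string]::IsNullOrEmpty($anon.userName)) { $poolAccount } else { ConvertTo-AclName $anon.userName }

# 3. Look for an explicit Allow ACE granting at least Read on the site folder.
#    Only direct ACEs are inspected, so rights that arrive through group membership
#    (for example IIS_IUSRS on inetpub\wwwroot) are reported as "no direct ACE".
function Test-DirectReadAce([string] $Path, [string] $Account) {
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Account -and
            (($ace.FileSystemRights -band $read) -eq $read)) {
            return $true
        }
    }
    return $false
}

"Site:               $siteName ($physicalPath)"
"App pool identity:  $poolAccount (type: $($pool.processModel.identityType))"
"Anonymous auth:     enabled=$($anon.enabled), runs as $anonAccount"
"Direct read ACE for app pool account: $(Test-DirectReadAce $physicalPath $poolAccount)"
"Direct read ACE for anonymous user:   $(Test-DirectReadAce $physicalPath $anonAccount)"

if ($anonAccount -ne $poolAccount) {
    'WARNING: anonymous user differs from the app pool identity (the second scenario in this post).'
}

if ($applyFixes) {
    # Fix 1: grant the app pool account Read & Execute on the whole tree ((OI)(CI) = inherit to files and subfolders).
    & icacls.exe $physicalPath /grant "${poolAccount}:(OI)(CI)RX"

    # Fix 2: make anonymous requests run as the application pool identity by clearing userName.
    # anonymousAuthentication is locked at server level by default, so the setting is written
    # to the site's <location> in applicationHost.config rather than to the site's web.config.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name userName -Value ''
}
```

Run it once with $applyFixes left at $false to see the report; a "False" for the app pool account on a folder outside inetpub\wwwroot is exactly the first scenario in this post, and the WARNING line is the second. Recycle the application pool after applying the fixes so the worker process picks up the new token.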
Thanks to Daniel Berg (@bergdaniel) for help.
Other common EPiServer access rights problems
If you are experiencing access rights problems (site won't load, shows the EPiServer login dialog, or login fails), it is most likely a trivial issue. Try the following checklist:
Getting a login dialog:
- You forgot to give the group "Everyone" read access to the web page.
- The web page has expired (Stop Publish date has passed).
- The web page has been deleted to the Recycle Bin (where Everyone/anonymous users don't have read access).
- The web page contains a link to (or is configured as a shortcut to) a page that has been deleted.
- The web page contains an image or document from the file archive where the anonymous user doesn't have read access.
- The user you are trying to log in with is not a member of a privileged group, i.e. one of the groups listed in web.config under <location path="episerver"> and <location path="episerver/admin"> (your UI path may differ from this example).
- If your user account is a domain user account and you are not connected to the domain, you might need to create a local Windows user account and login with that.
- User is locked out from too many failed login attempts.
- User account is not active.
For more tips on access rights and security, read Fredrik Haglund's excellent blog post EPiServer - Security and Access Control (1/2), or check the Administrator Manual.