Click here to Skip to main content
15,844,903 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more: , +
I have an application that deploys code to various target servers. Recently Windows 2012 servers have been added as target servers but the application's agent service (which is installed as a service on each target) returns an 'Access denied' message when trying to perform any tasks linked to IIS. For example the application will try to Stop the relevant App Pools and Sites before copying the code to the target. First thing the App does when trying to stop the App Pool is determine which app pool needs to be stopped, sample code below:

private const string m_adSitesPath = @"IIS://{0}/W3SVC";

private DirectoryEntry FindSite(int nPort)
        using (DirectoryEntry sites = new DirectoryEntry(string.Format(m_adSitesPath, m_RemoteServerName)))

            foreach (DirectoryEntry de in sites.Children)
                if (de.SchemaClassName == "IIsWebServer")
                    string port = GetNullableDirMultiValuePart(de, "ServerBindings", 0, 1);
                    if (nPort == int.Parse(port))
                        return de; 
        return null;

App fails at sites.RefreshCache(); with Access Denied. On the actual server the ID the Agent is logged in as is in the Admin group and has the Log on as a Service privilege set.
This application does not display this issue when running on Windows 2008 servers with IIS7. Has anyone any advice on where I could start investigating? It appears to be permissions related but the ID setup matches on both servers so is there something with IIS8 that I need to do?

Updated 2-Jun-22 15:01pm
Nathan Minier 2-Dec-15 12:43pm    
What account is the Service running under? You might need to change it to one that has permissions in IIS. You can also run the service as the appropriate AppPool, which would also give you a direct hook to the AppPool rather than looking it up.

Have a look at:
pmcm 4-Dec-15 4:26am    
I appreciate your reply. The Service runs under the Administrators group and I have tried adding it to the IIS_URSRS which is also in the Admin group.
pmcm 7-Dec-15 10:28am    
My application target service is deployed across a mixture of 2008 and 2012 servers, and the version of Microsoft.Web.Administration.dll is different on both. I tried building my application with the MWA v8.5 DLL but when I deploy the code to the 2008 server the Service doesn't do anything. due to the MWA.dll version being different on a 2008 server.

At present our applications Service is using the DirectoryEntry class to try and manipulate IIS. Should I still be able to use the properties from this class to work with IIS 8/Server 2012 and stop/start app pools for example? Are there any known issues of using the DirectoryEntry class to stop/start app pools in IIS8/Server 2012?


I believe there might be problems with IIS Authentication in DirectoryEntry object. Can you please add

DirectoryEntry.AuthenticationType = AuthenticationTypes.Encryption

and see if your issue is resolved.

Starting Windows Server 2003 SP1, all remote IIS communication needs to be encrypted, else you will end with WBEM_ACCESS_DENIED from WMI. If this AuthenticationTypes is not working, try others from the below web page and let me know how it goes.[^]

If the issue is still occurring, please try to restart the pool using WMI. Please refer my article[^]
Share this answer
I resolved this issue by rewriting the methods using the Microsoft.Web.Administration.dll see this thread on another forum I opened.
Dynamically load Microsoft.Web.Administration.dll | The ASP.NET Forums
Share this answer
For the permission error "Filename: redirection.config\r\nError: Cannot read configuration file due to insufficient permissions\r\n\r\n",
I added a new user called IIS IUSRS (put it in the name check area and check it to get the correct name) and then added all permissions which worked for me, however, i still get access is denied error.

Hope this helps!
Share this answer

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900