[wix-users] Using IIS APPPOOL users in Permissions

Douglas, Keith (STATCAN) keith.douglas at canada.ca
Thu Mar 17 08:06:31 PDT 2016

I'm trying to figure out how the sequencing between Util:PermissionEx and the WebAppPool creation I am also doing works. I see that the latter actually creates the "pseudouser" IIS AppPool\i-eq I want to use for my Util:PermissionsEx (amongst other things). What can I do to guarantee the user exists when the Util:PermissionsEx runs? I have tried using a component that appears to be later in the list for the (one) feature of my package:

            <Component Id="FA2047985596">
              <Iis:WebSite Id="WebSite5d5cc9b1380b4ba4980105e6b6f5daf0" Description="Default" Directory="F1783711615">
                <Iis:WebAddress Id="WebAddressecb59b2ff71e4a65af5b6f533517a2ff" Port="80" Secure="no" />
                <Iis:WebVirtualDir Id="WebVirtualDire4241ed8f4894600a8c467a4f39d9154" Alias="i-eq" Directory="F1576799264">
                  <Iis:WebApplication Id="WebApplicationbcc1610fd58e45008c4280d5810870e3" Name="i-eq" WebAppPool="WebAppPool0c8f35d1dd994d15bd31abb69042159d" />
                  <Iis:WebDirProperties Id="WebDirProperties5043b0fdd4ff488e8c04ba28b4ad979c" />
              <Iis:WebAppPool Id="WebAppPool0c8f35d1dd994d15bd31abb69042159d" ManagedPipelineMode="Integrated" Name="i-eq" RecycleMinutes="0" />
              <File Id="FA2047985596" Source="C:\InstallerBuilder\ICOS\EQ\Files\wwwroot\i-eq\Global.asax" KeyPath="yes" />

The above is the Component which I take creates the pseudouser.
I tried putting the PermissionsEx after the Iis:WebAppPool in this component and also in one that appears later in the Directory structure with all the Components. Both cannot find the user when the permission are set by:

            <Component Id="F1510465744">
              <File Id="F1510465744" Source="C:\InstallerBuilder\ICOS\EQ\Files\wwwroot\i-eq\key_Interviewer.pfx" KeyPath="yes" />
              <CreateFolder Directory="F1576799264">
                <Util:PermissionEx GenericAll="yes" User="IIS APPPOOL\i-eq" xmlns:Util="http://schemas.microsoft.com/wix/UtilExtension" />

Later I have:

(other ComponentRefs)

      <ComponentRef Id="FA2047985596" />
      <ComponentRef Id="F853134304" />
      <ComponentRef Id="F454591189" />
      <ComponentRef Id="FA984235795" />
      <ComponentRef Id="F184433633" />
      <ComponentRef Id="FA492969498" />
      <ComponentRef Id="FA1553288547" />
      <ComponentRef Id="F1874513077" />
      <ComponentRef Id="FA1904274263" />
      <ComponentRef Id="F1928470240" />
      <ComponentRef Id="F1814109131" />
      <ComponentRef Id="F21413760" />
      <ComponentRef Id="F2032288945" />
      <ComponentRef Id="F1510465744" />

So this does look like that ordering is correct; in the log I see:

MSI (s) (24:B4) [10:26:21:356]: Component: FA2047985596; Installed: Absent;   Request: Local;   Action: Local
MSI (s) (24:B4) [10:26:21:356]: Component: F1510465744; Installed: Absent;   Request: Local;   Action: Local

So again the ordering (though different) looks correct. (If I've got the right place in the log, anyway.)

The error is:

MSI (s) (24:D8) [10:26:22:950]: Hello, I'm your 32bit Elevated Non-remapped custom action server.
ExecSecureObjects:  Error 0x80070534: failed to get sid for account: IIS APPPOOL\i-eq
CustomAction ExecSecureObjects returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

What am I missing?

Keith Douglas

Programmer Analyst, Collection Systems Division
Statistics Canada / Government of Canada
Keith.Douglas at canada.ca<mailto:Keith.Douglas at canada.ca> / Tel : 613-854-5589

Programmeur analyste, Division des systèmes de collecte
Statistique Canada / Gouvernenment du Canada
Keith.Douglas at canada.ca<mailto:Keith.Douglas at canada.ca> / Tél :613-854-5589

More information about the wix-users mailing list