authorization: application pool identity cannot access path


I have two very similar ASP Classic apps that both use Windows Authentication and run on the same development PC (Windows 7/IIS 7.5).

They've been around for years, and have 'travelled' with me as I've upgraded PCs through the years. One works fine, but the other doesn't - I can't say for sure whether it has ever worked on this particular PC, since it has been a while since I've had to work on it, but I think it has been working in the recent past.

My problem is that when I browse the site, I get the following error:

HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid
Cannot read configuration file due to insufficient permissions

The curious thing is that it claims to have insufficient privileges to access web.config - but there is no web.config!

In the application settings, if we test the connection, an error is reported:

Authorization: Application pool identity cannot access path

As far as I can tell, both applications are configured identically:

  • Both use the same Application Pool
  • The identity of the pool (a domain user) has identical permissions to the application folder (Read + Modify)
  • Both are configured for Windows Authentication

I'm stumped! Any ideas?

EDIT: Full error information:

**Detailed Error Information**
Module  IIS Web Core
Notification    BeginRequest
Handler Not yet determined
Error Code  0x80070005
Config Error    Cannot read configuration file due to insufficient permissions
Config File \\?\D:\Projects\Scope2\web.config
Requested URL   http://myserver:80/scope2/
Physical Path   D:\Projects\Scope2\
Logon Method    Not yet determined
Logon User  Not yet determined
asked on Server Fault May 31, 2011 by CJM • edited Jun 3, 2011 by CJM

1 Answer


Best guess:

The application pool seems to be having difficulty reading a web.config file in the directory or one of its subfolders. NTFS permissions probably prevent it from doing so.

The app pool starts up as the Application Pool Identity configured in App Pool Properties. This account needs to be able to enumerate all folders within the website, to read the web.config files that live there.

IIS 7.x stores its configuration in web.config files - if any subfolder bars access to the App Pool account, you're going to have difficulties.

I think the second part of the message indicates that the current App Pool identity doesn't have read access to the folder it's naming there.

If you grant - for example - Everyone: Read to that folder it's referring to, if the error comes back, it'll probably name a different folder.

You can allow IIS_IUSRS Read access to all your website folders, but that's a fairly broad solution; what you really need to do is allow your App Pool account Read access to the entire contents of the website (and subfolders). (and only Read (never Modify or Write) unless you're a very special case (assume you're not))

Alternatively, you can set the allowSubdirConfig property at the site level to prevent searching lower-level subfolders for web.config files:

answered on Server Fault Jun 2, 2011 by TristanK • edited Feb 23, 2012 by TristanK

User contributions licensed under CC BY-SA 3.0