Keywords: IIS | 500.19 Error | Permission Configuration | ApplicationPoolIdentity | web.config
Abstract: This article provides an in-depth analysis of HTTP error 500.19 (error code 0x80070005) in IIS servers, focusing on application pool identity permission configuration issues. Through systematic solutions and code examples, it helps developers understand the IIS permission model, master correct configuration file access permission settings, and avoid common deployment pitfalls. The article combines practical cases to provide a complete technical path from problem diagnosis to complete resolution.
Error Background and Problem Analysis
HTTP error 500.19 is a common configuration error in IIS servers, particularly error code 0x80070005 indicates the system cannot read configuration files. From a technical perspective, the core of this error lies in insufficient process identity permissions to access the web.config file. In IIS 7.0 and later versions, ApplicationPoolIdentity is the key factor controlling access permissions.
In-depth Analysis of Permission Model
The IIS permission system is based on the Windows security model, with application pools running under specific identities. By default, IIS uses ApplicationPoolIdentity, which is a virtual account with limited permissions. When this identity cannot read the web.config file, it triggers the 0x80070005 error. It's important to clarify that the IUSR account is used for anonymous access and should not be directly used for configuration file access.
Solution Implementation Steps
First, determine the running identity of the application pool. This can be viewed through IIS Manager by checking the application pool's advanced settings and finding the "Identity" property. If it's ApplicationPoolIdentity, you need to grant the IIS_IUSRS group read permissions to the website directory. Specific operations include: right-clicking the website directory in Windows Explorer, selecting "Properties," entering the "Security" tab, adding the IIS_IUSRS group and granting read permissions.
Code Examples and Configuration Verification
The following PowerShell script automates the permission setting process:
# Get website directory path
$websitePath = "C:\inetpub\wwwroot\mywebsite"
# Get IIS_IUSRS group
$iisGroup = [System.Security.Principal.NTAccount]"IIS_IUSRS"
# Set directory permissions
$acl = Get-Acl $websitePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($iisGroup, "Read", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl $websitePath $acl
# Verify permission settings
Get-Acl $websitePath | Format-ListCommon Misconceptions and Best Practices
Many developers mistakenly believe that permissions need to be configured for the IUSR account, which is incorrect. IUSR is used for handling anonymous web requests, while configuration file access should be handled by the application pool identity. Best practices include: deploying websites to standard locations (such as inetpubwwwroot), avoiding user document directories; regularly auditing permission settings; using the principle of least privilege.
Advanced Troubleshooting
If basic permission settings don't resolve the issue, deeper checks may be needed: verify if the application pool identity has been customized; check if folder permission inheritance is broken; use Process Monitor tool to track specific reasons for file access failures. For complex deployment environments, enabling failed request tracing is recommended to obtain detailed error information.
Preventive Measures and Deployment Recommendations
To avoid such errors, thorough permission planning should be conducted before deployment. It's recommended to establish a standard deployment checklist including permission verification, path checking, and configuration testing. For team development environments, unified deployment specifications should be established to ensure all members follow the same security practices.