We have installed and configured a Siteminder Webagent. We can see the following error in the "CA_SiteMinder_Web_Agent_Configuration_Install_<MM>_<DD>_<YYYY>_<hh>_<mm>_<ss>.log" file:
Release : 12.8.x
Component : Web Agent
This error occurred because the "DefaultAppPool" was removed from the IIS instance. Siteminder is hardcoded to run 'icacls' against the AgentId.dat file and grant Full Control access to the 'DefaultAppPool'. The Siteminder Config. Wizard does the same, granting permissions on the following files:
NOTE: In this case, there is an Application Pool named "Transpolar" which is configured to use "ApplicationPoolIdentity".
=====================
C:\Program Files\CA\webagent\win64\config\SmHost.conf" /grant "IIS AppPool\Transpolar":(Modify)
C:\Program Files\CA\webagent\win64\log" /grant "IIS AppPool\Transpolar":(OI)(CI)(Modify)
C:\Program Files\CA\webagent\win64\bin\IIS\WebAgent.conf" /grant "IIS AppPool\Transpolar":(Read & Execute)
C:\Program Files\CA\webagent\win64\config\SmHost.conf" /grant "IIS AppPool\Transpolar":(Modify)
C:\Program Files\CA\webagent\win32\log" /grant "IIS AppPool\Transpolar":(OI)(CI)(Modify)
C:\Program Files\CA\webagent\win32\bin\IIS\WebAgent.conf" /grant "IIS AppPool\Transpolar":(Read & Execute)
C:\Program Files\CA\webagent\win64\bin\IIS\AgentId.dat" /grant "IIS AppPool\DefaultAppPool":F (Full Control)
C:\Program Files\CA\webagent\win32\bin\IIS\AgentId.dat" /grant "IIS AppPool\DefaultAppPool":F (Full Control)
=====================
Siteminder automatically attempts to grant the 'DefaultAppPool' Full Control of the 'AgentId.dat' file in both the 'win32' and 'win64' directories. In this case, since the DefaultAppPool was removed, the process failed when 'icacls' was run.
This message can be ignored.
You can ensure that all App Pool users are automatically granted the appropriate permissions on the Siteminder Web Agent by doing the following:
1) Log on to the Web Server/Web Agent host.
2) Browse to the web agent installation directory:
Default: C:\Program files\CA\webagent
3) 'right-click' the "webagent" directory and select PROPERTIES
4) Select the 'Security' tab
5) 'click' the EDIT button
6) 'click' the ADD button
7) Change the 'Location' to the Local Server name
8) Type "IIS_IUSRS" and select 'Check Name'. The name should populate as "<Server_Name>\IIS_IUSRS"
9) 'click' OK
10) Grant 'Modify' permissions
11) Save the changes
12) Stop and restart IIS
The 'IIS_IUSRS' group is a built-in group which contains all the identities of the accounts assigned to Application Pools. Newly created application pools and newly assigned App Pool accounts will automatically be granted the appropriate permissions and won't require a re-registration.
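The same procedure as a script, for hosts where the change has to be repeatable and auditable. This is an added example, not vendor code; it assumes the default installation directory from step 2 and an elevated PowerShell prompt, and the function name Test-ModifyGranted is hypothetical.

```powershell
# Added example (not CA/Broadcom code). Run from an elevated PowerShell prompt.
# Assumption: the agent lives in the default directory named in step 2.
param(
    [string]$AgentRoot = 'C:\Program Files\CA\webagent'
)
$ErrorActionPreference = 'Stop'

# BUILTIN\IIS_IUSRS has the well-known SID S-1-5-32-568. Using the SID avoids
# depending on the server name or on a localized group name.
$sid    = 'S-1-5-32-568'
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$allow  = [System.Security.AccessControl.AccessControlType]::Allow

# Hypothetical helper: true when an Allow rule for IIS_IUSRS covers Modify.
function Test-ModifyGranted {
    param([string]$Path)
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $sid -and
            $r.AccessControlType -eq $allow -and
            ($r.FileSystemRights -band $modify) -eq $modify) { return $true }
    }
    return $false
}

if (-not (Test-Path -LiteralPath $AgentRoot -PathType Container)) {
    throw "Web agent directory not found: $AgentRoot"
}

if (Test-ModifyGranted -Path $AgentRoot) {
    Write-Output "IIS_IUSRS already has Modify on $AgentRoot; nothing to change."
} else {
    # Steps 6-11: add IIS_IUSRS with Modify, inherited by subfolders and files.
    & icacls.exe $AgentRoot /grant "*${sid}:(OI)(CI)M"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    if (-not (Test-ModifyGranted -Path $AgentRoot)) {
        throw "Grant did not appear in the ACL of $AgentRoot"
    }
    Write-Output "Granted Modify to IIS_IUSRS on $AgentRoot"
    # Step 12: stop and restart IIS so worker processes pick up the change.
    & iisreset.exe /restart
}
```

Because IIS_IUSRS contains every application pool identity on the host, this grant lets each pool modify the files under the agent directory, including SmHost.conf, so record it in the server's baseline and review it when new pools are added.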