IIS AppPool\DefaultAppPool: No mapping between account names and security IDs was done

Article ID: 251501


Updated On:

Products

SITEMINDER

Issue/Introduction

We have installed and configured a Siteminder Webagent. We can see the following error in the "CA_SiteMinder_Web_Agent_Configuration_Install_<MM>_<DD>_<YYYY>_<hh>_<mm>_<ss>.log" file:

 

Environment

Release : 12.8.x

Component : Web Agent

Cause

This error occurred because the "DefaultAppPool" was removed from the IIS instance.  Siteminder is hardcoded to run 'icacls' against the AgentId.dat file and grant Full Control access to the 'DefaultAppPool'.  The Siteminder Config. Wizard does the same, granting permissions on the following files:

NOTE: In this case, there is an Application Pool name "Transpolar" which is configured to use "ApplicationPoolIdentity".

=====================
"C:\Program Files\CA\webagent\win64\config\SmHost.conf" /grant "IIS AppPool\Transpolar":(Modify)
"C:\Program Files\CA\webagent\win64\log" /grant "IIS AppPool\Transpolar":(OI)(CI)(Modify)
"C:\Program Files\CA\webagent\win64\bin\IIS\WebAgent.conf" /grant "IIS AppPool\Transpolar":(Read & Execute)
"C:\Program Files\CA\webagent\win64\config\SmHost.conf" /grant "IIS AppPool\Transpolar":(Modify)
"C:\Program Files\CA\webagent\win32\log" /grant "IIS AppPool\Transpolar":(OI)(CI)(Modify)
"C:\Program Files\CA\webagent\win32\bin\IIS\WebAgent.conf" /grant "IIS AppPool\Transpolar":(Read & Execute)
"C:\Program Files\CA\webagent\win64\bin\IIS\AgentId.dat" /grant "IIS AppPool\DefaultAppPool":F (Full Control)
"C:\Program Files\CA\webagent\win32\bin\IIS\AgentId.dat" /grant "IIS AppPool\DefaultAppPool":F (Full Control)
=====================

Siteminder automatically attempts to grant the 'DefaultAppPool' Full Control of the 'AgentId.dat' file in both the 'win32' and 'win64' directories.  In this case, since the DefaultAppPool was removed, the process failed when 'icacls' was run.

Resolution

This message can be ignored.

You could ensure that all App Pool users are automatically granted the appropriate permission to the Siteminder Web Agent by doing the following.

1) Logon to the Web Server/Web Agent host.

2) Browse to the web agent installation directory:

Default: C:\Program files\CA\webagent

3) 'Right-click' the "webagent" directory and select PROPERTIES

4) Select the 'Security' tab

5) 'click' the EDIT button

6) 'click' the ADD button

7) Change the 'Location' to the Local Server name

8) Type "IIS_IUSRS" and select 'Check Name'.  The name should populate as "<Server_Name>\IIS_IUSRS"

9) 'click' OK

10) Grant 'Modify' permissions

11) Save the changes

12) Stop and restart IIS

The 'IIS_IUSRS' group is a built-in group which contains all the identities of the accounts assigned to Application Pools.  Newly created application pools and newly assigned App Pool accounts will automatically be granted the appropriate permissions and won't require a re-registration.
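The same procedure from an elevated PowerShell prompt, as an added example that is not part of the original article or the vendor's tooling. It first checks whether each application pool identity still resolves to a SID (the condition behind the "No mapping" error), then applies the folder-level grant from steps 6 to 10 and restarts IIS. It assumes the default install path from step 2 and the two pool names mentioned above.

```powershell
# Added example. Assumptions: default install path, pool names from this article,
# and an elevated (Run as administrator) PowerShell session on the web server.
$AgentRoot = 'C:\Program Files\CA\webagent'
$PoolNames = @('DefaultAppPool', 'Transpolar')

function Test-AccountResolves {
    param([string]$Account)
    # Translate() throws when Windows cannot map the account name to a SID,
    # which is the same condition icacls reports as "No mapping between
    # account names and security IDs was done".
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $null = $nt.Translate([System.Security.Principal.SecurityIdentifier])
        return $true
    } catch {
        return $false
    }
}

# Report which per-pool identities exist before relying on per-pool grants.
foreach ($pool in $PoolNames) {
    $account = "IIS AppPool\$pool"
    if (Test-AccountResolves $account) {
        Write-Output "$account resolves to a SID"
    } else {
        Write-Output "$account has no SID mapping; icacls /grant for it will fail"
    }
}

# Steps 6-10: grant Modify to the built-in IIS_IUSRS group, inherited by
# subfolders (CI) and files (OI) under the webagent directory.
icacls $AgentRoot /grant 'BUILTIN\IIS_IUSRS:(OI)(CI)M'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Confirm the entry is present on the directory ACL.
$entry = (Get-Acl -Path $AgentRoot).Access |
    Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\IIS_IUSRS' }
if (-not $entry) { throw 'IIS_IUSRS entry not found on the webagent directory' }
$entry | Format-List IdentityReference, FileSystemRights, InheritanceFlags

# Step 12: stop and restart IIS.
iisreset /restart
```

Because the grant is inherited, every file under the webagent directory becomes modifiable by any application pool identity on the server, which is broader than the per-file grants the wizard applies to a single pool.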