IIS APPPOOL : Some or all identity references could not be translated…

System.Security.Principal.SecurityIdentifier.Translate : “Some or all identity references could not be translated”

icacls : “No mapping between account names and security IDs was done”

So I was trying to add a web application via PowerShell and got stuck on the first message when trying to grant the web pool folder access. I tried various items, and then tried icacls from the command line and got the second message. Turns out you need to force IIS to commit the changes to create the web pool! The real issue is it didn’t exist yet.

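# add a web application

# Get-IISServerManager and the *-IISCommitDelay cmdlets come from IISAdministration;
# the IIS:\ drive and New-WebApplication come from WebAdministration
Import-Module IISAdministration
Import-Module WebAdministration

# reset for clean slate
Reset-IISServerManager -Confirm:$false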


Start-IISCommitDelay

$siteName = "Default Web Site"
$appName = "MyBlog"
$appPoolName = "MyBlogAppPool"
$appFolder = "C:\inetpub\wwwroot\MyBlogApp"

# add the app pool
$server = Get-IISServerManager
$appPool = $server.ApplicationPools.Add($appPoolName)
# list props
# $appPool | select-object *
$appPool.ManagedRuntimeVersion = "v4.0"

# IMPORTANT that this is committed, otherwise the ACL step below will fail
# none of the error messages will explain the app pool doesn't exist

Stop-IISCommitDelay

# verify it exists

Get-ChildItem -Path IIS:\AppPools

# add the folder

New-Item -ItemType "directory" $appFolder

# set permissions on folder

$server = Get-IISServerManager
$appPoolSid = $server.ApplicationPools["$appPoolName"].Attributes['applicationPoolSid']
$identifier = New-Object System.Security.Principal.SecurityIdentifier $appPoolSid.Value
$user = $identifier.Translate([System.Security.Principal.NTAccount])

$acl = Get-Acl $appFolder
#$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($user,"FullControl", "Allow")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($user,"FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl $appFolder $acl

# create the web app
Reset-IISServerManager -Confirm:$false
Start-IISCommitDelay

New-WebApplication -Name $appName -Site $siteName -PhysicalPath $appFolder -ApplicationPool $appPoolName

Stop-IISCommitDelay
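
The failure mode described above, wrapped in a function that checks the pool is in the committed configuration before touching the ACL and names that cause when it is not. This is an added example, not code from the original post; the function name `Grant-AppPoolFolderAccess` and the `ReadAndExecute` default are assumptions (pass `-Rights FullControl` to match the script above), and it is meant to be called after `Stop-IISCommitDelay`.

```powershell
# Added example, not from the original post.
# Function name and default rights are assumptions.
Import-Module IISAdministration

function Grant-AppPoolFolderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AppPoolName,
        [Parameter(Mandatory)] [string] $Path,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'ReadAndExecute'
    )

    # Re-read configuration from disk so only committed pools are visible.
    Reset-IISServerManager -Confirm:$false
    $pool = (Get-IISServerManager).ApplicationPools[$AppPoolName]
    if ($null -eq $pool) {
        throw "App pool '$AppPoolName' is not in the committed IIS configuration. " +
              "Commit it (Stop-IISCommitDelay) before setting ACLs."
    }

    $sidValue = $pool.Attributes['applicationPoolSid'].Value
    $sid = New-Object System.Security.Principal.SecurityIdentifier $sidValue
    try {
        # This is the call that raises "Some or all identity references
        # could not be translated" when the SID has no account mapping.
        $account = $sid.Translate([System.Security.Principal.NTAccount])
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        throw "SID $sidValue for app pool '$AppPoolName' cannot be translated to an account name yet."
    }

    # Inherit to subfolders and files, same flags as the script above.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Read the ACL back and return this account's entries so the caller can verify the grant.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $account.Value }
}

# Values taken from the script above.
Grant-AppPoolFolderAccess -AppPoolName 'MyBlogAppPool' -Path 'C:\inetpub\wwwroot\MyBlogApp'
```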

References:
https://serverfault.com/questions/303097/how-can-i-add-acl-permissions-for-iis-apppool-accounts-via-powershell
