Permission problems with Application Pools

Topics: User Forum
Aug 27, 2008 at 4:12 PM

I've successfully installed and configured IIRF on an IIS 6.0 running in Windows Server 2003. The original purpose of the rewriting was redirecting the URL query string to an application cgi. The rule in the ini file is the following:

RewriteRule ^/ows/([^/?]+)\?(.*)$ /cgi-bin/cgiapp.exe?map=D:/path/in/the/server/maps/${QUERY_STRING} [L]

Everything works fine when the virtual directory "cgi-bin" is assigned to the "DefaultAppPool" application pool. But if I assign the virtual directory to a new application pool (i.e. "CGIAppPool"), the server returns a 403 Access Denied error. Switching to DefaultAppPool everything works fine again.

I don't know if there is a permissions problem, because both application pools run under the same identity and are configured identically.

Any ideas?

Thank you very much in advance

Aug 29, 2008 at 6:40 AM
Hmm, does IIRF work properly?
Does the rewriterule work as you expect?

What if you were to invoke the cgi-bin query directly from the browser - sort of cut out the rewrite. Do you get the same 403?
Aug 29, 2008 at 9:51 AM
IIRF works perfectly fine but only when the virtual directory "cgi-bin" is assigned to the "DefaultAppPool". If I change the application pool, the server returns the 403 error.

If I bypass the rewriting when the virtual directory "cgi-bin" is assigned to the "CGIAppPool", I get the correct output (a PNG image):

  • DefaultAppPool = ok
  • DefaultAppPool + IIRF = ok
  • CGIAppPool = ok
  • CGIAppPool + IIRF = 403
Sep 3, 2008 at 3:20 PM
I have simplified the scenario and found that even a simple rule like
RewriteRule ^/foo$ /test/hello.html [L]
gives a 403 error if I change the Virtual Directory "test" from the DefaultAppPool to another one.

So any rewrite rule will return a 403 error if the result points to a virtual directory (with permission Execute such ISAPI applications or CGI) which is not assigned to the DefaultAppPool.

Any ideas?
Sep 3, 2008 at 8:48 PM
Let me have a think on this.
Sep 3, 2008 at 9:30 PM
Ok, after reading up on this, I learned that the 403 is returned as a result of a security constraint within IIS.

It is not possible for a module or filter within IIS to change the URL to a URL that runs in a different application pool. 
It is possible to REDIRECT, but it is not possible to REWRITE URLs in this way.
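
An added illustration of the constraint described in the reply above (not part of the original thread and not IIRF's own code): a Python check that flags rewrite rules whose target sits in a different application pool than the requested URL. The pool mapping, the `OtherAppPool` name, the `/bar` and `/baz` rules, and treating the `R` modifier as the redirect form are assumptions.

```python
import re

# Rules from the thread plus two constructed ones (/bar and the [R=302] variant).
SAMPLE_INI = r"""
RewriteRule ^/ows/([^/?]+)\?(.*)$ /cgi-bin/cgiapp.exe?map=D:/path/in/the/server/maps/${QUERY_STRING} [L]
RewriteRule ^/foo$ /test/hello.html [L]
RewriteRule ^/bar$ /local/page.html [L]
RewriteRule ^/baz$ /test/hello.html [R=302]
"""

# Constructed mapping of virtual directory -> application pool.
# "OtherAppPool" is a hypothetical name; in practice read this from the IIS metabase.
POOLS = {"/": "DefaultAppPool", "/cgi-bin": "CGIAppPool", "/test": "OtherAppPool"}


def pool_for(path, pools):
    """Return the pool of the longest virtual directory containing path."""
    best = "/"
    for vdir in pools:
        inside = path == vdir or path.startswith(vdir.rstrip("/") + "/")
        if inside and len(vdir) > len(best):
            best = vdir
    return pools[best]


def literal_prefix(pattern):
    """Heuristic: the literal path a URL pattern starts with, up to the first metacharacter."""
    return re.match(r"\^?([A-Za-z0-9_/-]*)", pattern).group(1) or "/"


def cross_pool_rewrites(ini_text, pools):
    """List (pattern, source_pool, target_pool) for rewrites that change pool."""
    findings = []
    for line in ini_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "RewriteRule":
            continue
        flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
        if any(f == "R" or f.startswith("R=") for f in flags):
            continue  # a redirect makes the client issue a new request, so no 403
        src = pool_for(literal_prefix(parts[1]), pools)
        dst = pool_for(parts[2].split("?", 1)[0], pools)
        if src != dst:
            findings.append((parts[1], src, dst))
    return findings


if __name__ == "__main__":
    for pattern, src, dst in cross_pool_rewrites(SAMPLE_INI, POOLS):
        print(f"{pattern}: {src} -> {dst} (rewrite will be refused; use a redirect)")
```
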


Sep 4, 2008 at 1:02 PM
That's a bit frustrating.

Anyway thanks for your time and congratulations for your great app
Sep 10, 2008 at 1:31 AM
Thanks;  sorry it didn't work out the way you needed it to.
Feb 28, 2013 at 8:48 PM
Sorry to open this very old post. Does this still apply? Could you provide where you read it?