Access to powerserver\licoffdata.bin is denied

On startup of PowerServer Web APIs, the event log records the following warning:

Access to the path "C:\inetput\wwwroot\salesdemo_cloud_API\powerserver\licoffdata.bin" is denied.

Cause:

PowerServer Web APIs needs read and write rights on the root directory where it is hosted. For example, when deploying to IIS, read and write rights are required on the "[solutionname]_API" sub-folder. This ensures that when PowerServer is unable to connect to the license server (for example, due to a network problem), it can still run for a short period of time.

Solution:

Grant Internet Guest Account and IIS Process Account proper rights to manipulate the Web root folder. Below are the detailed steps:

  1. Right-click on the C:\Inetpub\wwwroot folder. Select the Properties item and select the Security tab page;

  2. Add IIS_IUSRS (or NETWORK SERVICE) if it is not listed in the "Group or user names" box;

  3. Grant Full Control permission to the IIS_IUSRS (or NETWORK SERVICE).

  4. Restart the IIS server (iisreset.exe).

  5. If the issue persists, please try granting "everyone" user full control permission on the API folder, for example, C:\inetput\wwwroot\salesdemo_cloud_API.

Best Practice: Follow the Principle of Least Privilege When Granting Folder Permissions

Avoid granting permissions to the entire IIS_IUSRS group, as it applies to all IIS websites and may introduce unnecessary security risks. Instead, grant file system permissions only to the virtual account associated with the specific Application Pool that hosts your Web API. This approach is more secure and follows Microsoft's recommended guidelines.

Recommended Approach (Using ApplicationPoolIdentity):

  1. Identify the Application Pool Name

    Open IIS Manager.

    1. In the left-hand tree view, expand Sites and select your target site (e.g., MyAPI).

    2. In the right-hand pane, click Basic Settings ...

    3. Note the Application pool name (e.g., MyAPI).

  2. Determine the Virtual Account Name

    If your application pool uses the default ApplicationPoolIdentity, Windows automatically creates a virtual account named:

    IIS APPPOOL\<AppPoolName>

    For example: IIS APPPOOL\MyAPI

  3. Grant NTFS Modify Permissions

    1. In File Explorer, right-click your Web API folder (e.g., C:\inetpub\wwwroot\MyAPI) and choose Properties -> Security -> Edit ... -> Add ...

    2. Click Locations ... and select your local computer.

    3. In Enter the object names to select, type:

      IIS APPPOOL\<YourAppPoolName>

      For example: IIS APPPOOL\MyAPI, then click Check Names and OK.

    4. Select the newly added account and check the box for Modify permission.

    5. Click OK to apply the changes.

  4. Apply Changes and Verify

    1. In IIS Manager, right-click your Application Pool and choose Recycle.

    2. Start the Web API application and ensure it can write logs or temporary files (e.g., licoffdata.bin) without any Access Denied errors.
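The same grant can be scripted and then checked. The PowerShell below is an added example, not part of the original PowerServer documentation: it applies Modify for the pool's virtual account and lists any write access still held by broad groups on the folder. It assumes the page's sample names (pool MyAPI, folder C:\inetpub\wwwroot\MyAPI), an elevated Windows PowerShell session, and the WebAdministration module installed with the IIS management tools.

```powershell
# Added example: the values below are the page's sample names; adjust for your site.
$AppPoolName = 'MyAPI'
$ApiFolder   = 'C:\inetpub\wwwroot\MyAPI'
$Identity    = "IIS APPPOOL\$AppPoolName"

# Confirm the pool exists and really runs as ApplicationPoolIdentity;
# otherwise the IIS APPPOOL\<name> virtual account is not the process identity.
Import-Module WebAdministration
$pool = Get-Item "IIS:\AppPools\$AppPoolName" -ErrorAction Stop
if ($pool.processModel.identityType -ne 'ApplicationPoolIdentity') {
    throw "Pool '$AppPoolName' runs as $($pool.processModel.identityType), not ApplicationPoolIdentity."
}

# Build an Allow/Modify rule that child files and folders inherit.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Add the rule to the existing ACL (existing entries are kept).
$acl = Get-Acl -Path $ApiFolder
$acl.AddAccessRule($rule)
Set-Acl -Path $ApiFolder -AclObject $acl

# Audit: show Allow entries that still give write access to broad principals,
# e.g. left over from granting IIS_IUSRS or Everyone during troubleshooting.
$broad = 'Everyone', 'BUILTIN\IIS_IUSRS', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$write = [System.Security.AccessControl.FileSystemRights]::Write
(Get-Acl -Path $ApiFolder).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $write) -eq $write
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

An empty audit table means only specific identities hold write access; entries marked IsInherited = True come from a parent folder such as wwwroot and have to be changed there.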

Why This Matters

This method restricts write permissions to only the process identity of the specific site, rather than broadly applying access to all IIS-managed processes. It aligns with Microsoft's official security recommendations:

Application Pool Identities - Microsoft Learn

Ensure Security Isolation for Web Sites - Microsoft Learn