Microsoft Web Deploy automatically adjusts your website's ACL permissions on every publish. By default it configures the anonymous user (IUSR) with read-only access. This frequently breaks applications that must write files at runtime, producing access-denied exceptions for uploads, logging, or dynamic configuration. The fix is to disable the SetAcl provider by setting IncludeSetAclProviderOnDestination=False. Apply the change via MSBuild command, project file edit, or a global modification to the publishing targets file.
Controlling this behavior lets you manage file-system permissions explicitly on the server instead of accepting Web Deploy's defaults. The setting travels with source control when added to the project file and prevents recurring permission resets after each deployment.
#Why Web Deploy Modifies ACLs
The Web Publishing pipeline includes a dedicated SetAcl provider that runs after files are copied. Its purpose is to ensure the application pool identity can read and execute the site contents. In practice the default rule also restricts the anonymous user to read-only, which is too narrow for many ASP.NET applications. When your code attempts to create directories, write logs, or save user files, a permissions error occurs. Disabling the provider leaves your manually configured ACLs untouched.
#Prerequisites
- ASP.NET web project open in Visual Studio
- Developer Command Prompt for Visual Studio available
- Administrative access on the development machine for global targets edit
- Current backup of .csproj, .vbproj, and any published site files
#Option 1: Disable with MSBuild Command
Run a one-time MSBuild command to override the property for the current publish without changing source files. Open the Visual Studio Developer Command Prompt, change to the project directory, and execute the command that matches your project language.
msbuild PROJECTNAME.csproj /p:IncludeSetAclProviderOnDestination=Falsemsbuild PROJECTNAME.vbproj /p:IncludeSetAclProviderOnDestination=False#Option 2: Edit the Project File
For a permanent per-project solution, open the .csproj or .vbproj file in a text editor. Locate or create a PropertyGroup element (preferably the first unconditional one) and insert the IncludeSetAclProviderOnDestination tag. The updated section should resemble the following XML.
<PropertyGroup>
<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
<IncludeSetAclProviderOnDestination>False</IncludeSetAclProviderOnDestination>
</PropertyGroup>Save the file, reload the project in Visual Studio if necessary, then publish again. The setting now travels with the project in source control.
#Option 3: Global Change to Publishing Targets
To stop every ASP.NET project on the machine from using the SetAcl provider, edit the shared Microsoft.Web.Publishing.targets file. Open Notepad as Administrator, then follow these steps.
- Navigate to C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v10.0\Web (use C:\Program Files\... for 64-bit MSBuild)
- Open Microsoft.Web.Publishing.targets
- Find the IncludeSetAclProviderOnDestination element
- Change its default value from True to False
- Save the file
All future publishes from that development machine will skip ACL management. Revert the edit if you later need the default behavior on other projects.
#Fixing Permission Issues After Publishing
If you have already published without this setting and now face permission errors, contact our support department and ask to have your permissions reset. After the reset, republish using one of the methods above so the problem does not recur.
Test file-write features immediately after deployment. Keep the IncludeSetAclProviderOnDestination=False setting in place to maintain stable ACLs across future updates.
Comments
No comments yet