Fluent Bytes


How to fix “Error: This access control list is not in canonical form and therefore cannot be modified. Error count: 1”

In my previous post about Deploying ASP.NET 4.5 to Docker on Windows I forgot to mention that you might run into an issue when running Web Deploy.

Julian Perrott commented on my post and asked if this is an issue. I think it is an issue and that the install does not complete correctly. But there is an easy fix for this as well. What you can do is add a small PowerShell script to your Docker image and run it after the first attempt to deploy the website. Then the next step is to run the script to fix the ACLs and then run Web Deploy again. I have not yet tried this on the latest Windows Server 2016 bits, but on Technical Preview 5 this worked like a charm.

You need the following script to fix the ACLs:

This script does nothing more than get the ACL on the path and then re-apply it. This makes Windows fix the ACL and put it in canonical form again.
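As an added example, not the author's original script: the PowerShell below does what the paragraph above describes (read the ACL, write it back to the same path), and additionally logs `AreAccessRulesCanonical` before and after and fails if the set of access entries changed, so the re-apply cannot silently alter who has access. The `-Path` parameter and the `Get-AceSummary` helper are names introduced here for illustration.

```powershell
# Added example (not the post's original script). Re-applies a directory's own
# ACL, as the post describes, and verifies the result for the pipeline log.
param(
    # Assumption: the folder Web Deploy writes to; supply your own site path.
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$ErrorActionPreference = 'Stop'

# Hypothetical helper: flattens every explicit and inherited entry to a string.
# SIDs are used so that orphaned accounts do not need name translation.
function Get-AceSummary {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object {
            '{0}|{1}|{2}|inherited={3}' -f $_.IdentityReference,
                $_.AccessControlType, $_.FileSystemRights, $_.IsInherited
        }
}

$before = Get-Acl -LiteralPath $Path
Write-Host "Canonical before: $($before.AreAccessRulesCanonical)"
$beforeAces = @(Get-AceSummary $before)

# The fix from the post: write the ACL that was just read back to the same path.
Set-Acl -LiteralPath $Path -AclObject $before

$after = Get-Acl -LiteralPath $Path
Write-Host "Canonical after:  $($after.AreAccessRulesCanonical)"
$afterAces = @(Get-AceSummary $after)

# A different order is expected; a different set of entries is not.
$diff = Compare-Object ($beforeAces | Sort-Object) ($afterAces | Sort-Object)
if ($diff) {
    $diff | ForEach-Object { Write-Warning "$($_.SideIndicator) $($_.InputObject)" }
    throw "ACL entries on '$Path' changed during re-apply; review before deploying."
}
if (-not $after.AreAccessRulesCanonical) {
    throw "ACL on '$Path' is still not in canonical form."
}
```

Because the script throws when the entries differ or the ACL is still non-canonical, a container build or release step that calls it stops there instead of continuing to the second Web Deploy run.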

You can add this to your Dockerfile and make it part of your standard install of a website in your release pipeline.

So this does nothing more than add the little PowerShell script to the container and then use it in the step after deploying your website.

Hope this helps!

CTO at Xpirit, Microsoft Regional Director, Visual Studio ALM MVP, Speaker, Pluralsight Author and IT Architect Consultant

8 Comments

  1. I have a Windows Server 2016 machine (OS Build number 14393.693) and this is not working there.
    Tell me where to make the fixAcls.ps1 on my local machine, as it is not mentioned,
    and trying various permutations and combinations is doing no good, only giving errors.

  2. Can you try it on Windows Server? It doesn’t work for me.

  3. Brilliant! This worked! This is the only answer that didn’t say that the fix is to simply open the security tab of the folder. Also, how pathetic that this error even exists, much less that the fix is to capture the folder’s own ACL, then apply its own ACL to itself.

  4. Thanks this worked for me on WindowsServerCore 2016 container.
    Here is the docker run command …

    # Set ACL for site directories: grant NetworkService full control
    RUN $StartingDir = 'C:\inetpub\wwwroot\Vimago';

    Write-Host 'Fixing ACL for:C:\inetpub\wwwroot\Vimago\ScalableWebSite';
    $path = 'C:\inetpub\wwwroot\Vimago\ScalableWebSite';
    # Read the ACL and write it straight back so it is stored in canonical form
    $aclfix = Get-Acl $path;

    Set-Acl $path $aclfix;

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NetworkService', 'FullControl', 'Allow');
    # Apply the rule to every subdirectory under the starting directory
    foreach ($file in $(Get-ChildItem $StartingDir -Recurse | ?{ $_.PSIsContainer })) {
        Write-Host 'Setting ACL for: '$file.FullName;

        $Acl = Get-Acl $file.FullName;
        # Fix canonical form in ACL
        $Acl.SetAccessRule($rule);

        Set-Acl $file.FullName $Acl;};

    I only applied this to the parent directory and it all worked.

    • Thanks Shaun: your version of the script worked on Microsoft Windows Server 2016 Datacenter/10.0.14393.0 – Microsoft/iis Docker image with WebDeploy 3.6.
      Anyway it’s still annoying that I have to deploy the website twice and that this error still exists in 2018.

  5. Fantastic yet simple solution! It applies not only for dockerized apps but for any release pipeline configured in TFS for example. I’ve put this script prior to the final step of the release definition and now we don’t get failed releases for this error anymore.


© 2018 Fluent Bytes
