Categories: MDS

Master Data Services error – Cannot read configuration file due to insufficient permissions

In preparation of my upcoming webinar on the new features of Master Data Services 2016, I installed MDS on my system. Otherwise it would be quite hard to give demos, of course. The installation itself went quite smooth, no remarks there. I also enabled Internet Information Services (IIS) on my system, as well as a number of required prerequisites. Of course I forgot a few, but to be honest, the MDS Configuration Manager has become quite good at telling you which ones are missing.

Side note: Matt Smith has a PowerShell script in Github that will install all of the prerequisites for you!

Next I had to install and configure the MDS database, which was quite painless, as usual. But then comes the tricky part: adding the MDS website. First I created a new website using the MDS Configuration Manager, but that did not work. At all. For some reason, IIS searched for the MDS website at …\inetpub\wwwroot\MDS, instead of at the MDS installation folder in Program Files. So I deleted the website and assigned MDS to the default website. That also didn’t work, but this time I got a different error:

The error seemed quite clear: Cannot read configuration file due to insufficient permissions. Just to be sure, I added the user MDSAppPool – created in the MDS Configuration Manager for the MDS Application Pool – to the Administrators group on the machine. A brute-force solution, but since it’s on my own machine for demo purposes, I didn’t really care. Of course it didn’t work. Then I assigned full control permissions for the MDSAppPool user on the folder C:\Program Files\Microsoft SQL Server\130\Master Data Services. Didn’t work. Used the browser in Administrator modus. Also didn’t work. Checked IIS settings and discovered that Windows Authentication was not enabled. So I enable it, but the error persists. This is the point where it all starts to get frustrating. Adding MDSAppPool to the IIS_IUSRS group doesn’t work. Giving that group full control on the MDS directory either.

As a last attempt, I went directly to the web.config file and assigned MDSAppPool full control directly on that file, for which I had to pass numerous UAC verifications. But lo and behold, the MDS website worked!

Conclusion: if you encounter a permission issue on the web.config file, directly assign permissions to it for the MDS application pool user. Adding the user to the admin group does not work, for whatever reason.


------------------------------------------------
Do you like this blog post? You can thank me by buying me a beer 🙂
Koen Verbeeck

Koen Verbeeck is a Microsoft Business Intelligence consultant at AE, helping clients to get insight in their data. Koen has a comprehensive knowledge of the SQL Server BI stack, with a particular love for Integration Services. He's also a speaker at various conferences.

View Comments

    • Hi,

      Could you please show me the changes you did to the file to assign MDSAppPool full control? Thank you!

  • Hello Koen,
    I'm having the same issue. I have MDS 2014, not so long ago I changed the super user account through the usertable in the MDSDB database. Then I was still getting activity from this account. I noticed it was because the MDS application pool still had the old account. I changed it to the new, and I'm getting this same error.

    "Failed to start monitoring changes to 'C:\Program Files\Microsoft SQL Server\110\Master Data Services\WebApplication\admin\web.config' because access is denied."

    Can you please show me the changes you did to the file to assign MDSAppPool full control? Thank you!

    • You go to the file, go to permissions and give the account you configured for the MDSAppPool full permissions.

  • I misunderstood. I thought you changed some config inside the file. I changed the account running the MDS pool. I'm getting the error MDS can't access: “C:\Program Files\Microsoft SQL Server\110\Master Data Services\WebApplication\Admin\web.config" file. I managed to have the service account to own the admin folder. Now, I don't see this file at all. Any idea about this?

  • Thank you for this post. I ran into the same problem and it helped me solve it. I did not give full permissions though, it was enough to tick "Modify" in addition to the default "read" rights.

Share
Published by
Koen Verbeeck

Recent Posts

Book Review – Agile Data Warehouse Design

I recently read the book Agile Data Warehouse Design - Collaborative Dimensional Modeling, from Whiteboard…

5 days ago

Cloudbrew 2024 – Slides

You can find the slides for the session Building the €100 data warehouse with the…

1 week ago

Book Review – Microsoft Power BI Performance Best Practices

I was asked to do a review of the book Microsoft Power BI Performance Best…

1 month ago

Create a Numbers Table in Power Query

This is a quick blog post, mainly so I have the code available if I…

1 month ago

Microsoft finally adds Tenant Switcher for Fabric / Power BI

Praise whatever deity you believe in, because it's finally here, a tenant switcher for Microsoft…

1 month ago

Book Review – Humanizing Data Strategy by Tiankai Feng

This book was making its rounds on social media, and the concept seems interesting enough…

1 month ago