Categories: MDS

Master Data Services error – Cannot read configuration file due to insufficient permissions

In preparation of my upcoming webinar on the new features of Master Data Services 2016, I installed MDS on my system. Otherwise it would be quite hard to give demos, of course. The installation itself went quite smooth, no remarks there. I also enabled Internet Information Services (IIS) on my system, as well as a number of required prerequisites. Of course I forgot a few, but to be honest, the MDS Configuration Manager has become quite good at telling you which ones are missing.

Side note: Matt Smith has a PowerShell script in Github that will install all of the prerequisites for you!

Next I had to install and configure the MDS database, which was quite painless, as usual. But then comes the tricky part: adding the MDS website. First I created a new website using the MDS Configuration Manager, but that did not work. At all. For some reason, IIS searched for the MDS website at …\inetpub\wwwroot\MDS, instead of at the MDS installation folder in Program Files. So I deleted the website and assigned MDS to the default website. That also didn’t work, but this time I got a different error:

The error seemed quite clear: Cannot read configuration file due to insufficient permissions. Just to be sure, I added the user MDSAppPool – created in the MDS Configuration Manager for the MDS Application Pool – to the Administrators group on the machine. A brute-force solution, but since it’s on my own machine for demo purposes, I didn’t really care. Of course it didn’t work. Then I assigned full control permissions for the MDSAppPool user on the folder C:\Program Files\Microsoft SQL Server\130\Master Data Services. Didn’t work. Used the browser in Administrator modus. Also didn’t work. Checked IIS settings and discovered that Windows Authentication was not enabled. So I enable it, but the error persists. This is the point where it all starts to get frustrating. Adding MDSAppPool to the IIS_IUSRS group doesn’t work. Giving that group full control on the MDS directory either.

As a last attempt, I went directly to the web.config file and assigned MDSAppPool full control directly on that file, for which I had to pass numerous UAC verifications. But lo and behold, the MDS website worked!

Conclusion: if you encounter a permission issue on the web.config file, directly assign permissions to it for the MDS application pool user. Adding the user to the admin group does not work, for whatever reason.


------------------------------------------------
Do you like this blog post? You can thank me by buying me a beer 🙂
Koen Verbeeck

Koen Verbeeck is a Microsoft Business Intelligence consultant at AE, helping clients to get insight in their data. Koen has a comprehensive knowledge of the SQL Server BI stack, with a particular love for Integration Services. He's also a speaker at various conferences.

View Comments

    • Hi,

      Could you please show me the changes you did to the file to assign MDSAppPool full control? Thank you!

  • Hello Koen,
    I'm having the same issue. I have MDS 2014, not so long ago I changed the super user account through the usertable in the MDSDB database. Then I was still getting activity from this account. I noticed it was because the MDS application pool still had the old account. I changed it to the new, and I'm getting this same error.

    "Failed to start monitoring changes to 'C:\Program Files\Microsoft SQL Server\110\Master Data Services\WebApplication\admin\web.config' because access is denied."

    Can you please show me the changes you did to the file to assign MDSAppPool full control? Thank you!

    • You go to the file, go to permissions and give the account you configured for the MDSAppPool full permissions.

  • I misunderstood. I thought you changed some config inside the file. I changed the account running the MDS pool. I'm getting the error MDS can't access: “C:\Program Files\Microsoft SQL Server\110\Master Data Services\WebApplication\Admin\web.config" file. I managed to have the service account to own the admin folder. Now, I don't see this file at all. Any idea about this?

  • Thank you for this post. I ran into the same problem and it helped me solve it. I did not give full permissions though, it was enough to tick "Modify" in addition to the default "read" rights.

Share
Published by
Koen Verbeeck

Recent Posts

Free webinar – Tackling the Gaps and Islands Problem with T-SQL Window Functions

I'm hosting a free webinar at MSSQLTips.com at the 19th of December 2024, 6PM UTC.…

5 days ago

dataMinds Connect 2024 – Session Materials

The slides and scripts for my session "Tackling the Gaps & Islands Problem with T-SQL…

4 weeks ago

Connect to Power BI as a Guest User in another Tenant

Sometimes your Microsoft Entra ID account (formerly known as Azure Active Directory) is added as…

2 months ago

How to use a Script Activity in ADF as a Lookup

In Azure Data Factory (ADF, but also Synapse Pipelines and Fabric Pipelines), you have a…

4 months ago

Database Build Error – Incorrect syntax near DISTINCT

I wrote a piece of SQL that had some new T-SQL syntax in it: IS…

4 months ago

Speaking at dataMinds Connect 2024

I'm very excited to announce I've been selected as a speaker for dataMinds Connect 2024,…

5 months ago