Windows 2003 iis application pool identity
If a developer adds Membership functionality to a web application, ASP.NET will automatically create a database and the necessary tables by using the default connection string in machine. The IIS 7. For this reason you might run into this issue if you are also developing with Visual Studio. Fortunately, the fix for this problem is pretty straightforward. If you want to do this via the command line, execute the following command in an elevated command prompt:
The biggest side effect of loading the user profile can be the temp directory. Everybody can write to this directory. Only DefaultAppPool and Administrators would have write access to this directory.
So why is this a problem? Unfortunately, the Windows operating system supports a feature called "impersonation". Impersonation allows a piece of code to run under an identity different from the identity the process is running as.
Some web application frameworks take advantage of this feature. Classic ASP, for example, executes all code as impersonated. Worker processes running as Network Service access the network as the machine account. Machine accounts are generated when a machine is joined to a domain.
They look like this: The nice thing about this is that network resources like file shares or SQL Server databases can be ACLed to allow this machine account access. The good news is that application pool identities also use the machine account to access network resources.
No changes are required. The biggest compatibility issue with application pool identities is probably earlier guidance documents which explicitly recommend that you ACL resources for Network Service, that is, the default identity of the DefaultAppPool in IIS 6. IIS doesn't load the Windows user profile, but certain applications might take advantage of it anyway to store temporary data.
SQL Express is an example of an application that does this. However, a user profile has to be created to store temporary data in either the profile directory or in the registry hive. The user profile for the Network Service account was created by the system and was always available. However, with the switch to unique application pool identities, no user profile is created by the system. Only the standard application pools DefaultAppPool and Classic .NET AppPool have user profiles on disk. No user profile is created if the Administrator creates a new application pool. However, if you want, you can configure IIS application pools to load the user profile by setting the LoadUserProfile attribute to "true". Application pool identities are a powerful new isolation feature introduced for Windows Server , Windows Vista, and later versions of Windows.
It will make running IIS applications even more secure and reliable. For every application pool you create, the Identity property of the new application pool is set to ApplicationPoolIdentity by default. The IIS Admin Process (WAS) will create a virtual account with the name of the new application pool and run the application pool's worker processes under this account by default.
To use this virtual account when running IIS 7. Here is how: Open the Application Pools node underneath the machine node. Select the application pool you want to change to run under an automatically generated application pool identity.
Select the Identity list item and click the ellipsis (the button with the three dots). Select the Built-in account button, and then select the identity type ApplicationPoolIdentity from the combo box. To do the same step by using the command line, you can call the appcmd command-line tool the following way: Whenever a new application pool is created, the IIS management process creates a security identifier (SID) that represents the name of the application pool itself.
From this point on, resources can be secured by using this identity. However, the identity is not a real user account; it will not show up as a user in the Windows User Management Console. By doing this, the file or directory you selected will now also allow the DefaultAppPool identity access. The following example gives full access to the DefaultAppPool identity.
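The steps above (switching a pool to ApplicationPoolIdentity, deciding whether to load a user profile, and ACLing content for the pool's virtual account) as one added PowerShell example; this is not code from the original article. It assumes the WebAdministration module is available, the session is elevated, and the pool name and content directory are placeholders.

```powershell
# Added example, not from the original article. Assumes IIS with the
# WebAdministration module and an elevated PowerShell session.
Import-Module WebAdministration

$poolName   = 'DefaultAppPool'      # placeholder: the pool to reconfigure
$contentDir = 'C:\inetpub\wwwroot'  # placeholder: content the pool must read

# 1. Run the pool under its automatically generated virtual account.
#    Equivalent appcmd call:
#    appcmd set config /section:applicationPools /[name='DefaultAppPool'].processModel.identityType:ApplicationPoolIdentity
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value ApplicationPoolIdentity

# 2. Load a user profile only if the application really needs one (e.g. SQL Express).
#    Leaving it off avoids creating a profile directory and registry hive per pool.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.loadUserProfile -Value $false

# 3. Grant the pool identity read/execute on its content. The principal name is
#    "IIS AppPool\<poolname>"; it is a virtual account backed by the pool's SID and
#    never shows up in the Windows user management console.
#    (OI)(CI) make the entry inherit to files and subfolders; RX = read and execute.
icacls $contentDir /grant "IIS AppPool\${poolName}:(OI)(CI)RX"

# 4. Verify: identity type, profile setting, and the ACL entry for the pool.
$pm = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
"{0}: identityType={1} loadUserProfile={2}" -f $poolName, $pm.identityType, $pm.loadUserProfile
icacls $contentDir | Select-String "IIS AppPool\\$poolName"
```

Granting RX rather than full control keeps the pool's worker process from modifying its own content, which limits what a compromised application can change on disk.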
On Windows 7 and Windows Server R2, and later versions of Windows, the default is to run application pools as the application pool identity. To make this happen, a new identity type with the name "AppPoolIdentity" was introduced. With every other identity type, the security identifier will only be injected into the access token of the process. If the identifier is injected, content can still be ACLed for the ApplicationPoolIdentity, but the owner of the token is probably not unique.
Using the Network Service account in a domain environment has a great benefit. Worker processes running as Network Service access the network as the machine account.