Windows Authentication with Network Service/ ApplicationPoolIdentity when is user Identity used?

Question

Referencing below link:

https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

I am trying to get a better understanding of when the Network Service Identity is used vs the user Identity on the server to access files. Or if the user Identity is even used at all. It was my original understanding that with Windows Authentication the application will use the authenticated user's permissions to gain access to the application directory as well as other directories the user has permission to.

While setting up my application in IIS 7.0, I see that when the application pool identity is set to use the ApplicationPoolIdentity it relies on permissions granted to this virtual account while being accessed.

When would the application rely on the application pool/network Identity vs the user's Identity (if at all).

I am using ASP.NET MVC4

Answer 1

For asp.net,default identity IIS will use be the application pool identity.It comes from this Application Pool identity you have set here

You can override this setting with "Enabling ASP.NET impersonation"

Edit: - More detailed version.

Your asp.net code runs under Application Pool's identity by default but the static files(html,js,css etc) will be using the user credentials coming in the Authentication setting.

• If you are using Anonymous Authentication,asp.net code will run under Application Pool Identity and static files will use IUSR setting coming from here

• If you are using Windows Authentication,then asp.net will still use Application Pool identity and static files will use the incoming login user's crednetails.

• At anytime you can change the Asp.net impersonation to use the Incoming user credential(Anonymous or Windows or basic authentication).

Basically asp.net will be using the running process (w3wp.exe identity) which is application pool identity.

Hope it clears!