Reputation: 132
We have an active directory domain (let's call it foodomain
) and a domain user account (foodomain\fooAppPoolUser
) used for the IIS application pool identity.
We want to run the app pool under this user account and not under Network Service
or the new AppPoolIdentity
as we have to access SQL server and have multiple applications on IIS (with own app pools) accessing different databases.
The problem is that I can't find a clear HOW-TO explaining, which user rights have to be set for this user account and how IIS has to be setup so that this will work.
First I got errors (unfortunately I can't remember which ones), then I added fooAppPoolUser
to the local admin group (Administrators
, I know, was only to test), then it worked. Now I removed the user again, restarted IIS and it still works.
So I'm confused a bit and would like to know, how the configuration/setup has to be to have it working.
Somwhere I read, that the account needs to have the "Impersonate a client after authentication" user right. That's the reason I added the account to the Admin group (the user rights assignment is blocked via group policy, but this can for sure be changed if really needed.
I hope I was clear enough what the question is and hope somebody has an answer.
Upvotes: 7
Views: 33516
Reputation: 41
The reason why you application worked AFTER removing Administrator rights is that your application was compiled to the Framework temp folder using the administrator rights - Your application worked after removing the administrator rights because the application was compiled. If you update your application and it requires recompilation, the app pool account will need trusts again.
First I got errors (unfortunately I can't remember which ones), then I added fooAppPoolUser to the local admin group (Administrators, I know, was only to test), then it worked. Now I removed the user again, restarted IIS and it still works.
Upvotes: 4
Reputation: 41807
It's frustrating that this information is so hard to find, since some security admins seem to enjoy the cruel and unusual punishment of changing default policy settings to thwart installing apps within IIS.
Here's what I believe you should do to enable an account to work as an ApplicationPool identity:
aspnet_regiis -ga DOMAIN\USER
to add permissions to access the IIS Metabase. (Exactly what that means, who knows?) aspnet_regiis referenceIIS_IUSRS
group. This may be done automatically depending on the IIS configuration setting processmodel.manualGroupMembership but easiest to add it yourself. Negotiate
) then depending on the URL and if kernel-mode auth is on you might need to set up an SPN. I suggest switching to NTLM if possible. Otherwise, see articles below about SPNs and find a friendly domain admin to add them for you. Fun reading:
Upvotes: 9
Reputation: 954
I found the following link answered a similar question I had: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Basically, ApplicationPoolIdentity is a virtual user account that still behaves like NETWORK SERVICE, but without some of the down-sides; each app pool has it's very own ApplicationPoolIdenity account created with it.
More detailed information can also be found that is also specific to IIS 7.5 Application Pool Identities.
Upvotes: -1