WebAD produces web applications to help you manage your Active Directory environment and we’ve used ASP.NET since version 1.0 of the .NET Framework. In that time we’ve seen lots of great innovations in both the IIS hosting platform and the ASP.NET run-time environment. Sometimes these innovations come at a cost of breaking your current application, though, and I wanted to share a couple of insights we’ve garnered when working with Application Pool Identities in IIS 7 and later for Windows Server 2008 SP2 and 2008 R2.
Application Pool Identities are a great addition to IIS and take advantage of the Virtual Account feature introduced in Windows Server 2008 SP2/R2. We always try to follow the principle of least privilege in our application deployment and using the default app pool identity in IIS is a great way to run ASP.NET applications in IIS 7 and 7.5 with least privilege.
NTFS Permissions with the Application Pool Identity
A few quirks arise when working with app pool identities in IIS, though. Since these identities are virtual accounts they don’t really behave the same way all the time as regular service accounts. For example, how do you secure file system resources with NTFS permissions using either the Windows GUI or a tool like ICACLS.exe? A couple of hints should help make it less of a burden to configure the account.
- Use the form “IIS AppPoolApp Pool Name” when adding the account to an NTFS ACL using the Windows GUI
- You may need to invoke your web application (typically by requesting the URL via a browser) to ensure the virtual account is available
- Make sure you change the location in the lookup dialog to the local server and not the domain so that the lookup function can resolve the app pool identity account name
- For remote NTFS file systems, use the machine account form to access remote SQL Server instances, which is thedomain_namemachine-name$, where domain_name is the domain of the ASP.NET server and machine_name is your Web server name
SQL Server (and Express Edition) with the Application Pool Identity
You may need to provide access to SQL Server for your application pool identity. Create a login for the identity and then you can create a user in the database catalog(s) to which you want to grant access.
- Use the form “IIS AppPoolApp Pool Name” when creating the login in a local SQL Server database instance
- Use the machine account form to access remote SQL Server instances, which is the domain_namemachine-name$, where domain_name is the domain of the ASP.NET server and machine_name is your Web server name