Iis – How to assign active directory permission to the default app pool identity

active-directoryapplication-poolsiis

How can I assign active directory permission to the default app pool identity [IIS APPPOOL{application pool name}]?

I am trying to do this to enable a web application query active directory groups, users and check the existence of a particular user name or group name.

Thanks.

Best Answer

You don't. You can confer permissions to local resources for the IIS APPPOOL{app pool name} identity for local resources per:

How to assign permissions to ApplicationPoolIdentity account

In Active Directory, the identity needs to be either a Well-Known security principal, an actual user/group/computer security principal, or a foreign/trusted security principal.

However, if you use the Network Service identity on the IIS AppPool, the application pool will use the machine account of the IIS server when accessing network resources. In that case, you can confer the necessary permissions to the computer account (domain\computername$) in Active Directory.

http://www.iis.net/learn/manage/configuring-security/application-pool-identities

Related Solutions

Windows Active Directory – Command Line to List Users in a Group

try

dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members

Why is IIS6 using the web site anonymous user account for file access instead of the app pool account

The IUSR and the Network Service account are both used by IIS. Here are my recommendations...

For a public website available to everyone:

The IUSR and Network Service need to have Read access to all the application files (.aspx pages etc.) and dlls for the website. The IUSR would need to have Write access to any folder where the website is writing files (this could be dangerous on a public site). The database would be accessed by a SQL or Network account specified in the web.config in the database connection section.

For a website with Forms Authentication (login via a login page using username and password):

Same as above. The Write access to any folder is now better protected because the person using the website has been authenticated by your application.

For a website using Integrated Authentication:

The user credentials of the authenticated user need to have Read access to all the application files (.aspx pages etc.) and dlls for the website. The user credentials of the authenticated user would need to have Write access to any folder where the website is writing files. The database would be accessed by a SQL or Network account specified in the web.config in the database connection section or by the the user credentials of the authenticated user.

Update The Network Service account (or whatever account you are using for your application pool) and the IUSR work together. It is not always 100% clear to me which account is controlling access to which resources but I do know from experience that you need to have both. The IUSR is used for accessing .aspx pages, image files, static content, etc. The Network Service account accesses the IIS metabase, your application dlls, the .Net framework files, etc. Hope this helps.

Best Answer

Related Solutions

Windows Active Directory – Command Line to List Users in a Group

Why is IIS6 using the web site anonymous user account for file access instead of the app pool account

Related Topic