IT:AD:IIS:HowTo:Manage/AppPool Identities

  • Everything you wanted to know about AppPool Identities
  • About ApplicationPoolIdentity:
  • About IIS_IUSRS:
    • MSDN
    • The IIS7 IUSR built-in account replaces the IIS6 IUSR_MachineName account.
    • The IIS7 IIS_IUSRS built-in group replaces the IIS6 IIS_WPG group.
    • In machine.config you'll see that IIS7 uses IUSR for all anonymous authentication requests.

Example:

<anonymousAuthentication enabled="true" userName="IUSR" defaultLogonDomain="" />

Pros:

  • You can use IUSR to set NTFS permissions.
  • IUSR has no password (same as LOCALSERVICE or NETWORKSERVICE), so there is no expiring password to worry about.
  • As IUSR has the same SID on all machines, you can XCOPY files and their ACL permissions to different computers seamlessly.

Considerations:

  • IUSR is similar to LOCALSERVICE in that it doesn't have the same network privileges as NETWORKSERVICE and LOCALSYSTEM.
    • If you need the anonymous account to have rights on the network, you must create a new user account and set the user name and password manually, as you did in the past for anonymous authentication.
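
As an added example (not from the original page), this PowerShell function reads a constructed configuration fragment and reports which identity anonymous requests run as at each scope, covering the IUSR default and the custom-account case described above. The site names, the EXAMPLE\svc-anon account, the placeholder password and the function name Get-AnonymousIdentity are assumptions made for the illustration.

```powershell
# Constructed sample fragment (not from a real server): a server-wide default
# plus two per-site overrides inside <location> blocks.
[xml]$config = @'
<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" defaultLogonDomain="" />
  </authentication></security></system.webServer>
  <location path="Intranet"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="" />
  </authentication></security></system.webServer></location>
  <location path="Reports"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="EXAMPLE\svc-anon" password="PLACEHOLDER" />
  </authentication></security></system.webServer></location>
</configuration>
'@

# Hypothetical helper: one row per <anonymousAuthentication> element.
function Get-AnonymousIdentity {
    param([xml]$Xml)
    foreach ($node in $Xml.SelectNodes('//anonymousAuthentication')) {
        # Name the scope after the enclosing <location>, if there is one.
        $location = $node.SelectSingleNode('ancestor::location')
        $scope = if ($null -ne $location) { $location.GetAttribute('path') } else { '(server default)' }
        $user = $node.GetAttribute('userName')   # empty string when absent
        $kind = if ($user -eq 'IUSR') {
            'built-in IUSR: no password, no network rights'
        } elseif ($user -eq '') {
            'empty userName: runs as the application pool identity'
        } else {
            'custom account: password must be set and maintained'
        }
        [pscustomobject]@{
            Scope       = $scope
            Enabled     = $node.GetAttribute('enabled')
            UserName    = $user
            HasPassword = $node.HasAttribute('password')
            Identity    = $kind
        }
    }
}

Get-AnonymousIdentity -Xml $config | Format-Table -AutoSize
```

Rows reported as a custom account are the ones to track for password rotation and for the NTFS and network rights granted to that account.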
  • Last modified: 2023/11/04 01:45