IIS7.5 Domain Account Application Pool Identity for SQL Server Authentication


Solution 1

Yes, the domain account will be added under Custom account, under Advanced Settings -> Identity. The information below is from Understanding the Built-In User and Group Accounts in IIS 7.0:

IIS 7.0 automatically adds the IIS_IUSRS membership to the worker processes token at runtime. By doing this, accounts that have been defined to run as 'application pool identities' no longer need to explicitly be part of the IIS_IUSRS group.

If you want to disable this feature and manually add accounts to the IIS_IUSRS group, disable this new feature by setting the manualGroupMembership value to 'true'. Below is an example of how this can be done to the defaultAppPool:

<!-- applicationHost.config, inside <system.applicationHost> -->
<applicationPools>
    <add name="DefaultAppPool">
        <!-- true = IIS no longer adds IIS_IUSRS to the worker process token; add the account to the group yourself -->
        <processModel manualGroupMembership="true" />
    </add>
</applicationPools>

Solution 2

I had the same problem adding the custom account to IIS7, after several iterations.

I went back to Control Panel --> User Accounts --> Manage User Accounts --> Advanced --> Users, double-clicked the user name that I wanted to add as a custom account, and made sure that the account was neither disabled nor locked out. After changing the setting to "password never expires", it worked perfectly.
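The two answers above describe the same procedure by hand: set the pool's identity to a Custom account (Solution 1, no group membership needed since IIS 7 adds IIS_IUSRS at runtime) and make sure the account itself is enabled, not locked out, and not password-expired (Solution 2). The script below is an added example, not code from either answer or from Microsoft; it assumes a pool named DefaultAppPool and a hypothetical service account CONTOSO\svc-webapp, and it needs the WebAdministration module (installed with IIS) and the ActiveDirectory RSAT module on the web server.

```powershell
# Added example (not from the original answers): run an IIS 7.5 application
# pool as a least-privilege domain service account and verify the account
# state first. Assumed names: CONTOSO\svc-webapp (account), DefaultAppPool.

Import-Module WebAdministration
Import-Module ActiveDirectory

$PoolName = 'DefaultAppPool'
$Account  = 'CONTOSO\svc-webapp'   # the DOMAIN\ prefix is required; without it IIS reports an invalid password
$Password = Read-Host -AsSecureString -Prompt "Password for $Account"

# 1. Pre-flight (Solution 2): a disabled, locked-out, or password-expired account
#    fails the identity check even when the typed password is correct.
$sam  = $Account.Split('\')[1]
$user = Get-ADUser -Identity $sam -Properties Enabled, LockedOut, PasswordExpired
if (-not $user.Enabled -or $user.LockedOut -or $user.PasswordExpired) {
    throw "Account $Account is disabled, locked out, or has an expired password; fix that before setting the pool identity"
}

# 2. Set the pool identity to a 'Custom account' (identityType = SpecificUser).
#    IIS stores the password encrypted in applicationHost.config.
$plain = [System.Net.NetworkCredential]::new('', $Password).Password
Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Account
    password     = $plain
}
Remove-Variable plain   # do not keep the clear-text password in the session

# 3. Recycle the pool and confirm the worker process identity that IIS will use.
Restart-WebAppPool -Name $PoolName
$pm = Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel
"{0}: identityType={1} userName={2}" -f $PoolName, $pm.identityType, $pm.userName
```

No group membership is added for the account: as Solution 1 quotes, IIS 7 injects IIS_IUSRS into the worker process token unless manualGroupMembership is set to true. On the SQL Server side the same domain account is granted a Windows login (CREATE LOGIN [CONTOSO\svc-webapp] FROM WINDOWS) and only the database permissions the application needs, so the connection string can stay at Integrated Security=SSPI with no password in web.config.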

Updated on September 17, 2022

Comments

  • Admin (over 1 year ago)

    In Windows Server 2003/IIS6 land we typically create an app pool that runs as the identity of an AD account created with minimal privileges simply for that purpose. This same domain user would also be granted access to SQL Server so that any ASP.NET application in that app pool would be able to connect to SQL Server with Integrated Security=SSPI.

    We are making a brave move to the world of Windows Server 2008 R2/IIS7.5 and are looking to replicate this model, but I am struggling with how to make the application pool in IIS7.5 run as the identity of an AD account. I know this sounds simple, and hopefully it is, but my attempts so far have been fruitless.

    • Should the application pool identity be a 'Custom account' for a domain account?
    • Does the domain account need to be added to any groups?
    • Ryan Fisher (about 14 years ago)
      Have you considered moving towards a delegated model? Don't know what your size/needs are, but delegation has some good security benefits, trade-off being additional complexity in setup.
  • m4m (about 14 years ago)
    @Vivek - when I try to add the user under Custom account I get 'The specified password is invalid. Type a new password'. I am entering the password for the domain user (tried several times) - the password contains many special chars - does IIS have its own password policy that could be different from our domain?
  • m4m (about 14 years ago)
    @Vivek - doh! It needed the DOMAIN\ prefix before the account name - working as expected now - many thanks!