IIS 7 & IIS 8
use ApplicationPoolIdentity to connect to SQL
Last post May 21, 2012 09:50 AM by atran1978
Jan 16, 2012 07:57 AM
Use Process Monitor
http://blogs.iis.net/davcox/archive/2009/08/12/what-is-my-iis-code-running-as.aspx "Who is my IIS application process identity?"
Then look at SQL Server.
Jan 16, 2012 11:26 AM
Jan 16, 2012 11:43 AM
You may have issues. It may sometimes lose its impersonation with the machine account.
Process Monitor and IIS Server information:
http://learn.iis.net/page.aspx/202/application-pool-identity-as-anonymous-user/ "Application Pool Identity as Anonymous User"
http://learn.iis.net/page.aspx/624/application-pool-identities/ Application Pools.
http://learn.iis.net/page.aspx/139/iis7-and-above-security-improvements/ IIS Security and above.
Jan 16, 2012 12:12 PM
Jan 17, 2012 02:41 AM
You might have issues with the Application Pool and Identity for IIS Server.
The install for IIS server uses the "default" basic settings.
The SQL Server products are not part of IIS Server.
"to connect to SQL Server" is the other part of the question.
May 02, 2012 06:54 AM
I've just run into a similar situation. I found the two following links which provide quite a lot of detail around the virtual accounts (used to create the AppPoolIdentity) and managed service accounts (an alternate to using a normal account to run the
This link details information about configuring service accounts and permissions.
The point I got from these two articles is that the AppPoolIdentity will use the computer account to authenticate when connecting to another network service, i.e. the <computer name>$; however, what is not pointed out is that to have a computer account the machine must be a member of an Active Directory domain.
The reason for this is a computer account is the security principal a machine is assigned when it is joined to a domain, therefore if you want to use virtual accounts to connect to a remote service, such as SQL Server, you need to be a domain member. Likewise, if you want to use a managed service account it looks as though you must also be a domain member as the account is managed by Active Directory (there's a number of requirements around domain functional, which leads me to believe this).
I'm not sure if this is relevant for other people on here having problems. From what I can see if you have a standalone machine and you want IIS to connect to another service which requires authentication you need to create a user account on the local machine which will be used to run the App Pool.
May 02, 2012 07:53 AM
The problem that I have is that it all works well (all servers are in AD) until I do an "iisreset". After iisreset, "ApplicationPoolIdentity" fails/loses its impersonation to the machine$ account.
Maybe a bug?
I currently have to use "Network Service" instead of "ApplicationPoolIdentity". Network Service always impersonates well to the machine$ account.
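For the domain-joined case discussed in the two posts above, an added example (not written by any poster in this thread) that gives the web server's computer account a least-privilege SQL Server login and then shows which identity each connection actually arrived as, for instance after an iisreset. The domain CONTOSO, web server WEB01 and database AppDb are hypothetical names.

```sql
-- Added example. Hypothetical names: domain CONTOSO, web server WEB01, database AppDb.
-- Over the network, ApplicationPoolIdentity authenticates as the computer
-- account, which SQL Server sees as CONTOSO\WEB01$.

-- 1. Create a Windows login for the web server's computer account.
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\WEB01$')
    CREATE LOGIN [CONTOSO\WEB01$] FROM WINDOWS WITH DEFAULT_DATABASE = [AppDb];
GO

-- 2. Map the login to a database user and grant only what the site needs
--    (read-only here). Do not add the machine account to sysadmin or db_owner.
USE AppDb;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\WEB01$')
    CREATE USER [CONTOSO\WEB01$] FOR LOGIN [CONTOSO\WEB01$];
-- ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later;
-- on older versions use: EXEC sp_addrolemember 'db_datareader', 'CONTOSO\WEB01$';
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\WEB01$];
GO

-- 3. Check which identity the web server's connections really used.
--    login_name should be CONTOSO\WEB01$ and auth_scheme KERBEROS or NTLM.
--    host_name is reported by the client, so treat it as a filter, not as proof.
SELECT s.session_id,
       s.login_name,
       s.original_login_name,
       s.host_name,
       s.program_name,
       c.auth_scheme,
       s.login_time
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
     ON c.session_id = s.session_id
WHERE s.host_name = N'WEB01'
ORDER BY s.login_time DESC;
```

The computer account is shared by every application pool virtual account, Network Service and LocalSystem on that server, so this login gives the same database access to anything on WEB01 running under those identities.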
May 21, 2012 06:43 AM
May 21, 2012 09:50 AM