Application pool pros: You don't have to be a .NET programmer to understand what's going on. The security aspect leaves the domain of the programmer and falls under the remit of infrastructure. Easy to change through IIS, with proper safety checks that the username is correct when setting up the app pool, i.e. it won't let you enter an incorrect username.
Impersonation pros: Privileges can be documented and traced back through changes to configuration via source control history, if configuration files are stored there.
Impersonation cons: To change the user, you need to be familiar with .NET configuration rather than just setting up a website. Not sure I can think of much else. My gut says to go with different application pools for each of the websites, but it's your party.
@Tasmey I think there is a misunderstanding here. Please reread the posts above. We are talking about the automatic impersonation (by Windows/IIS) of the "ApplicationPoolIdentity" or "Network Service" account to the machine$ account.
HCamper
8048 Posts
Re: use ApplicationPoolIdentity to connect to SQL
Jan 16, 2012 07:57 AM
Hello,
Use Process Monitor http://www.iislogs.com/articles/processmonitorw3wp/
read this http://blogs.iis.net/davcox/archive/2009/08/12/what-is-my-iis-code-running-as.aspx "Who is my IIS application process identity?"
Then look at SQL Server.
Martin
Community Member Award 2011
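The check suggested above (which account w3wp.exe really runs as, and what SQL Server sees arriving from the web server), as an added PowerShell example that is not code from any of the posters. It assumes an app pool named "MyAppPool", a web server with IIS 7.5 or later (WebAdministration module), and a SQL Server default instance on host SQL01 reached with the Windows account running the script, which needs VIEW SERVER STATE for the DMV query; all of those names are placeholders.

```powershell
# Added example for this thread, not code from any of the posters. Assumptions: app pool
# "MyAppPool", run on the web server (IIS 7.5+) as an administrator, SQL Server default
# instance on host SQL01, reached with the Windows account running the script.
param(
    [string]$PoolName  = 'MyAppPool',
    [string]$SqlServer = 'SQL01'
)
Import-Module WebAdministration

# 1. Configured identity versus the account the worker process is really running as.
#    identityType 2 = NetworkService, 3 = SpecificUser, 4 = ApplicationPoolIdentity.
$pm = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
"Configured: identityType={0} userName='{1}'" -f $pm.identityType, $pm.userName

Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
    # w3wp.exe is started with -ap "<pool name>", so the command line ties a PID to its pool.
    $pool  = if ($_.CommandLine -match '-ap "([^"]+)"') { $Matches[1] } else { '?' }
    $owner = $_.GetOwner()
    "w3wp PID {0,-6} pool {1,-20} runs as {2}\{3}" -f $_.ProcessId, $pool, $owner.Domain, $owner.User
}
# Expected: 'IIS APPPOOL\MyAppPool' for the virtual account, 'NT AUTHORITY\NETWORK SERVICE'
# for Network Service. Both present DOMAIN\<computer>$ to SQL Server over the network.

# 2. What SQL Server actually sees from this host. A login_name of
#    'NT AUTHORITY\ANONYMOUS LOGON', or no row at all plus failures in step 3, means the
#    computer credentials never reached the server.
$query = @"
SET NOCOUNT ON;
SELECT s.login_name, c.auth_scheme, s.program_name, s.login_time
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE s.host_name = N'$env:COMPUTERNAME';
"@
sqlcmd -S $SqlServer -E -W -Q $query

# 3. Recent failed logins in the current SQL Server error log (log 0, type 1 = SQL log).
sqlcmd -S $SqlServer -E -W -Q "EXEC xp_readerrorlog 0, 1, N'Login failed'"
```

Browse the site first so the pool has an open connection, run the script, then run `iisreset`, browse again and run it a second time; the login_name and auth_scheme (NTLM or KERBEROS) in step 2 should be identical before and after. If step 2 shows nothing and step 3 shows "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'", the worker process is not presenting the computer account at all, which is a different problem from the account lacking a SQL login.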
atran1978
8 Posts
Re: use ApplicationPoolIdentity to connect to SQL
Jan 16, 2012 11:26 AM
HCamper
8048 Posts
Re: use ApplicationPoolIdentity to connect to SQL
Jan 16, 2012 11:43 AM
Hello,
You may have issues. It may sometimes lose its impersonation with the machine account.
Process Monitor and IIS Server information:
http://learn.iis.net/page.aspx/202/application-pool-identity-as-anonymous-user/ "Application Pool Identity as Anonymous User"
http://learn.iis.net/page.aspx/624/application-pool-identities/ Application Pools.
http://learn.iis.net/page.aspx/139/iis7-and-above-security-improvements/ IIS Security and above.
Regards,
Martin
atran1978
8 Posts
Re: use ApplicationPoolIdentity to connect to SQL
Jan 16, 2012 12:12 PM
HCamper
8048 Posts
Re: use ApplicationPoolIdentity to connect to SQL
Jan 17, 2012 02:41 AM
Hello,
You might have issues with the Application Pool and Identity for IIS Server.
The install for IIS server uses the "default" basic settings.
The SQL Server products are not part of IIS Server.
To connect to SQL Server is the other part of the question.
Martin
Marka2020
1 Post
Re: use ApplicationPoolIdentity to connect to SQL
May 02, 2012 06:54 AM
Hi,
I've just run into a similar situation. I found the two following links, which provide quite a lot of detail around the virtual accounts (used to create the AppPoolIdentity) and managed service accounts (an alternative to using a normal account to run the service):
http://technet.microsoft.com/en-us/library/dd548356.aspx
This link details information about configuring service accounts and permissions.
http://msdn.microsoft.com/en-us/library/ms143504.aspx
The point I got from these two articles is that the AppPoolIdentity will use the computer account to authenticate when connecting to another network service, i.e. the <computer name>$; however, what is not pointed out is that to have a computer account the machine must be a member of an Active Directory domain.
The reason for this is that a computer account is the security principal a machine is assigned when it is joined to a domain; therefore, if you want to use virtual accounts to connect to a remote service, such as SQL Server, you need to be a domain member. Likewise, if you want to use a managed service account it looks as though you must also be a domain member, as the account is managed by Active Directory (there's a number of requirements around domain functional level, which leads me to believe this).
I'm not sure if this is relevant for other people on here having problems. From what I can see, if you have a stand-alone machine and you want IIS to connect to another service which requires authentication, you need to create a user account on the local machine which will be used to run the App Pool.
Regards,
Mark
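The two configurations Mark describes (domain member: keep the virtual account and give the computer account a SQL login; stand-alone machine: run the pool as a local user), as an added PowerShell example that is not code from any of the posters. It assumes web server WEB01 in domain CONTOSO, app pool "MyAppPool", a SQL Server default instance on host SQL01 and database AppDb; the mirrored-local-account step for the stand-alone case (same user name and password on both machines, matched by NTLM) is the usual workgroup approach and is an assumption here, not something the thread states.

```powershell
# Added example for this thread, not code from any of the posters. Assumptions: web server
# WEB01 in domain CONTOSO, app pool "MyAppPool", SQL Server default instance on host SQL01,
# database AppDb. Run on the web server as an administrator; sqlcmd connects to SQL01 with
# the Windows account running the script, which must be allowed to create logins there.
param(
    [string]$PoolName  = 'MyAppPool',
    [string]$SqlServer = 'SQL01',
    [string]$Database  = 'AppDb',
    [string]$Domain    = 'CONTOSO',
    [switch]$Standalone,                 # web server is not a domain member
    [string]$LocalUser = 'svc_myapp'     # only used with -Standalone
)
Import-Module WebAdministration

if (-not $Standalone) {
    # Domain member: keep the virtual account. On the network it authenticates as the computer
    # account, so that is the principal SQL Server must know (identityType 4 = ApplicationPoolIdentity).
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.identityType -Value 4
    $principal = "$Domain\$env:COMPUTERNAME`$"
}
else {
    # Workgroup: there is no computer account for SQL01 to recognise, so run the pool as a local
    # user and create a local user with the same name and password on SQL01; NTLM matches the pair.
    $secure = Read-Host -AsSecureString "Password for .\$LocalUser (use the same one on $SqlServer)"
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    net user $LocalUser > $null 2>&1
    if ($LASTEXITCODE -ne 0) {
        net user $LocalUser $plain /add /passwordchg:no /expires:never | Out-Null
    }
    # identityType 3 = SpecificUser; IIS stores the password encrypted in applicationHost.config.
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel `
        -Value @{ identityType = 3; userName = ".\$LocalUser"; password = $plain }
    $principal = "$SqlServer\$LocalUser"   # the mirrored local account as SQL01 names it
    Write-Warning "Create the same account on ${SqlServer}: net user $LocalUser <password> /add"
}

# Give the principal a login and only the database rights the application needs.
# sp_addrolemember is used so this also runs on SQL Server 2008 (ALTER ROLE ... ADD MEMBER is 2012+).
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$principal')
    CREATE LOGIN [$principal] FROM WINDOWS WITH DEFAULT_DATABASE = [$Database];
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$principal')
    CREATE USER [$principal] FOR LOGIN [$principal];
EXEC sp_addrolemember N'db_datareader', N'$principal';
EXEC sp_addrolemember N'db_datawriter', N'$principal';
"@
sqlcmd -S $SqlServer -E -b -Q $sql
if ($LASTEXITCODE -ne 0) { throw "Login/user setup failed on $SqlServer" }

Restart-WebAppPool $PoolName
"App pool '$PoolName' now connects to $SqlServer as $principal"
```

With either branch the web.config needs no credentials and no `<identity impersonate="true">`: a connection string of the form `Data Source=SQL01;Initial Catalog=AppDb;Integrated Security=SSPI` is enough, and the database sees the principal the script created. In a workgroup the administrator running the script usually has no matching account on SQL01 either, so replace `-E` on the sqlcmd calls with `-U`/`-P` for a SQL login that holds securityadmin, and create the mirrored `svc_myapp` account on SQL01 before restarting the pool.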
atran1978
8 Posts
Re: use ApplicationPoolIdentity to connect to SQL
May 02, 2012 07:53 AM
The problem that I have is that it all works well (all servers are in AD), until I do an "iisreset". After iisreset, "ApplicationPoolIdentity" fails/loses its impersonation to the machine$ account.
Maybe a bug?
I currently have to use "Network Service" instead of "ApplicationPoolIdentity". Network Service always impersonates well to the machine$ account.
Tasmey
69 Posts
Re: use ApplicationPoolIdentity to connect to SQL
May 21, 2012 06:43 AM
atran1978
8 Posts
Re: use ApplicationPoolIdentity to connect to SQL
May 21, 2012 09:50 AM