Add IIS 7 AppPool Identities as SQL Server Logons

Question

I m running an IIS 7 Website with an AppPool of Integrated Pipeline Mode  The AppPools does NOT run under NetworkService  etc   identity  by purpose   but uses its own AppPool Identitiy  IIS AppPool MyAppPool    This is a so called service account or virtual account   a user account  which is not a full account      I d like to give this service account  IIS AppPool MyAppPool  permissions to connect to my SQL Server 2008 Express  running in Mixed Auth  Mode    While SQL Server can add any normal user account  the IIS AppPool MyAppPool virtual account cannot be added to the valid logons  SQL Server says  that the account cannot be found    Is there any trick  anything I need to enable to make the virtual accounts work   the w3wp exe process runs under this identity according to taskmgr  but I cannot use the account in NTFS security either      Thanks for your help

User · Accepted Answer

The  IIS APPPOOL AppPoolName  will work  but as mentioned previously  it does not appear to be a valid AD name so when you search for it in the  Select User or Group  dialog box  it won t show up  actually  it will find it  but it will think its an actual system account  and it will try to treat it as such   which won t work  and will give you the error message about it not being found    How I ve gotten it to work is     In SQL Server Management Studio  look for the Security folder  the security folder at the same level as the Databases  Server Objects  etc  folders   not the security folder within each individual database  Right click logins and select  New Login  In the Login name field  type IIS APPPOOL YourAppPoolName - do not click search Fill whatever other values you like  i e   authentication type  default database  etc   Click OK   As long as the AppPool name actually exists  the login should now be created

User · Answer

CREATE LOGIN  IIS APPPOOL MyAppPool  FROM WINDOWS  CREATE USER MyAppPoolUser FOR LOGIN  IIS APPPOOL MyAppPool

User · Answer

You can solve like this   Open  quot Applications Pools quot   You should right click that you have choosed application pool  Then choose  quot Advanced Settings quot   Click three point on the Identity tab then you should choose  quot LocalSystem quot  from field of  quot Built-in-account quot   If you do this way  you don t need to create a user in database

User · Answer

Look at  http   www iis net learn manage configuring-security application-pool-identities  USE master GO sp grantlogin  IIS APPPOOL  lt AppPoolName gt    USE  lt yourdb gt  GO sp grantdbaccess  IIS APPPOOL  lt AppPoolName gt      lt AppPoolName gt   sp addrolemember  aspnet Membership FullAccess     lt AppPoolName gt   sp addrolemember  aspnet Roles FullAccess     lt AppPoolName gt

User · Answer

I figured it out through trial and error    the real chink in the armor was a little known setting in IIS in the Configuration Editor for the website in   Section  system webServer security authentication windowsAuthentication   From  ApplicationHost config  lt locationpath  ServerName SiteName    gt    called useAppPoolCredentials  which is set to False by default  Set this to True and life becomes great again    Hope this saves pain for the next guy

User · Answer

If you re going across machines  you either need to be using NETWORK SERVICE  LOCAL SYSTEM  a domain account  or a SQL 2008 R2  if you have it  Managed Service Account  which is my preference if you had such an infrastructure     You can not use an account which is not visible to the Active Directory domain

User · Answer

In my case the problem was that I started to create an MVC Alloy sample project from scratch in using Visual Studio Episerver extension and it worked fine when executed using local Visual studio iis express   However by default it points the sql database to LocalDB and when I deployed the site to local IIS it started giving errors some of the initial errors I resolved by  1 adding the local site url binding to C  Windows System32 drivers etc hosts  2  Then by editing the application config found the file location by right clicking on IIS express in botton right corner of the screen when running site using Visual studio and added binding there for local iis url  3  Finally I was stuck with  unable to access database errors  for which I created a blank new DB in Sql express and changed connection string in web config to point to my new DB and then in package manager console  using Visual Studio  executed Episerver DB commands like -  1  initialize-epidatabase 2  update-epidatabase  3  Convert-EPiDatabaseToUtc

User · Answer

This may be what you are looking for     http   technet microsoft com en-us library cc730708 28WS 10 29 aspx  I would also advise longer term to consider a limited rights domain user  what you are trying works fine in a silo machine scenario but you are going to have to make changes if you move to another machine for the DB server

User · Answer

As a side note processes that uses virtual accounts  NT Service MyService and IIS AppPool MyAppPool  are still running under the  NETWORK SERVICE  account as this post suggests http   www adopenstatic com cs blogs ken archive 2008 01 29 15759 aspx  The only difference is that these processes are members of the  NT Service MyService  or  IIS AppPool MyAppPool  groups  as these are actually groups and not users   This is also the reason why the processes authenticate at the network as the machine the same way NETWORK SERVICE account does   The way to secure access is not to depend upon this accounts not having NETWORK SERVICE privileges but to grant more permissions specifically to  NT Service MyService  or  IIS AppPool MyAppPool  and to remove permissions for  Users  if necessary   If anyone has more accurate or contradictional information please post

[sql-server] Add IIS 7 AppPool Identities as SQL Server Logons

Examples related to sql-server

Examples related to iis-7