

ApplicationPoolIdentity and IIS

Ever faced the requirement of granting permissions on a resource (such as a folder) while your ASP.NET application’s pool is running under ApplicationPoolIdentity? A few points to understand:

  • There is no fixed account for this, so you will not find it among the built-in accounts when trying to set ACL permissions.
  • For each AppPool you have, a new account is created when the AppPool starts. The naming convention is: “IIS APPPOOL\your_app_pool_name”. So if your application is running under “Classic .NET AppPool”, the local user account created is IIS APPPOOL\Classic .NET AppPool.
  • Just grant permissions to this account and you are set to go.
  • The benefit of this approach is that, without the trouble of creating a local user account on the system, you can configure your applications to run under different identities. Different applications can run simultaneously without any possibility of accessing each other’s data. Automatic provisioning also becomes easy.
  • Since this account doesn’t actually exist on the system, there is less chance that you have granted it any other rights, and as a result a hacking threat doesn’t compromise your system.
  • But to make the best use of this feature for such compartmentalized security requirements, you need to run your application under a dedicated custom Application Pool.
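One way to grant a folder permission to the “IIS APPPOOL\your_app_pool_name” account from PowerShell, as an added example that is not part of the original post. The function name, the pool name `MyDedicatedPool` and the folder path are hypothetical; run it from an elevated prompt on the IIS server.

```powershell
# Added example: grant an application pool's identity access to a folder.
# Grant-AppPoolFolderAccess is a hypothetical helper, not an IIS cmdlet.
function Grant-AppPoolFolderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AppPoolName,
        [Parameter(Mandatory)] [string] $Path,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    # Build the account name using the naming convention described above.
    $account = New-Object System.Security.Principal.NTAccount("IIS APPPOOL\$AppPoolName")

    # Confirm the name resolves to a SID before touching the ACL;
    # Translate() throws if the name cannot be mapped (e.g. a typo in the pool name).
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    Write-Verbose "Resolved $($account.Value) to $($sid.Value)"

    # Allow rule that applies to the folder, its subfolders and its files.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $Rights, $inherit, $propagate, $allow)

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return the entries now held by this identity so the caller can review them.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $account.Value } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Usage (hypothetical pool name and folder):
# Grant-AppPoolFolderAccess -AppPoolName 'MyDedicatedPool' -Path 'C:\inetpub\MyAppData' -Verbose
```

Pass `-Rights 'ReadAndExecute'` when the application only needs to read the folder, so the pool identity holds no more rights than it uses.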

Rahul Gangwar