Dela via


Executing IIS7 Requests via Application Pool Identity as Anonymous User

This is handy article I want to keep around for reference. The original thread can be here

In prior versions of IIS, the anonymous user allowed classic ASP content to be isolated by using a different anonymous user for each site. Isolation was accomplished by preventing ASP scripts from reverting back to the process identity, called the "impersonation sandbox". In mixed environments where you use classic ASP, ASP.NET and other dynamic content, the impersonation sandbox is not as helpful. For instance, ASP.NET uses a different isolation technique called Trust Levels and always runs as the process identity, unless you use a different type of impersonation.

To achieve isolation in IIS 7.0, you can run the application pools as separate identities. If no anonymous user account is configured for a Web site, IIS can be configured to automatically use the application pool identity. This can greatly reduce the number of accounts needed for Web sites and make management of the accounts easier.

To configure the Web server to use the application pool identity as the anonymous identity perform one of the following:

  • Open a command prompt and run the following:
    %windir%\system32\inetsrv\appcmd set config -section:anonymousAuthentication /username:"" --password

 

To configure the Web server to use the application pool identity as the anonymous identity using the IIS PowerShell Provider.

  • Open a PowerShell prompt and run the following:
    set-webconfigurationproperty /system.webServer/security/authentication/anonymousAuthentication -name userName -value ""

 

Warning: Enable this feature by setting the anonymous user attribute to a blank string, for example, username="". Removing the element from the applicationHost.config file will result in a different behavior than having a blank string!