IIS 7.5 Application Pools: Understanding default identity “ApplicationPoolIdentity”

In former versions of IIS the default identity for application pools was “NetworkService“. Using this option, the application pool runs under the built-in and low-privileged Windows identity “NETWORKSERVICE“. The disadvantage of this (old default) option is that multiple services using the Windows identity “NETWORKSERVICE” are not isolated from each other, i.e. services could theoretically read, write or execute files of the other services.

In IIS 7 the concept of application pool identities (“ApplicationPoolIdentity“) was introduced and became the default identity for application pools in IIS 7.5. Using this identity Windows runs each application pool under a automatically created virtual account. Please note, that this virtual account is not listed in Windows User Management Console.

To grant these virtual accounts permissions to files or directories, you need to add the (virtual) identities to a file’s or directories Access Control List (ACL). Therefore use the permission tab of the file or folder and select the account as follows:

  • Set the location to you local machine
  • Set the object’s name to “IIS AppPool\<name of your application pool>

Summarized application pool identities allow system administrator to easily isolate multiple application pools from each other without manually managing accounts and passwords.

Comments

  1. ItchyTheCat

    2008 R2 IIS 7.5 401.3 Fix

    Just as an FYI. After rebuilding servers and spending endless hours troubleshooting a 401.3 error after changing the AppPool identity to a domain account, we came to find out that a GPO was killing IIS. Make sure you test with a server in the “Computer” container and that no GPO’s are changing restricted groups outside of Administrators.

    In our case, NT Authority\Authenticated Users was removed from the local USERS group and it broke IIS complete.

Leave a comment

Your email address will not be published. Required fields are marked *

*