Why asp.net core app uses different user than AppPool identity for Windows Authentication when connecting to SQL Server?

Question

I have deployed asp.net core 2.2 web app as a WebSite to IIS. I\'ve set the application pool identity to ApplicationPoolIdentity:

[

Answer 1

To clarify this, APPPOOL\MyCustomAppPool, like LocalServer, NetworkService, and per-service SIDs are local identities. They doesn't exist on the domain, and so can't be used to access remote resource. However the server itself has an account on the domain, and when code running under these identities access remote resources, they use the computer account.

If you have multiple app pool identities on a IIS server and need to differentiate their access to network resources, or prevent the accumulation of privileges for the machine account, you will need to provision domain accounts for the app pools.

If you are connecting to a local SQL Server using the app pool identity, the error message will (confusingly) claim that you are connecting with the machine account. This is a deficiency how SQL Server reports the error. EG if I try to connect to my local SQL Server from an IIS app, it will fail with,

Login failed for user 'MyDomain\MyServer$'

until I grant access to the local SQL Sever with

create login [IIS APPPOOL\DefaultAppPool] from windows
create user [IIS APPPOOL\DefaultAppPool] for login [IIS APPPOOL\DefaultAppPool]
grant select to [IIS APPPOOL\DefaultAppPool]