User rights needed for IIS 7.5 application pool user (domain user, not the AppPoolIdentity)

谁都会走 submitted on 2019-11-30 05:41:49

It's frustrating that this information is so hard to find, since some security admins seem to enjoy the cruel and unusual punishment of changing default policy settings to thwart installing apps within IIS.

Here's what I believe you should do to enable an account to work as an ApplicationPool identity:

  • Run aspnet_regiis -ga DOMAIN\USER to add permissions to access the IIS Metabase. (Exactly what that means, who knows?) aspnet_regiis reference
  • Add the user to the IIS_IUSRS group. This may be done automatically depending on the IIS configuration setting processmodel.manualGroupMembership but easiest to add it yourself.
  • If security policy is using windows defaults that's about it. If the security policy is locked down you may need to enable specific user rights for the account. The ones you have by default for ApplicationPoolIdentities (which seems a good place to start but not necessarily all required):
    • Access this computer from the network
    • Adjust memory quotas for a process
    • Allow log on locally
    • Bypass traverse checking
    • Generate security audit details
    • Impersonate a client after authentication - (Often not available by default on locked-down environments)
    • Log on as a batch job - (Often not available by default on locked-down environments)
    • Log on as a service - (I'm not sure this is needed)
    • Replace a process level token
  • If you're using windows auth and Kerberos (provider=Negotiate) then depending on the URL and if kernel-mode auth is on you might need to set up an SPN. I suggest switching to NTLM if possible. Otherwise, see articles below about SPNs and find a friendly domain admin to add them for you.

Fun reading:

I.T. Action
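The steps in the answer above, carried out as an added PowerShell example (not code from the original answer or from Microsoft's documentation): it registers the account with aspnet_regiis, adds it to IIS_IUSRS, audits the listed user rights against the exported local security policy, and assigns the account to the pool. The account name `CONTOSO\svc-webapp` and pool name `MyAppPool` are placeholders; it assumes PowerShell 3 or later, the 64-bit .NET 4 framework path, and an elevated prompt.

```powershell
# Added example: prepare a domain account as an IIS 7.5 app pool identity.
param(
    [string]$Account  = 'CONTOSO\svc-webapp',   # placeholder account (assumed)
    [string]$PoolName = 'MyAppPool'             # placeholder pool name (assumed)
)

# 1. Register the account with ASP.NET (grants the metabase/temp folder access).
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
& $regiis -ga $Account

# 2. Add the account to the local IIS_IUSRS group. net.exe works on Server 2008 R2,
#    where Add-LocalGroupMember does not exist.
& net localgroup IIS_IUSRS $Account /add

# 3. Audit the user rights listed in the answer. secedit exports the policy as an
#    INF whose [Privilege Rights] section lists SIDs, so resolve the account's SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'secpol.inf'
& secedit /export /cfg $inf | Out-Null
$policy = Get-Content $inf

$rights = [ordered]@{
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeIncreaseQuotaPrivilege      = 'Adjust memory quotas for a process'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeChangeNotifyPrivilege       = 'Bypass traverse checking'
    SeAuditPrivilege              = 'Generate security audits'
    SeImpersonatePrivilege        = 'Impersonate a client after authentication'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}
foreach ($r in $rights.Keys) {
    $line = $policy | Where-Object { $_ -like "$r *" }
    # Direct assignment only: a right inherited through a group such as
    # IIS_IUSRS is listed under the group's SID, not the user's.
    $has = $line -and ($line -match [regex]::Escape("*$sid"))
    '{0,-30} {1,-45} {2}' -f $r, $rights[$r], $(if ($has) { 'granted' } else { 'not granted directly' })
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 4. Point the application pool at the account; the password is prompted for,
#    never stored in the script.
Import-Module WebAdministration
$cred = Get-Credential -UserName $Account -Message 'App pool identity password'
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Account
    password     = $cred.GetNetworkCredential().Password
}
```

A right reported as "not granted directly" may still be effective through group membership; compare the group SIDs on the same INF line before adding it to the user explicitly.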

The reason why your application worked AFTER removing Administrator rights is that your application was compiled to the Framework temp folder using the administrator rights - Your application worked after removing the administrator rights because the application was compiled. If you update your application and it requires recompilation, the app pool account will need trusts again.

First I got errors (unfortunately I can't remember which ones), then I added fooAppPoolUser to the local admin group (Administrators, I know, was only to test), then it worked. Now I removed the user again, restarted IIS and it still works.

Arjen,

For the configuration steps in IIS, I'd have a look at Specify an Identity for an Application Pool (IIS 7) on TechNet.

I found the following link answered a similar question I had: http://www.iis.net/learn/manage/configuring-security/application-pool-identities

Basically, ApplicationPoolIdentity is a virtual user account that still behaves like NETWORK SERVICE, but without some of the down-sides; each app pool has its very own ApplicationPoolIdentity account created with it.

More detailed information can also be found that is also specific to IIS 7.5 Application Pool Identities.
