Configuring Application Pool Identity with IIS 6.0

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

Important

This feature of IIS 6.0 is available only when IIS is running in worker process isolation mode.

The identity of an application pool is the name of the account under which the application pool's worker process runs. By default, application pools operate under the Network Service account, which has low-level user access rights. That is, this account provides better security against attackers or malicious users who might attempt to take over the computer on which the World Wide Web Publishing Service (WWW service) is running. The LocalService account also has low-level user access rights, which is helpful for situations that do not require access to resources on remote computers. You can configure application pools to run as LocalSystem, which is an account with more user rights than the Network Service or LocalService account. However, be mindful that running an application pool under an account with increased user rights presents a high security risk.

For example, suppose that an Internet Service Provider (ISP) wants to allow customers to upload Common Gateway Interface (CGI) applications and then add them to an application pool. Running CGI-enabled applications in a separate application pool under the Network Service account, with its lower user rights, reduces the risk that these applications will be used to attack the server.

For more information about application pool identities, see Configuring Application Pool Identity in IIS 6.0.

For more information about issues that can arise when you use a configurable account as the application pool identity, see Knowledge Base article 871179, "You receive an 'HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials' error message when you try to access a Web site that is part of an IIS 6.0 application pool."

For more information about using a configurable account with Kerberos authentication, see the following resources:

Procedures

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

To change the account under which an application pool runs using IIS Manager

  1. In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool, and then click Properties.

  2. Click the Identity tab, and click either Predefined or Configurable. Predefined refers to standard service names, such as Network Service (the default), LocalSystem, or Local Service. Configurable refers to registered user names.

    • If you click Predefined, click a predefined account in the list box.

    • If you click Configurable, in the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate. Then, add the account to the IIS_WPG group.

  3. Click OK.

Important

You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /user:MyComputer\Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any known parameters).

To change the account under which an application pool runs using the Adsutil.vbs administration script

  1. From the Start menu, click Run.

  2. In the Open box, type cmd, and click OK.

  3. Switch to the %systemroot%\system32\inetsrv directory.

  4. At the command prompt, type cscript adsutil.vbs SET W3SVC/AppPools/AppPoolName/WAMUserName Username

  5. At the command prompt, type cscript adsutil.vbs SET W3SVC/AppPools/AppPoolName/WAMUserPass Password

To programmatically change the account under which an application pool runs

  • In order to change the identity of a worker process in IIS 6.0, set three properties in the metabase under the application pool key that you want to change. Using "TestPool" as an example, and assuming the application pool named "TestPool" already exists, the following JScript snippet would change the application pool identity.

    var appPool = GetObject("IIS://localhost/w3svc/AppPools/TestPool");
    // Tell IIS to use a configurable identity for the worker process
    // (AppPoolIdentityType: 0 = LocalSystem, 1 = LocalService,
    // 2 = NetworkService, 3 = SpecificUser)
    appPool.AppPoolIdentityType = 3;
    // Set user name
    appPool.WAMUserName = "myuser";
    // Set password
    appPool.WAMUserPass = "myuserpass";
    // Save changes to the IIS metabase
    appPool.SetInfo();
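The snippet above writes a pool identity; the complementary defender's task is to audit what identities the pools on a server already use, flagging any pool that runs as LocalSystem and, for configurable accounts, checking the IIS_WPG membership that the IIS Manager procedure requires. The following JScript audit script is an added example and is not part of the original article or of IIS itself. It uses the same metabase property names as the article (AppPoolIdentityType, WAMUserName). The classification functions assessPool() and auditPools() are plain logic and run under any JScript or JavaScript engine; readPoolsFromMetabase() and isMemberOfIisWpg() need Windows Script Host with the IIS and WinNT ADSI providers, so run the file with cscript.exe on the IIS 6.0 server. The pool names in SAMPLE_POOLS, the helper names, and the conversion of a DOMAIN\user name into a WinNT ADsPath are assumptions made for illustration.

```javascript
// Added example, not part of the original article: audit the identity of every
// IIS 6.0 application pool and flag configurations that deviate from the
// least-privilege defaults the article describes.
//
// assessPool()/auditPools() run under any JScript/JavaScript engine.
// readPoolsFromMetabase() and isMemberOfIisWpg() need Windows Script Host with
// the IIS and WinNT ADSI providers (run with cscript.exe on the IIS 6.0 server).
// ES3-compatible syntax is used so the file also runs under WSH JScript.

// AppPoolIdentityType values as stored in the IIS 6.0 metabase.
var IDENTITY_TYPE_NAMES = { 0: "LocalSystem", 1: "LocalService", 2: "NetworkService", 3: "SpecificUser" };

// pool: { Name, AppPoolIdentityType, WAMUserName, InIisWpg }; InIisWpg is
// true/false for configurable accounts and null when it was not checked.
function assessPool(pool) {
  var typeName = IDENTITY_TYPE_NAMES[pool.AppPoolIdentityType] || "Unknown";
  var finding;
  if (pool.AppPoolIdentityType === 0) {
    // LocalSystem has far more rights than a worker process needs.
    finding = "HIGH: runs as LocalSystem; use Network Service, Local Service or a low-privilege configurable account";
  } else if (pool.AppPoolIdentityType === 3) {
    if (pool.InIisWpg === false) {
      finding = "MISCONFIGURED: account '" + pool.WAMUserName + "' is not a member of IIS_WPG";
    } else {
      finding = "REVIEW: configurable account '" + pool.WAMUserName + "'; confirm it holds no administrative rights";
    }
  } else if (typeName === "Unknown") {
    finding = "REVIEW: unrecognised AppPoolIdentityType " + pool.AppPoolIdentityType;
  } else {
    finding = "OK: runs as " + typeName;
  }
  return { name: pool.Name, identity: typeName, finding: finding };
}

function auditPools(pools) {
  var results = [];
  for (var i = 0; i < pools.length; i++) {
    results.push(assessPool(pools[i]));
  }
  return results;
}

// WSH only: ask the local IIS_WPG group whether userName is a member.
// Turning "DOMAIN\user" into a WinNT ADsPath is an assumption for illustration;
// an unqualified name is treated as a local account.
function isMemberOfIisWpg(userName) {
  var parts = userName.split("\\");
  var adsPath = parts.length === 2 ? "WinNT://" + parts[0] + "/" + parts[1] : "WinNT://./" + userName;
  var group = GetObject("WinNT://./IIS_WPG,group");
  return group.IsMember(adsPath);
}

// WSH only: read every application pool under W3SVC/AppPools from the metabase.
function readPoolsFromMetabase() {
  var pools = [];
  var container = GetObject("IIS://localhost/W3SVC/AppPools");
  for (var e = new Enumerator(container); !e.atEnd(); e.moveNext()) {
    var p = e.item();
    if (p.Class !== "IIsApplicationPool") { continue; }
    var pool = { Name: p.Name, AppPoolIdentityType: p.AppPoolIdentityType, WAMUserName: p.WAMUserName, InIisWpg: null };
    if (pool.AppPoolIdentityType === 3) { pool.InIisWpg = isMemberOfIisWpg(pool.WAMUserName); }
    pools.push(pool);
  }
  return pools;
}

// Constructed sample data so the classification can be exercised off the server.
var SAMPLE_POOLS = [
  { Name: "DefaultAppPool", AppPoolIdentityType: 2, WAMUserName: "", InIisWpg: null },
  { Name: "LegacyPool", AppPoolIdentityType: 0, WAMUserName: "", InIisWpg: null },
  { Name: "TestPool", AppPoolIdentityType: 3, WAMUserName: "myuser", InIisWpg: true },
  { Name: "BrokenPool", AppPoolIdentityType: 3, WAMUserName: "MYCOMPUTER\\svc_web", InIisWpg: false }
];

// Entry point: live metabase under cscript.exe, otherwise the constructed sample.
var underWsh = typeof WScript !== "undefined";
var results = auditPools(underWsh ? readPoolsFromMetabase() : SAMPLE_POOLS);
for (var r = 0; r < results.length; r++) {
  var line = results[r].name + " [" + results[r].identity + "] " + results[r].finding;
  if (underWsh) { WScript.Echo(line); } else { console.log(line); }
}
```

Run it as cscript.exe audit_pools.js from the runas-elevated command window described earlier. Note that the Adsutil.vbs procedure above sets only WAMUserName and WAMUserPass, while the JScript snippet also sets AppPoolIdentityType to 3; that value is what switches a pool from a predefined to a configurable identity, and the audit reports a pool as SpecificUser only when it is set.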