IIS7.5 Domain Account Application Pool Identity for SQL Server Authentication

In Windows Server 2003/IIS6 land we typically create an app pool that runs as the identity of an AD account created with minimal privileges simply for that purpose. This same domain user would also be granted access to SQL Server so that any ASP.NET application in that app pool would be able to connect to SQL Server with Integrated Security=SSPI.

We are making a brave move to the world of Windows Server 2008 R2/IIS7.5 and are looking to replicate this model, but I am struggling with how to make the application pool in IIS7.5 run as the identity of an AD account. I know this sounds simple and hopefully it is, but my attempts so far have been fruitless.

  • Should the application pool identity be a 'Custom account' for a domain account?
  • Does the domain account need to be added to any groups?

Solution 1:

Yes, the domain account will be added under Custom account: under Advanced Settings -> Identity. The information below is from Understanding the Built-In User and Group Accounts in IIS 7.0:

IIS 7.0 automatically adds the IIS_IUSRS membership to the worker process's token at runtime. By doing this, accounts that have been defined to run as 'application pool identities' no longer need to explicitly be part of the IIS_IUSRS group.

If you want to disable this feature and manually add accounts to the IIS_IUSRS group, disable this new feature by setting the manualGroupMembership value to 'true'. Below is an example of how this can be done to the defaultAppPool:

<applicationPools>
    <add name="DefaultAppPool">
       <processModel manualGroupMembership="true" />
    </add>
</applicationPools>
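The same configuration scripted in PowerShell, as an added example that is not part of the original answers: it sets the pool's identity to a custom domain account, leaves manualGroupMembership at its default so IIS injects IIS_IUSRS into the worker-process token itself, and then grants that account a Windows login on SQL Server so applications in the pool can connect with Integrated Security=SSPI. The account name CONTOSO\svc_webapp, the pool name, the SQL instance SQLSRV01 and the database AppDb are placeholders, not values from the page; WebAdministration (IIS Management Scripts and Tools) and sqlcmd.exe are assumed to be installed.

```powershell
# Added example (not from the original Q&A). Run in an elevated PowerShell
# session on the IIS 7.5 server. Placeholders: CONTOSO\svc_webapp, DefaultAppPool,
# SQLSRV01, AppDb.
Import-Module WebAdministration

$PoolName    = 'DefaultAppPool'        # assumed application pool name
$DomainUser  = 'CONTOSO\svc_webapp'    # placeholder least-privilege AD service account
$SqlInstance = 'SQLSRV01'              # placeholder SQL Server instance
$Database    = 'AppDb'                 # placeholder application database

# Prompt for the password instead of embedding it in the script.
$secure = Read-Host -AsSecureString -Prompt "Password for $DomainUser"
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

$pool = "IIS:\AppPools\$PoolName"
if (-not (Test-Path $pool)) { New-WebAppPool -Name $PoolName | Out-Null }

# identityType 3 = SpecificUser, i.e. "Custom account" in IIS Manager.
# IIS stores the password encrypted in applicationHost.config.
Set-ItemProperty $pool -Name processModel -Value @{
    identityType = 3
    userName     = $DomainUser
    password     = $plain
}
$plain = $null   # drop the plaintext copy as soon as it has been used

# Default is $false: IIS adds IIS_IUSRS to the worker-process token at runtime,
# so the domain account does not need to be made a member of IIS_IUSRS.
# Only set this to $true if you intend to manage that group membership by hand.
Set-ItemProperty $pool -Name processModel.manualGroupMembership -Value $false

Restart-WebAppPool -Name $PoolName

# Verify what the pool is now configured to run as.
$pm = Get-ItemProperty $pool -Name processModel
"{0} runs as '{1}' (identityType={2}, manualGroupMembership={3})" -f `
    $PoolName, $pm.userName, $pm.identityType, $pm.manualGroupMembership

# Grant the same account a Windows login on SQL Server and the minimum database
# role the application needs (db_datareader here as an example; adjust to the
# application's real requirements). Runs under your own Windows credentials (-E).
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$DomainUser')
    CREATE LOGIN [$DomainUser] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$DomainUser')
    CREATE USER [$DomainUser] FOR LOGIN [$DomainUser];
EXEC sp_addrolemember N'db_datareader', N'$DomainUser';
"@
sqlcmd -S $SqlInstance -E -Q $sql
```

After the script runs, a request to a site in the pool should show a w3wp.exe process owned by the domain account in Task Manager, and the SQL Server error log (with login auditing enabled) will record the connection as that Windows login rather than as the machine account.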

Solution 2:

I had the same problem adding the custom account to IIS7 after several iterations.

I went back to Control Panel --> User Accounts --> Manage User Accounts --> Advanced --> Users, double-clicked the user name that I want to add as a custom account, and made sure that the account is neither disabled nor locked out. After changing the settings to "password never expires", it worked perfectly.