How to use domain windows user account as app pool identity - iis

I will be using a domain windows account(maintained in Active Directory) as Application pool identity in my web server. So i want the account to be a member of IIS_WPG or IIS_IUSRS group.
My question is where to do it? in Active Directory or in the web server itself?
If i modify the Active Directory, so that the user is part of IIS_WPG/IIS_IUSRS, should be more than enough? or i should edit local users/group(in web server) to make sure i add the domain user to IIS_WPG or IIS_IUSRS group?

I'm not sure about adding via Active Directory as a blanket fix.
We used this method for IIS 6:
Add User to IIS_WPG group:
Go to Computer Management on the box hosting the site, Local Users and Groups > Groups, right-click IIS_WPG > Add to Group, then add the windows account, Apply, OK.
Then allow account to run as service:
Admin Tools > Local Security Policy > Local Policies > User Rights Assignment > Log on as a service Properties, Add user, Apply, OK
Set App Pool Identity:
IIS > App Pool Properties > Identity tab, set as configurable and input user, Apply, OK.
Then reboot box.
Good resource: Steps for setting up a custom identity of an IIS 6 application pool

In the identity tag and
use your windows domain and windows user name in the web.config file
In the IIS Server set the pool identity as ApplicationPool.
Disable anonymous authentication for the web application.
Enable Impersonation and
Windows Authenticaton.
for the web Application in the IIS Box

On Windows Server 2012 (in my case) one have to
add user to domain controller
set the Domain Account as custom apppool identity on the Webserver
set the option LoadUserProfile = True in the advanced properties of the Application Pool.

Right click on your Application Pool, in Process Model section, identity (first one) go in and select the second radio button which is Custom account and enter your desire account and password

Related

Can I use AAD Managed Identities for IIS Application pool identities on Azure?

I am hosting IIS on Azure Windows VM and need to configure Service account for IIS Application pool identity. What approach can I use for this? Is it possible to use AAD Managed identity or service principal for IIS Application pool identity?
According to microsoft docs :
The Windows operating system provides a feature called "virtual accounts" that allows IIS to create a unique identity for each of its application pools. For more information about virtual accounts, see Service Accounts Step-by-Step Guide.
If you are running IIS 7.5 on Windows Server 2008 R2, or a later version of IIS, you don't have to do anything to use the new identity. set ApplicationPoolIdentity by default. The IIS Admin Process (WAS) will create a virtual account with the name of the new application pool and run the application pool's worker processes under this account by default.
To use this virtual account when running IIS 7.0 on Windows Server 2008, you have to change the Identity property of an application pool that you create to ApplicationPoolIdentity.
Please check this reference: Application Pool Identities | Microsoft Docs
You must be a member of the Administrators group on the local computer to perform the following procedures.And for AAD make sure to do active directory sync to connect to local AD.
Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
Double-click , double-click Application Pools, right-click , and click Advanced Settings.
In the Identity box, click ApplicationPoolIdentity.
Under Application Pool Tasks, click Stop, and then click Start.
Reference : Service Accounts Step-by-Step Guide-o configure an IIS app
lication pool to use a virtual account | Microsoft Docs

Best way to access the shared folder for a web application

I have two machines, Machine A and Machine B in LAN connection. I have shared a folder on Machine A called "SharedFiles" by giving access to "IUSR" and "IIS USER "  and local user.
I have hosted a web application with IIS on machine B. From this hosted application , I want to access the "SharedFiles" folder.
What is the best way to access the shared folder for the web application ? I found below two options.
 1. By changing the Web application's pool identity. Set a custom account for this pool identity where credentials should be the same as the shared folder or vice versa.
 2. By setting up a virtual directory for this. I don't know how to use it. I have read the theory but never use it before.
If option 2 is correct then , do we need to access that folder using http/https?  How does this virtual directory work(Not looking for steps but logical flow)?
To add the virtual directory with the shred path under your site you could follow the below steps:
1)Open iis manager.
2)Right-click on your site ->slect add a virtual directory.
3)in add virtual directory box enter any name and your share folder path
Note: Make sure you have assigned the iis_iusrs and iusr permission to the shared folder.
After doing this go back again select site.
Double click authentication.
Select "Anonymous authentication"
Click edit from the action pane.
application pool identity. click ok.
now you can access your shared folder in browser with your site bindings/virtual directory name like shown below:
you could use the iis application pool identity to the administrator or local system account.

Issues in IIS Manager

I am using IIS Manager in window 10,
I need to host my ASP .NET web Form project in iis and access from other devices in same network.
i add new website and provide physical path.
the ip access from the computer but cannot able to access from other device in same network.
It Shows:
While Authentication file.
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again.
As far as I know, this is IIS warning when you click test in the binding window.
By default, IIS will use identity to access the protected files.With psasthrough
authentication like impersonation, IIS will attempt to use the actual identity of the user when accessing protected resources.
If user doesn't auth, it will use application pool identity to access the resources.
In my opinion, it is just a warning not a error.

How to get access for ApplicationpoolIdentity on particular folder

My deployed application is creating file on a shared location.
To get it work and allow applicaiton to write file on shared location, I have set applicaiton pool as domain\user account.
Please guide me how should i get it working using applicationpoolidentity account too ?
Versions of IIS 7.5 and later create a virtual app pool user account running under the umbrella of ApplicationPoolIdentity. This will be unique to that app pool and therefore won't be the same account as on another server.
You'll need to have the same specific local user account or domain user account set as having permissions against both the shared folder and the app pool.

Local site within Dropbox using IIS

I am trying to have my local website within dropbox using IIS. When I add the dropbox directory I get the error: The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path.
I am admin and have allowed all access to the dropbox folder. What is wrong?
You should add IIS user account to the list of users who are allowed to view/read the files. IIS usually runs via separate user account for security reasons.
This is done the following way:
Right-click on your site folder in Dropbox
Select "Security"
Click "Add"
Find IUSR user and/or IIS_IUSRS group
Add them both (or one, if only one is present) and assign them read permissions
Try adding your site folder again.
This should fix the issue.

Resources