Which Identity option in IIS' Application Pool is considered best
Currently all of our web apps have their Application Pool Identity set to ApplicationPoolIdentity. Now, When an app needs to access some resources on some some server, say, add/read some file, the app performs impersonation in code to a user that has permissions to do this stuff. But now, we are contemplating to create a specific user for each app, and set its app pool identity to its specific new user. But I have noticed in the Advanced Settings dialog that Microsoft recommends to use the application pool identity, as shown in the following image:
Why does Microsoft recommends to use this identity, and is using a specific user is not best practice or a wrong move?
thanks,
ashilon
ApplicationPoolIdentity uses a concept called Virtual Accounts and is implemented to have App Pool isolation. This blog explains in detail about that.
ApplicationPoolIdentity is the recommended approach to have proper isolation between each website/application pool in IIS 7 and onwards, so you can have code or files running for one website or app which can't be accessed by anyone else.
But for your scenario where you need to access a resource on another server, when you use ApplicationPoolIdentity it uses the Machine identity only always. So the best approach is to use managed service account
Managed Service Accounts are a great way to manage Services that need network access. Let Windows take care of passwords and SPNs for you
Please find more information here, here
But this has problem as only one managed service account can be assigned to one Server. Even with Application Pool identity, it will be using the $machineaccount to access network resources.
If you have to isolate network resources for each website/application, then your only way is to create the separate User Account for each website and manage that.
Hope this helps!
- Troubleshooting HTTPS Issues with .NET Application on IIS Server
- How do I check if user 'IIS AppPool\MyAppPoolName' exists in powershell
- How to Disable HTTP/2 for Specific Sites in IIS Using PowerShell?
- IIS "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" SQL connection error, but only for 1 user
- IIS String was not recognized as a valid DateTime
- Error during GENERAL_REQUEST_ENTITY for POST request causes ASP .NET session state to never get unlocked
- MVC 6 Hosted on IIS HTTP Error 500.19
- System.Data.SqlClient.SqlException: Login failed for user
- Invalid provider type specified one more time
- IIS Manager in Windows 10
- Hosting multiple .net core using the same application pool with AspNetCoreModuleV2
- Duplicate Content Security Policies for frame ancestors generated (Blazor, IIS and Chrome)
- Error: Microsoft.Data.SqlClient is not supported on this platform when publishing .NET 8.0 C# Web API to IIS
- Blazor App on IIS does not work on recent IOS
- Is it possible to make part of a site on IIS only viewable from localhost?
- ERROR: "The project doesn't know how to run the profile IIS Express" (VS 2019, 16.11.7)
- HTTP Error 500.31 - Failed to load ASP.NET Core runtime
- Using application pool identity results in exceptions and event logs
- Serilog Not Working After New Azure Release: The type initializer for 'Microsoft.Data.SqlClient.InOutOfProcHelper' threw an exception
- How to configure Web Deploy on Windows 10 pro
- On IIS, are .NET AppDomain instance specific to an application?
- 404 - File or directory not found. getting in windows server
- "There was an error while performing this operation"
- IIS Websites requested through HTTPS keeps showing a prompt for sign in instead of loading the site
- How to configure cache on IIS 10?
- Keyset does not exist / Identity invalid
- Check HTTP_REFERER on a Windows server
- IIS10 URL Rewrite 2.1 double encoding issue
- System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred
- How do I loop through a PropertyCollection