Which Identity option in IIS' Application Pool is considered best
Currently all of our web apps have their Application Pool Identity set to ApplicationPoolIdentity. Now, When an app needs to access some resources on some some server, say, add/read some file, the app performs impersonation in code to a user that has permissions to do this stuff. But now, we are contemplating to create a specific user for each app, and set its app pool identity to its specific new user. But I have noticed in the Advanced Settings dialog that Microsoft recommends to use the application pool identity, as shown in the following image:
Why does Microsoft recommends to use this identity, and is using a specific user is not best practice or a wrong move?
thanks,
ashilon
ApplicationPoolIdentity uses a concept called Virtual Accounts and is implemented to have App Pool isolation. This blog explains in detail about that.
ApplicationPoolIdentity is the recommended approach to have proper isolation between each website/application pool in IIS 7 and onwards, so you can have code or files running for one website or app which can't be accessed by anyone else.
But for your scenario where you need to access a resource on another server, when you use ApplicationPoolIdentity it uses the Machine identity only always. So the best approach is to use managed service account
Managed Service Accounts are a great way to manage Services that need network access. Let Windows take care of passwords and SPNs for you
Please find more information here, here
But this has problem as only one managed service account can be assigned to one Server. Even with Application Pool identity, it will be using the $machineaccount to access network resources.
If you have to isolate network resources for each website/application, then your only way is to create the separate User Account for each website and manage that.
Hope this helps!
- HTTP Service Request Queues\CurrentQueueSize counter instance name
- A ghost deleted my files?
- IIS set header with url rewrite for 3xx response
- 301 Redirect for IIS
- IIS 6.0 64-bit: SysInterals Proc Explorer showing 32-bit DLLs loaded?
- PowerShell IISAdministration: use of "-Confirm" parameter
- ASP. NET Core 8: Error HTTP 500 and returnurl=%2F in the URL
- How can I create and test two web apps in two separate application pools on my local machine?
- IIS Recompile ASP NET websites
- Is it possible to make part of a site on IIS only viewable from localhost?
- Why is my javascript bundle so slow to download?
- API not starting in IIS After Deployment: Missing .NET Hosting Components?
- How exactly are URLs mapped to handlers in IIS 7+
- Redirect chain problem in web.config, Windows Server 2020 IIS
- How do I enumerate IIS websites using Powershell and find the app pool for each?
- Google Firestore Database unable to connect in IIS (Laragon Apache is fine) "Empty address list:" Error :14
- Entity Framework Core - Web Deploy is Missing SQL Server Management Object Dependency
- PHP ignoring curl.cainfo setting in php.ini (apparently)
- How can I change IIS application pool property setProfileEnvironment from Powershell?
- How can I use the "Standard Deviation" function in my LogParser queries?
- IIS10 SSL Configuration for Multiple Sites and more than one SSL Cert
- How to clear the server cache in iis
- Getting 'A fatal error occurred while creating a TLS client credential' error when browsing/trying to access the site hosted in IIS 10 WS 2016
- .NET Core 3.1 - SAP Connector - Could not load type 'System.ServiceModel.Activation.VirtualPathExtension'
- Server Error in '/' Application Access is denied
- Docker .net framework application
- What do I need to do to make a Docker-hosted local website available through localhost?
- Installed SSL certificate in certificate store, but it's not in IIS certificate list
- Unable to resolve 500.30 error in simple web application
- GCP load balancer 502 server error and "backend_connection_closed_before_data_sent_to_client" IIS 10