Service Account replaced by IUSR ??



Hi,
Could anyone help me with this?
I am testing a .Net 2 application that creates a user in AD. It also has to create a shared folder on a remote server.
I'm testing this on a Windows SBS 2003 machine, taking the same server as "remote" server, by using the UNC path when creating the directory.

Now, in order to avoid impersonation I did the following:
- create a service account and register it in AD using the setspn.exe tool described in the article http://msdn2.microsoft.com/en-us/library/ms998358.aspx
- give the service account administrator rights (only for testing purposes; this will be graded down in production)
- check the "trust account for delegation" option on the account
- create a separate application pool in IIS 6 only for this application
- set the identity of this AppPool to the newly created user

So far, everything works fine, and I succeed in creating the user in AD.
But the application breaks down when I want to create the folder, for the reason that the app doesn't have access rights to the folder.
It will only work when I use impersonation:
- either to the specially created service account
- or to the web user, if he has administrator rights.

But the whole idea of creating a service account was to avoid impersonation !

I decided to audit the parent directory in which the user directories should be created. This is the event I got (I snipped some lines for brevity):

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: MYSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: IUSR_MYSERVER
Domain: IQS
Logon Type: 8
Logon Process: Advapi Authentication Package: Negotiate
Workstation Name: MYSERVER
Caller User Name: adtester

What boggles my mind is that the user is still IUSR_MYSERVER instead of the specially created service account "adtester"!

Do you have any idea what's going on here, or am I missing something?

Thanks!
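To read the audit record quoted above, here is an added example (not code from the original post or its thread): a small Python parser for the 529 event text as Event Viewer renders it, which decodes the logon type and flags the case where the account that requested the logon (Caller User Name, the App Pool identity) differs from the account being logged on (User Name). The event text is the one in the post; such an explicit credential logon points at the site's anonymous-authentication or web.config impersonation settings rather than at the pool identity itself.

```python
import re

# Constructed sample: the Security-log event quoted in the post, in the
# "Key: Value" layout Event Viewer uses for a 529 Logon Failure.
SAMPLE_EVENT = r"""Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: MYSERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: IUSR_MYSERVER
Domain: IQS
Logon Type: 8
Logon Process: Advapi Authentication Package: Negotiate
Workstation Name: MYSERVER
Caller User Name: adtester
"""

# Windows logon-type codes as recorded in 528/529 events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# "Key: Value" pairs; the lookahead lets two fields share one line, as
# "Logon Process" and "Authentication Package" do in the rendering.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(.*?)(?=\s+[A-Z][A-Za-z ]*:|$)")

def parse_event(text):
    """Turn the rendered event into a {field: value} dict."""
    return {k.strip(): v.strip() for line in text.splitlines()
            for k, v in FIELD_RE.findall(line)}

def diagnose(fields):
    """Explain a 529 Logon Failure: who asked for the logon, and for whom."""
    if fields.get("Event ID") != "529":
        return None
    ltype = int(fields.get("Logon Type", "0"))
    caller = fields.get("Caller User Name", "")
    target = fields.get("User Name", "")
    # Advapi is the logon process name for LogonUser() calls: a process running
    # as `caller` handed Windows a separate credential set for `target`, so the
    # failure is not the caller's own token being refused at the share.
    explicit = (fields.get("Logon Process", "").lower() == "advapi"
                and caller != "" and caller.lower() != target.lower())
    return {"logon_type": LOGON_TYPES.get(ltype, f"unknown({ltype})"),
            "caller": caller, "target": target,
            "explicit_credential_logon": explicit}

if __name__ == "__main__":
    print(diagnose(parse_event(SAMPLE_EVENT)))
```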


