Re: Basic question on Windows Integrated Security

From: Timo (timo_at_anonymous.com)
Date: 03/25/04


Date: Thu, 25 Mar 2004 07:38:23 -0500

Ken,
Thanks for the clarifications. Beginning to see some light through
the trees ;-)

Is the default Web Application Pool process identity, like the
IUSR_<machinename> account, local to the machine so that it too
cannot be granted permissions on remote resources? If we were to
specify a particular domain account (with requisite SQL
permissions) as the Web Application Pool process identity, are we
then required to create some sort of special relationship ("trust
relationship?") between the SQL server and that domain account?
I'm confused by the articles I've been reading and the advice I've
been getting on this; some say to assign Service Principal Names
and others say this is unnecessary. We're Win2003 with
ActiveDirectory, IIS6, SQL2000.

Thanks
Timo

In article <eiSgGdgEEHA.3424@tk2msftngp13.phx.gbl>,
kenREMOVE@THISadOpenStatic.com writes...
>Note: the IUSR_<machinename> account is, by default, local to the webserver
>and can't be assigned permissions to remote resources. You could change this
>to a domain account if you wanted to.
>
>Note: ASP.Net does not use IUSR_<machinename> by default, unless you
>configure <identity impersonate="true"> on IIS5, ASP.Net uses the
>Machine\ASPNet account by default (you can change this in machine.config for
>example). In IIS6 ASP.Net uses the Web Application Pool process identity
>(configurable via the IIS Manager).
>
>


