ApplicationPoolIdentity and IIS

Ever needed to grant permissions on a resource (such as a folder) while your ASP.NET application's pool is running under ApplicationPoolIdentity? A few points to understand:

  • There is no fixed account for this, so you will not find one among the built-in accounts when you try to set ACL permissions.
  • For each AppPool you have, a new account is created when the AppPool starts. The naming convention is “IIS APPPOOL\your_app_pool_name”. So if an application is running under “Classic .NET AppPool”, the account created is IIS APPPOOL\Classic .NET AppPool.
  • Just grant permissions to this account and you are good to go.
  • The benefit of this approach is that, without the trouble of creating any local user account on the system, you can configure your application to run under a different identity. Different applications can run simultaneously with no way to access each other's data. Automatic provisioning also becomes easy.
  • Since this account does not actually exist as a user on the system, there is less chance that you have granted it any other rights, so an attacker who compromises the application gains only the rights you explicitly granted and does not compromise the rest of your system.
  • But to make the best use of this feature, for such compartmentalized security you need to run each application under its own dedicated custom Application Pool.
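
The steps above, as an added PowerShell example (not from the original post): it creates a dedicated pool running under ApplicationPoolIdentity, grants only that pool's virtual account Modify rights on a folder, and then checks that no other pool's account has an ACE on the same folder. The pool name “MyApp” and the folder C:\inetpub\MyApp\uploads are assumed; run it in an elevated prompt on the IIS host.

```powershell
# Added example, not part of the original post. Assumed names: pool "MyApp",
# folder C:\inetpub\MyApp\uploads. Requires the WebAdministration module (IIS host).
Import-Module WebAdministration

$poolName = 'MyApp'                          # assumed app pool name
$folder   = 'C:\inetpub\MyApp\uploads'       # assumed folder the app must write to
$account  = "IIS AppPool\$poolName"          # naming convention for the virtual account

# 1. Dedicated pool, so this identity is not shared with any other application.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value ApplicationPoolIdentity

# 2. The account exists only once the pool has started; start it and confirm the
#    name resolves to a SID even though it is not listed under local users.
Start-WebAppPool -Name $poolName
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier])
"$account resolves to $sid"

# 3. Grant Modify on the folder (inherited by subfolders and files) and nothing more.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl  = Get-Acl $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Check: list every app pool account with an ACE on the folder. Only $poolName
#    should appear; a second "IIS AppPool\..." entry means another pool can reach
#    this application's data, which defeats the compartmentalization.
(Get-Acl $folder).Access |
    Where-Object { $_.IdentityReference -like 'IIS AppPool\*' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```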

Rahul Gangwar