10

How can I assign Active Directory permissions to the default app pool identity [IIS APPPOOL\{application pool name}]?

I am trying to do this to enable a web application to query Active Directory groups and users and check the existence of a particular user name or group name.

Thanks.

user2384219

2 Answers

8

You don't. You can confer permissions on local resources to the IIS APPPOOL\{app pool name} identity, per:

How to assign permissions to ApplicationPoolIdentity account

In Active Directory, the identity needs to be either a Well-Known security principal, an actual user/group/computer security principal, or a foreign/trusted security principal.

However, if you use the Network Service identity on the IIS AppPool, the application pool will use the machine account of the IIS server when accessing network resources. In that case, you can confer the necessary permissions to the computer account (domain\computername$) in Active Directory.

http://www.iis.net/learn/manage/configuring-security/application-pool-identities

Greg Askew
  • When I use the Network Service identity on the IIS AppPool it works as expected. However, the documentation at http://www.iis.net/learn/manage/configuring-security/application-pool-identities says "The good news is that Application Pool identities also use the machine account to access network resources. No changes are required.", but it is obviously not behaving the same in the case where the application attempts to make AD queries. – user2384219 May 22 '13 at 20:52
  • No-one is perfect. At least NetworkService works. Using an apppool identity is probably something that is either broken or poorly documented. – Greg Askew May 22 '13 at 22:27
  • @GregAskew - App Pool identities run as supersets of Network Service accounts, so when they access network resources they work as machine names, but they can also have tighter security locally. – Erik Funkenbusch Aug 01 '14 at 23:33
1

What I did on the AD computer was to delegate control to the computer running the IIS that hosts the application. I delegated only "modify group membership" (or something like that) kind of permissions and got my solution working.

I had a twist in my app that got IPrincipal from ADFS, so I didn't use Windows auth, but other than that everything worked just fine.

Too bad IIS Express doesn't function the way that IIS functions, as this is not the first time I have had problems when going to production.

Tommi
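Both answers come down to the same administrative procedure, so here it is as one script. This is an added example, not code from the original page or from either answerer. Step 1 switches the app pool to NetworkService (ApplicationPoolIdentity would do as well), which is what makes the pool present the IIS server's computer account (domain\computername$) to the domain, as Greg Askew's answer describes. Step 2 grants that computer account an ACE in Active Directory in the way Tommi's answer describes: "modify group membership" is write access to the member attribute of group objects under an OU. Step 3 reads the ACL back as a check. The host name WEB01, the domain corp.example, the pool name MyAppPool and the OU are assumptions; the two schema GUIDs are the base-schema values for the member attribute and the group class, which are the same in every forest.

```powershell
# Added example, not code from the original page or from either answer.
# Assumptions: IIS host WEB01 in domain CORP (DNS corp.example), app pool
# "MyAppPool", and the groups the app may change under OU=AppGroups,DC=corp,DC=example.

$IisHost  = 'WEB01'                              # assumed host name
$AppPool  = 'MyAppPool'                          # assumed app pool name
$TargetOu = 'OU=AppGroups,DC=corp,DC=example'    # assumed OU

# --- Step 1 (run on the IIS host): make the pool run as NetworkService.
# NetworkService (identityType 2) and ApplicationPoolIdentity (identityType 4)
# both present CORP\WEB01$ to the domain; they differ only in the local token.
Import-Module WebAdministration
Set-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel.identityType -Value NetworkService
$identity = (Get-ItemProperty -Path "IIS:\AppPools\$AppPool" -Name processModel).identityType
"App pool '$AppPool' now runs as: $identity"

# --- Step 2 (run with RSAT, as an account allowed to change the OU's ACL):
# grant the computer account write access to the 'member' attribute of every
# group object under the OU, i.e. the "modify group membership" delegation.
Import-Module ActiveDirectory                      # also provides the AD: drive used below
$computerSid = (Get-ADComputer -Identity $IisHost).SID   # SID of CORP\WEB01$

# Base-schema GUIDs, identical in every forest.
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attributeSchema: member
$groupClassGuid = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # classSchema: group

$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $computerSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid,                                                 # only this attribute
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid                                                  # only on group objects
)

$acl = Get-Acl -Path "AD:\$TargetOu"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# --- Step 3: read the ACL back and show what the IIS host's account holds.
Get-Acl -Path "AD:\$TargetOu" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\${IisHost}$" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType -AutoSize
```

Run step 1 on the IIS server and steps 2 and 3 from a domain-joined machine with the RSAT ActiveDirectory module, as an account that may change the OU's ACL. For a query-only application like the one in the question, step 2 is usually unnecessary: in a default domain, Authenticated Users, which includes computer accounts, can already read user and group objects. Note also that NetworkService and ApplicationPoolIdentity present the same computer account to the domain, so an ACE in AD cannot tell them apart; only local ACLs on the IIS server ever see the per-pool IIS APPPOOL\{name} SID.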