Lots of overloaded terms here, and a change between IIS 7 and 7.5.
App Pool Identity vs App Pool Account
Let's start with the Application Pool identity (lowercase-i identity, which I call the App Pool Account to avoid ambiguity):
The way I tell it, the Application Pool Account is the account used to boot an App Pool, and the identity that the App Pool assumes when it's not impersonating anyone else.
So whatever identity you give the App Pool, it's going to need to be able to read the files in the content folder: particularly (but not limited to) any web.config files (which form part of the IIS configuration, and control what the App Pool is going to be doing).
If it can't access a folder, it'll assume there might be an important (game-changing) web.config file in there, and display an error. So the App Pool Account needs Read access to all content folders.
ApplicationPoolIdentity
Why differentiate the App Pool Account (the identity of the app pool) from the App Pool Identity? Because the special-capitals-used ApplicationPoolIdentity is a new account type - a managed service account - introduced and made the default in IIS 7.5 / Windows 2008 R2, and available from Windows 2008 SP2 as well (but not the default).
See Application Pool Identities on IIS.Net
When you create a website under 2008 R2 or later using the GUI:
an App Pool will be created to host that website, and
the account type will be ApplicationPoolIdentity, instead of Network Service (the 2008 default), Local Service or Local System
a virtual identity, IIS AppPool\AppPoolName, will be made available for use as a security principal on the local machine
With 2008 RTM, the default App Pool account was Network Service plus a unique app pool identity/uniquifier; the new R2/SP2 AppPoolIdentity account type is a Network-Service-like account (i.e. it is the computer when connecting off-box), but prevents impersonation of another App Pool within the same box.
Back to the original question:
- App pool account defines who your app runs as when it's not impersonating anyone else
- Authentication method describes how you're going to authenticate the clients (in order to impersonate them)
- The Anonymous user account defines who you're going to run as when impersonating a user for a request that isn't authenticated - IUSR is such a user.
Incidentally, with IIS 7.5+, you can set the Anonymous user account to be the Application Pool Identity (properties of the Anonymous authentication method), which might make it more straightforward to isolate and secure the content for a given website.
Set permissions using IIS AppPool\YourSiteName for the name format (see this post).
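The isolation the answer above describes, carried through end to end as an added example (this is not code from the original answer or from IIS documentation): an App Pool running as ApplicationPoolIdentity, a content folder whose ACL grants read access only to the pool's virtual account (plus SYSTEM and Administrators), and Anonymous authentication switched to the app pool identity so IUSR needs no rights on the folder at all. The site/pool name "MySite", the path C:\inetpub\MySite and port 8080 are hypothetical values; it assumes an elevated PowerShell session on IIS 7.5 or later with the WebAdministration module present.

```powershell
# Added example (not from the original answer): create an isolated site whose
# App Pool runs as ApplicationPoolIdentity, grant only that virtual account
# read access to the content folder, and make the Anonymous user the app pool
# identity so IUSR needs no rights on the folder.
# Assumptions (hypothetical values): site/pool name "MySite", content path
# C:\inetpub\MySite, port 8080. Run from an elevated PowerShell on IIS 7.5+.

Import-Module WebAdministration

$SiteName    = 'MySite'
$ContentPath = 'C:\inetpub\MySite'
$Port        = 8080
$PoolAccount = "IIS AppPool\$SiteName"     # the virtual identity IIS exposes for the pool

New-Item -ItemType Directory -Path $ContentPath -Force | Out-Null

# 1. App Pool with the ApplicationPoolIdentity account type (the 7.5 default;
#    set explicitly here so the script also does the right thing on a box
#    where something else has been made the default).
if (-not (Test-Path "IIS:\AppPools\$SiteName")) { New-WebAppPool -Name $SiteName | Out-Null }
Set-ItemProperty "IIS:\AppPools\$SiteName" -Name processModel.identityType -Value 'ApplicationPoolIdentity'

# 2. Site bound to that pool.
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-Website -Name $SiteName -PhysicalPath $ContentPath -ApplicationPool $SiteName -Port $Port | Out-Null
}

# 3. Content folder ACL: drop inherited ACEs (so Users / IIS_IUSRS from the
#    parent no longer apply), keep SYSTEM and Administrators, and give the pool
#    account Read+Execute that propagates to subfolders and files (OI)(CI).
#    Read is what the pool needs to see every web.config; no write is granted.
icacls $ContentPath /inheritance:r | Out-Null
icacls $ContentPath /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
icacls $ContentPath /grant "$($PoolAccount):(OI)(CI)RX" | Out-Null

# 4. Anonymous authentication: an empty userName means "Application pool
#    identity", so unauthenticated requests run as the pool account, not IUSR.
$AnonFilter = 'system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $AnonFilter -Name enabled  -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $AnonFilter -Name userName -Value ''

# 5. Read back what was applied so the result can be checked before going live.
$identity = (Get-ItemProperty "IIS:\AppPools\$SiteName" -Name processModel).identityType
$anonUser = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $AnonFilter -Name userName).Value
Write-Host "App pool identity type : $identity"
Write-Host "Anonymous user         : '$anonUser' (empty = application pool identity)"
Write-Host "ACL on $ContentPath :"
icacls $ContentPath
```

Breaking inheritance is what actually isolates the folder: without `/inheritance:r`, the Users or IIS_IUSRS entries inherited from the parent would still let every other pool on the box read this site's content. If the application needs to write somewhere (uploads, logs), grant `(OI)(CI)M` on that specific subfolder only, never on the folder holding web.config.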