Microsoft provides a tool, shipped with the .NET Framework, that lets you easily change the identity of the user that runs an IIS application pool.

With this method you can run an ASP.NET web application with an integrated-security SQL connection string such as:

Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;

Provided the application pool user has the necessary permissions on the specified database, there is no need to store any passwords in the web.config files.

Once you have the domain user you wish to use for the application pool, run the following command:

%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -ga [DOMAIN]\[USERNAME]

Running this command gives the specified user the correct permissions on the IIS metadata and also the right file permissions.

However...

Running this alone was not enough when I ran it on a couple of servers!

For some reason the aspnet_regiis tool does not set the required access on the windows\temp directory, resulting in some very strange errors.

Set permissions on the %windir%\temp directory

  1. View the permissions on the %windir%\temp directory
  2. Click Advanced to view the special permissions
  3. Add a new user and enter the name of the user that runs the application pool
  4. Set the following special permissions (basically the same as the Users group):
    - Traverse Folder / Execute File
    - Create Files / Write Data
    - Create Folders / Append Data
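The whole procedure above (the aspnet_regiis -ga command followed by the three special permissions on %windir%\temp) scripted as an added example; this is not code from the original post. It assumes an elevated PowerShell prompt, the v2.0.50727 framework path used in the post (Framework64 on a 64-bit system), a placeholder account name DOMAIN\svc_apppool, and that the new entry should apply to the temp folder only, like the default Users entry. The final step reads the ACL back so a missing right is caught here rather than as an unexplained runtime error.

```powershell
# Added example, not from the original post. Grants an application pool
# identity the ASP.NET permissions via aspnet_regiis -ga, then adds the
# three special rights on %windir%\temp that the tool leaves out.
# Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory = $true)]
    [string]$PoolIdentity   # e.g. 'DOMAIN\svc_apppool' (placeholder, not a real account)
)

# Pick the 32-bit or 64-bit v2.0 framework directory (assumption: .NET 2.0/3.5
# runtime, matching the v2.0.50727 path used in the post).
$fwDir = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727'
if ([IntPtr]::Size -eq 8) {   # 64-bit PowerShell process
    $fwDir = Join-Path $env:windir 'Microsoft.NET\Framework64\v2.0.50727'
}
$regiis = Join-Path $fwDir 'aspnet_regiis.exe'

# Step 1: grant the IIS metadata and ASP.NET file permissions (the post's command).
& $regiis -ga $PoolIdentity
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -ga failed with exit code $LASTEXITCODE" }

# Step 2: add the three special permissions on %windir%\temp, equivalent to
# Traverse Folder / Execute File, Create Files / Write Data and
# Create Folders / Append Data in the Security dialog.
$tempDir = Join-Path $env:windir 'temp'
$rights  = [System.Security.AccessControl.FileSystemRights]'Traverse, CreateFiles, CreateDirectories'
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $PoolIdentity,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,   # assumption: this folder only
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $tempDir
$acl.AddAccessRule($rule)
Set-Acl -Path $tempDir -AclObject $acl

# Step 3: read the ACL back and confirm an Allow entry exists for the identity.
$check = (Get-Acl -Path $tempDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $PoolIdentity -and $_.AccessControlType -eq 'Allow' }
if (-not $check) { throw "No Allow ACE for $PoolIdentity found on $tempDir" }
$check | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
```

Save as a .ps1 and run it as `.\Set-AppPoolIdentityPerms.ps1 -PoolIdentity 'DOMAIN\svc_apppool'`. The ACE is deliberately limited to the three rights the post lists rather than Modify or Full Control, so the pool account gets only what it needs on a directory shared by every process on the box.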

Now you’re good to go with a new application pool user that has the right permissions!


Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

© Copyright 2010 Dan Gibbons .Net Developer