Recipe 12.20. Configuring Application Pool Identities

Problem

You want to configure the identity of an application pool.

Solution

Using a graphical user interface

Using a command-line interface

The following two commands assign a custom user account for an application pool identity and set the password for the account:

    > cscript %systemroot%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/<AppPoolName>/WAMUserName <Username>
    > cscript %systemroot%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/<AppPoolName>/WAMUserPass <Password>

Replace <AppPoolName> with the name of the target application pool, <Username> with the name of the user account, and <Password> with the user's password.

Using VBScript

    ' This code configures an app pool identity.
    ' ------ SCRIPT CONFIGURATION ------
    strComputer = "<ServerName>"
    strAppPoolName = "<AppPoolName>"
    strUser = "<Username>"      ' e.g., RALLENCORP\myiisuser
    strPasswd = "<Password>"
    ' ------ END CONFIGURATION ---------

    ' Bind to the application pool through the IIS ADSI provider.
    set objAppPool = GetObject("IIS://" & strComputer & "/w3svc/AppPools/" & _
                               strAppPoolName)
    ' 3 = run the pool under the custom account given in WAMUserName.
    objAppPool.AppPoolIdentityType = 3
    objAppPool.WAMUserName = strUser
    objAppPool.WAMUserPass = strPasswd
    ' Commit the changes to the metabase.
    objAppPool.SetInfo( )
    WScript.Echo "App Pool identity modified successfully: " & objAppPool.Name

Discussion

When an application in the pool executes, the worker process impersonates the identity of the process token associated with the client requesting the application pool. An application pool's identity is the security context in which the worker processes assigned to the pool run when no application is running within the pool. The three predefined identities that can be assigned to a pool are shown in Table 12-9.

By default, new application pools (and the Default Application Pool) use Network Service as their identity. If you want to create a custom user account for a pool, be sure to give it a complex password and make it a member of the IIS_WPG built-in group, which gives the account the privileges needed to be able to instantiate new worker processes on the computer.
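
To confirm the result, the following VBScript (an added example, not code from the original recipe) reads each pool's identity back through the same ADSI objects and, for pools that use a custom account, checks for direct membership in the local IIS_WPG group. The AppPoolIdentityType values 0, 1 and 2 (Local System, Local Service, Network Service) are stated from the IIS 6.0 metabase definition because Table 12-9 is not reproduced here; the helper name IsInIISWPG is hypothetical.

```vbscript
' Added example: report each app pool's identity and flag custom accounts
' that are not direct members of the local IIS_WPG group.
Option Explicit
Dim strComputer, objAppPools, objPool, strUser

' ------ SCRIPT CONFIGURATION ------
strComputer = "<ServerName>"
' ------ END CONFIGURATION ---------

Set objAppPools = GetObject("IIS://" & strComputer & "/W3SVC/AppPools")
For Each objPool In objAppPools
    Select Case objPool.AppPoolIdentityType
        Case 0
            WScript.Echo objPool.Name & ": Local System (review: full local privileges)"
        Case 1
            WScript.Echo objPool.Name & ": Local Service"
        Case 2
            WScript.Echo objPool.Name & ": Network Service (default)"
        Case 3
            strUser = objPool.WAMUserName
            If IsInIISWPG(strComputer, strUser) Then
                WScript.Echo objPool.Name & ": " & strUser & " (member of IIS_WPG)"
            Else
                WScript.Echo objPool.Name & ": " & strUser & _
                             " (NOT a direct member of IIS_WPG)"
            End If
        Case Else
            WScript.Echo objPool.Name & ": unrecognized identity type " & _
                         objPool.AppPoolIdentityType
    End Select
Next

' Hypothetical helper. Assumes strUser is either DOMAIN\user or a bare local
' account name. The WinNT provider's IsMember tests direct membership only,
' so an account that belongs through a nested group is reported as missing.
Function IsInIISWPG(strComputer, strUser)
    Dim objGroup, strPath
    If InStr(strUser, "\") > 0 Then
        strPath = "WinNT://" & Replace(strUser, "\", "/")
    Else
        strPath = "WinNT://" & strComputer & "/" & strUser
    End If
    Set objGroup = GetObject("WinNT://" & strComputer & "/IIS_WPG,group")
    IsInIISWPG = objGroup.IsMember(strPath)
End Function
```

Run it with cscript so each pool is reported on its own console line rather than in a message box.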