Authorize IIS Application Pool Identity to file system resources

Web applications can be run in the Internet Information Server (IIS) with different identities. This can be advisable or necessary to get access to the Active Directory or other protected systems. However, you have to do an exact designation of the Pool Identity.

For this purpose IIS has application pools which create a joint process infrastructure.

• Every web application is assigned to one exact pool
• One pool however, can be responsible for several applications
• Every pool has a pool-identity (Application Pool Identity)

The pool identity is:

• An individually set up local user
• An Active Directory user or
• A virtual pool-identity (since IIS 7) 

Pool Identity and security

This pool identity has very low authorizations and thus provides a good security against attacks. New pools can be created easily and every pool automatically gets an individual virtual identity. With this, the applications among each other are closed off securely.

Pool Identity to file system authorization

The pool identity is neither a user in the classical sense nor you can find it under ‘local users’.

To assign authorizations for the pool identity to the file system,  you need to know its exact name.

Designation of Pool Identity

It consists of the following characters (please pay attention to blank spaces):

IIS AppPool\[AppPoolName]

for the default pool it would for example be: