0

My web appkication has the following set up..

  • WCF application hosted on IIS7
  • Basic HTTP binding - SecurityMode = TransportCredentialOnly and ClientCredentialType = Windows.
  • .Net 4.0
  • The app runs in a .Net 4.0 Application Pool using "ApplicationPoolIdentity".
  • IIS connects to the file system using "Application Pass Through" authentication.
  • The client and service both run under IIS - that is the client is a webste and the service is an IIS hosted WCF service.

What I would like to understand is that what user accounts are used at the various points in authenticating too and using the service.

  • I understand that ApplicationPoolIdentity is a built in Windows account that is generated for each created application pool - is this the account under which w3wp.exe will run for the website?

  • No credentials are specified between clent and server - and this is the most interesting point. When my client connects to my WCF application what identity is used to authenticate to the service. I presume the application pool identity of the app pool hosting client website?

  • If so then what would happen if the two sites use two differnet app pools?

  • Or does the service just require a valid account on the machine (or domain) and that is good enough to authenticate?

  • If I changed the application pool to use a specific user account does this change anything? Again I presume as long as the client passes a valid machine account is that ok?

Also,,,

  • What identity is used for the file system?

  • What permissions does "ApplicationPoolIdentity" have on the machine and for the file system.

  • Finally in the case of SQL Server Integrated security what identity is passed through to SQL server if my service talks to an SQL Server database.

Thanks in advance.

Improve this question

1 Answer 1

Reset to default
1

I understand that ApplicationPoolIdentity is a built in Windows account that is generated for each created application pool - is this the account under which w3wp.exe will run for the website?

Yes it is. That is called a virtual account which allows IIS to create unique accounts for each defined application pool, also a security identifier is created representing the application pool name. Keep in mind that this is not real user account. For more information about it you can check the following link: http://technet.microsoft.com/en-us/library/dd548356.aspx

No credentials are specified between clent and server - and this is the most interesting point. When my client connects to my WCF application what identity is used to authenticate to the service. I presume the application pool identity of the app pool hosting client website?

Yes, same rule applies as for using Local Service account or Network Service account.

If so then what would happen if the two sites use two differnet app pools?

Nothing, unless you elevate the rights of those application pools identities.

Or does the service just require a valid account on the machine (or domain) and that is good enough to authenticate?

Then you are not going to use the default virtual accounts created for your application pools. Instead you will associate those application pools with existing windows accounts. Keep in mind what sort of permissions those windows/domain accounts have.

If I changed the application pool to use a specific user account does this change anything? Again I presume as long as the client passes a valid machine account is that ok?

It would work just fine as long as those accounts will have permissions according to your needs.

What identity is used for the file system?

Define with more details what you mean by file system; are you referring strictly at your application directory?

What permissions does "ApplicationPoolIdentity" have on the machine and for the file system.

ApplicationPoolIdentity is a member of Users and IIS_IUSRS groups so will "inherit" the permissions of the previously mentioned groups.

Finally in the case of SQL Server Integrated security what identity is passed through to SQL server if my service talks to an SQL Server database.

ApplicationPoolIdentity or the account you have configured to be used by your application pool.

Improve this answer
2
  • File System - yes the application directory. What access does the ApplicationPoolIdentity have in my SQL server? I have not assigned a specific user but when using this configuration it seems to have enough rights on the db to do most operations.
    – Remotec
    Commented Jun 28, 2012 at 19:37
  • That is a matter of your SQL configuration.
    – Mihai H
    Commented Jun 28, 2012 at 19:39

Not the answer you're looking for? Browse other questions tagged or ask your own question.