Setting up an IIS6 Application Pool Identity

Often times it's necessary to run an ASP.NET application under a different user account than Network Service. Usually this is the case when Network Service doesn't have enough rights to access necessary application resources like a database or a file share on a different server.

Here's how to configure a different account (local account or domain account) so it has sufficient permissions to run an IIS6 Application Pool for ASP.NET applications:

1. Add the account to the local IIS_WPG security group.
2. Open the Group Policy Editor for the local computer (gpedit.msc)
3. Drill down to: Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignments
4. Add the new identity account to the following polices:
   - Adjust memory quotas for a process
   - Logon as a service
   - Replace a process level token
5. If your web application is going to host any web services, you need to also give your account Delete access to the C:\WINDOWS\Temp directory. Note: this is done via the Advanced dialog in the Security page of the Explorer folder properties dialog box.

References:

• IIS 6 Network Service Account vs. IIS 5 IWAM
• Default permissions and user rights for IIS 6.0
• Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication