It’s important to understand the account that IIS is running under when you need to make changes to the security settings. If, for example, your Web application writes to files or to a database, you’ll need to grant the correct permissions to the folder or database.
Before you can change these security settings, it’s important to know what account IIS is using. This FAQ details the various options available, both for “classic” ASP and ASP.NET applications.
There is a big difference between classic ASP and ASP.NET applications when it comes to determining the user context that IIS is running under, so this FAQ is divided into two subsections that explain how to determine the account that IIS uses:
* Classic ASP
* ASP.NET
For classic ASP, the default account for a Web site that allows anonymous access is called IUSR_MachineName, where MachineName is the name of your computer. However, when you use a security mechanism in IIS other than Anonymous Access, have manually changed the account that IIS uses, or run your Web site “Out Of Process”, you’re likely to encounter another user account. The following table lists the user accounts that IIS uses in the various scenarios:
| Configuration of the Web site or Virtual Directory / Application | Account IIS uses |
| --- | --- |
| Configured for Anonymous Access | IUSR_MachineName |
| Configured for Anonymous Access, but runs out of process (the Application Protection is set to High in the Home Directory or Virtual Directory tab of your Web application) | IWAM_MachineName |
| Configured for Basic Authentication or Integrated Windows Authentication | The account you used to log on to your Web application |
| Configured for Anonymous Access, but you manually changed the account used for anonymous access | The account you specified |
To find out how your system is configured, follow these steps:
- Start the Internet Information Services management console, which you’ll find under Administrative Tools, which in turn you’ll find either directly on the Start Menu or in the Windows Control Panel.
Figure 1: The Internet Information Services MMC snap-in
- Expand the tree in the left hand pane until you see Default Web Site. If you’re configuring another Web site, or a Virtual Directory / Application, locate that one instead. This article assumes you’re configuring the Default Web Site, so make sure you adjust any steps to match your situation if necessary.
- Right-click the Default Web Site in the tree at the left and choose Properties.
- Open the Directory Security tab and then click the Edit… button in the Anonymous access and authentication control section of the dialog. You’ll see a screen similar to this one appear:
Figure 2: The Authentication Methods dialog in IIS for the Default Web Site
If Anonymous access is checked (as in the screen shot above), the user name you see in the User name field is the account that IIS is using. If Anonymous access is not checked, and Basic and/or Integrated Windows authentication are checked, the account you use to log on to your Web site is used by IIS. Note that when Anonymous access is enabled, it doesn’t really matter whether Basic and/or Integrated authentication are checked as well; the account that IIS is using will still be the anonymous account, IUSR_MachineName by default.
- Finally you have to check whether your site is running Out of Process. To do so, close the Authentication Methods dialog, and switch to the Home Directory tab on the Default Web Site Properties dialog:
Figure 3: The Home Directory tab of the Default Web site Properties dialog
If Application Protection is set to High (Isolated) and you are using Anonymous Access, the account that IIS is using is the IWAM_MachineName account. In all other scenarios, IIS is using the account you determined in the previous step.
For ASP.NET, things are a bit different. By default, ASP.NET will run under a special account called ASPNET. This account is a “least privileged” account which means it’s pretty restricted in the things it can do on your system. To make things a bit more confusing, on Windows Server 2003, an account called “Network Service” is used by default instead of the ASPNET account.
So, whether you are using Anonymous Access or Basic / Integrated security, the account is always the ASPNET or Network Service account. However, you can change this by modifying the Web.Config file for the application. To make the change, add an `<identity impersonate="true" />` element to the `<system.web>` section. If you add the element, ASP.NET will impersonate the current user and use that account instead of the ASPNET account. This means that with Anonymous Access enabled, this account is the anonymous account. Usually, this will be the IUSR_MachineName account, but check out step 4 of the instructions for classic ASP to find out whether that is true in your situation.
If you’re not using Anonymous Access, but Basic or Integrated Security instead, the account that is used is the one that the current user is logged on with. You can also explicitly specify an account that you want to use by setting the userName and password attributes of the <identity> element.
The following table lists the various possibilities. The first column states whether or not impersonation has been enabled in the Web.Config file. The second and third columns list the resulting account for Anonymous Access and for no Anonymous Access respectively:
| ASP.NET Impersonation | Anonymous Access | No Anonymous Access (Basic, Integrated etc.) |
| --- | --- | --- |
| Disabled | ASPNET or Network Service account | ASPNET or Network Service account |
| Enabled | IUSR_MachineName | The authenticated user |
| Enabled with a specified user account | The specified account | The specified account |
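As an added check that is not part of the original FAQ, the following ASP.NET page reports the Windows account a request actually executes under, whether impersonation is in effect, and which row of the table above it corresponds to. It assumes .NET Framework 2.0 or later, full trust, and that you save it as whoami.aspx in the application root (the file name is an assumption).

```aspx
<%@ Page Language="C#" ContentType="text/plain" %>
<%@ Import Namespace="System.Security.Principal" %>
<script runat="server">
    // Diagnostic page added to this FAQ; not part of the original article.
    // Request it under each IIS / Web.Config combination from the table and
    // compare the result with the account you expected to see.
    protected void Page_Load(object sender, EventArgs e)
    {
        // The Windows token the request is executing under. This is the account
        // that NTFS and SQL Server permissions are actually checked against.
        WindowsIdentity executing = WindowsIdentity.GetCurrent();

        // Non-null only while ASP.NET is impersonating, i.e. when
        // <identity impersonate="true" /> took effect. When null, the request
        // runs as the worker process account (ASPNET, or Network Service on
        // Windows Server 2003).
        WindowsIdentity impersonated = WindowsIdentity.GetCurrent(true);

        // The user IIS authenticated; empty when Anonymous Access is in use.
        string logonUser = Request.ServerVariables["LOGON_USER"];
        if (logonUser == null) logonUser = "";

        // Default anonymous account, in the MACHINE\IUSR_MACHINE form
        // that WindowsIdentity.Name uses for local accounts.
        string anonymousAccount = Environment.MachineName + "\\IUSR_" + Environment.MachineName;

        Response.Write("Executing as:    " + executing.Name + "\n");
        Response.Write("Impersonating:   " + (impersonated != null) + "\n");
        Response.Write("IIS LOGON_USER:  " + (logonUser.Length == 0 ? "(anonymous)" : logonUser) + "\n");
        Response.Write("Authenticated:   " + User.Identity.IsAuthenticated + "\n");

        // Map the executing account onto the scenarios in the table.
        string verdict;
        if (impersonated == null)
            verdict = "worker process account; grant file/database permissions to " + executing.Name;
        else if (string.Compare(executing.Name, anonymousAccount, true) == 0)
            verdict = "anonymous account (IUSR_MachineName) via impersonation";
        else if (logonUser.Length > 0 && string.Compare(executing.Name, logonUser, true) == 0)
            verdict = "the authenticated user via impersonation";
        else
            verdict = "another account: a userName in <identity>, or a manually changed anonymous account";
        Response.Write("Scenario:        " + verdict + "\n");
    }
</script>
```

Because the page prints whatever account is in effect, remove it again once you have confirmed the configuration; it is only meant as a one-off check.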