How Do I Determine the Security Account that IIS Uses to Run My Web Site?

It’s important to understand the account that IIS is running under when you need to make changes to the security settings. If, for example, your Web application writes to files or to a database, you’ll need to grant the correct permissions to the folder or database.
Before you can change these security settings, it’s important to know what account IIS is using. This FAQ details the various options available, both for “classic” ASP and ASP.NET applications.

There is a big difference between classic ASP and ASP.NET applications when it comes to determining the user context that IIS is running under, so this FAQ is divided into two subsections that explain how to determine the account that IIS uses:

* Classic ASP
* ASP.NET

Classic ASP

By default, for a Web site that allows anonymous access, this account is called IUSR_MachineName, where MachineName is the name of your computer. However, when you are using a security mechanism in IIS other than Anonymous Access, when you have manually changed the account that IIS uses, or when you’re running your Web site “Out Of Process”, you’re likely to encounter another user account. The following table lists the possible user accounts that IIS uses in various scenarios:

| Scenario | Account Used |
| --- | --- |
| The Web site or Virtual Directory / Application is configured for Anonymous Access | IUSR_MachineName |
| The Web site or Virtual Directory / Application is configured for Anonymous Access, but runs out of process (the Application Protection is set to High in the Home Directory or Virtual Directory tab of your Web application) | IWAM_MachineName |
| The Web site or Virtual Directory / Application is configured for Basic Authentication or Integrated Windows Authentication | The account you used to log on to your Web application |
| The Web site or Virtual Directory / Application is configured for Anonymous Access, but you manually changed the account used for anonymous access | The account you specified |


To find out how your system is configured, follow these steps:

  1. Start the Internet Information Services management console, which you’ll find under Administrative Tools, which in turn you’ll find either directly on the Start Menu or in the Windows Control Panel.
    Figure 1: The Internet Information Services MMC snap-in
  2. Expand the tree in the left hand pane until you see Default Web Site. If you’re configuring another Web site, or a Virtual Directory / Application, locate that one instead. This article assumes you’re configuring the Default Web Site, so make sure you adjust any steps to match your situation if necessary.
  3. Right-click the Default Web Site in the tree at the left and choose Properties.
  4. Open the Directory Security tab and then click the Edit… button in the Anonymous access and authentication control section of the dialog. You’ll see a screen similar to this one appear:
    Figure 2: The Authentication Methods dialog in IIS for the Default Web Site

    If Anonymous access is checked (as in the screen shot above), the user name you see in the User name field is the account that IIS is using. If Anonymous access is not checked, and Basic and / or Integrated Windows authentication are checked, the account you use to log on to your Web site is used by IIS. Note that when Anonymous access is enabled, it doesn’t really matter whether Basic and / or Integrated authentication are checked as well; the account that IIS is using will still be the anonymous, or IUSR_MachineName, account.

  5. Finally, you have to check whether your site is running Out of Process. To do so, close the Authentication Methods dialog, and switch to the Home Directory tab on the Default Web Site Properties dialog:
    Figure 3: The Home Directory tab of the Default Web site Properties dialog

    If Application Protection is set to High (Isolated) and you are using Anonymous Access, the account that IIS is using is the IWAM_MachineName account. In all other scenarios, IIS is using the account you determined in the previous step.


ASP.NET

For ASP.NET, things are a bit different. By default, ASP.NET will run under a special account called ASPNET. This account is a “least privileged” account which means it’s pretty restricted in the things it can do on your system. To make things a bit more confusing, on Windows Server 2003, an account called “Network Service” is used by default instead of the ASPNET account.

So, whether you are using Anonymous Access or Basic / Integrated security, the account is always the ASPNET or Network Service account. However, you can change this by modifying the Web.Config file for the application. To make the change, you can add an <identity impersonate="true" /> element to the <system.web> section. If you add the element, IIS will impersonate the current user and use that account instead of the ASPNET account. This means that with Anonymous Access enabled, this account is the anonymous account. Usually, this will be the IUSR_MachineName account, but check out step 4 of the instructions for classic ASP to find out whether that is true or not in your situation.

If you’re not using Anonymous Access, but Basic or Integrated Security instead, the account that is used is the one that the current user is logged on with. You can also explicitly specify an account that you want to use by setting the userName and password attributes of the <identity> element.

The following table lists the various possibilities. The first column determines whether or not impersonation has been enabled in the Web.Config file. The second and third columns list the options for Anonymous Access and no Anonymous Access respectively:

| ASP.NET Impersonation | Anonymous Access | No Anonymous Access (Basic, Integrated etc) |
| --- | --- | --- |
| Disabled | ASPNET or Network Service account | ASPNET or Network Service account |
| Enabled | IUSR_MachineName | The authenticated user |
| Enabled with a specified user account | The specified account | The specified account |
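
The table above as a check you can run against the contents of a Web.Config file, as an added example that is not part of the original FAQ. The function name, its parameters and the sample configurations are hypothetical, and it assumes the <configuration> element carries no xmlns attribute.

```powershell
# Added example: resolve the account an ASP.NET application runs as, following
# the impersonation table above. Function and parameter names are hypothetical.
function Get-AspNetEffectiveAccount {
    param(
        [Parameter(Mandatory)] [string] $WebConfigXml,    # contents of Web.Config
        [Parameter(Mandatory)] [bool]   $AnonymousAccess, # Directory Security setting in IIS
        # Account shown in the Authentication Methods dialog (step 4 for classic ASP).
        [string] $AnonymousAccount = 'IUSR_MachineName',
        [string] $WorkerAccount    = 'ASPNET or Network Service'
    )

    # Assumption: no xmlns on <configuration>, so a plain XPath matches.
    $identity = ([xml]$WebConfigXml).SelectSingleNode('/configuration/system.web/identity')

    # No <identity> element, or impersonate is not "true": impersonation is disabled.
    if ($null -eq $identity -or $identity.GetAttribute('impersonate') -ne 'true') {
        return $WorkerAccount
    }

    # Impersonation with an explicit userName uses that account in every case.
    # Note that the matching password attribute is readable by anyone who can
    # read the file, so check the ACL on Web.Config when this row applies.
    $userName = $identity.GetAttribute('userName')
    if ($userName) { return $userName }

    # Plain impersonation: the anonymous account, or whoever logged on.
    if ($AnonymousAccess) { return $AnonymousAccount }
    return 'The authenticated user'
}

# Constructed sample Web.Config contents, one per row of the table.
$samples = [ordered]@{
    'Disabled'  = '<configuration><system.web /></configuration>'
    'Enabled'   = '<configuration><system.web><identity impersonate="true" /></system.web></configuration>'
    'Specified' = '<configuration><system.web><identity impersonate="true" userName="EXAMPLE\WebAppUser" password="placeholder" /></system.web></configuration>'
}

# Print one line per table cell: impersonation mode, anonymous setting, account.
foreach ($name in $samples.Keys) {
    foreach ($anon in $true, $false) {
        [pscustomobject]@{
            Impersonation   = $name
            AnonymousAccess = $anon
            Account         = Get-AspNetEffectiveAccount -WebConfigXml $samples[$name] -AnonymousAccess $anon
        }
    }
}
```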
