What is the purpose of the IWAM account?

Posted on 2006-04-11
Last Modified: 2012-05-05
I dont' really understand what this account is used for.  I know I have to have the IUSR account for anonymous access from a web browser but not sure when to grant NTFS permission to the IWAM account.
Question by:a182612
    LVL 10

    Accepted Solution

    IUSR is the account that IIS uses for anonymous access.  You need to grant
    NTFS permissions to this account on any content you want to server

    IWAM is used by the ASP process (dllhost.exe) to run applications set in
    either medium (pooled) or high protection.  You shouldn't need to do
    anything special with this account

    got the same form another forum :-)
    LVL 10

    Expert Comment

    in the following case also the IWAM_machinename account is used

    if  the Web site or Virtual Directory / Application is configured for Anonymous Access, but runs out of process (The Application Protection is set to High in the Home Directory or Virtual Directory tab of your Web application)


    Author Comment

    What kind of applications?  I do use asp forms on my web site to send data to a sql database.  Would this require the IWAM account on the NTFS permissions?
    LVL 34

    Expert Comment

    The IWAM account is the Internet Web Application manager account.

    It is used as the process ID for DLLHost in IIS 5 and 5.1 and can be used in 6.0 but is not the default.

    In essence, every process has to have a process level ID in order to run.  If you do not use any other authentication and end up using the process level token to try and gain access to a resource you will end up using IWAM in an out of process site or application, or Local System when running in process.

    When a user accesses IIS we will generally impersonate that user and use the thread level token to gain access to resources rather than the process level token.  COM objects will generally use the process level token unless specifically told to use a thread level token.

    An important thing to remember is that Anonymous *is* an authentication emthod and we will end up impersonating the IUSR account when a user accesses the site cvia Anonymous authentication.

    Bottom line, it is an account that is used to enable DLLHost to start and give default access to resources if no other authentication is performed.

    Dave Dietz

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to improve team productivity

    Quip adds documents, spreadsheets, and tasklists to your Slack experience
    - Elevate ideas to Quip docs
    - Share Quip docs in Slack
    - Get notified of changes to your docs
    - Available on iOS/Android/Desktop/Web
    - Online/Offline

    Here are the symptoms: You start receiving calls from users that one of your legacy web apps isn't coming up, so you log into your IIS 5 server to check it out.  When you pull up the services, you notice that the WWW Publishing service isn't runn…
    First of all, clustering IIS is something you should rarely consider doing. In almost all cases, Microsoft Network Load Balancing (NLB) ( is a much better solution when you need to p…
    In this sixth video of the Xpdf series, we discuss and demonstrate the PDFtoPNG utility, which converts a multi-page PDF file to separate color, grayscale, or monochrome PNG files, creating one PNG file for each page in the PDF. It does this via a c…
    Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    22 Experts available now in Live!

    Get 1:1 Help Now