Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8324
  • Last Modified:

What is the purpose of the IWAM account?

I dont' really understand what this account is used for.  I know I have to have the IUSR account for anonymous access from a web browser but not sure when to grant NTFS permission to the IWAM account.
  • 2
1 Solution
IUSR is the account that IIS uses for anonymous access.  You need to grant
NTFS permissions to this account on any content you want to server

IWAM is used by the ASP process (dllhost.exe) to run applications set in
either medium (pooled) or high protection.  You shouldn't need to do
anything special with this account

got the same form another forum :-)
in the following case also the IWAM_machinename account is used

if  the Web site or Virtual Directory / Application is configured for Anonymous Access, but runs out of process (The Application Protection is set to High in the Home Directory or Virtual Directory tab of your Web application)

a182612Author Commented:
What kind of applications?  I do use asp forms on my web site to send data to a sql database.  Would this require the IWAM account on the NTFS permissions?
The IWAM account is the Internet Web Application manager account.

It is used as the process ID for DLLHost in IIS 5 and 5.1 and can be used in 6.0 but is not the default.

In essence, every process has to have a process level ID in order to run.  If you do not use any other authentication and end up using the process level token to try and gain access to a resource you will end up using IWAM in an out of process site or application, or Local System when running in process.

When a user accesses IIS we will generally impersonate that user and use the thread level token to gain access to resources rather than the process level token.  COM objects will generally use the process level token unless specifically told to use a thread level token.

An important thing to remember is that Anonymous *is* an authentication emthod and we will end up impersonating the IUSR account when a user accesses the site cvia Anonymous authentication.

Bottom line, it is an account that is used to enable DLLHost to start and give default access to resources if no other authentication is performed.

Dave Dietz

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now