a182612

What is the purpose of the IWAM account?

I don't really understand what this account is used for. I know I have to have the IUSR account for anonymous access from a web browser but not sure when to grant NTFS permission to the IWAM account.
ASKER CERTIFIED SOLUTION
dnojcd
This solution is only available to members.
In the following case also the IWAM_machinename account is used:

If the Web site or Virtual Directory / Application is configured for Anonymous Access, but runs out of process (the Application Protection is set to High in the Home Directory or Virtual Directory tab of your Web application).

a182612

ASKER

What kind of applications? I do use ASP forms on my web site to send data to a SQL database. Would this require the IWAM account on the NTFS permissions?

The IWAM account is the Internet Web Application Manager account.

It is used as the process ID for DLLHost in IIS 5 and 5.1 and can be used in 6.0 but is not the default.

In essence, every process has to have a process level ID in order to run.  If you do not use any other authentication and end up using the process level token to try and gain access to a resource you will end up using IWAM in an out of process site or application, or Local System when running in process.

When a user accesses IIS we will generally impersonate that user and use the thread level token to gain access to resources rather than the process level token.  COM objects will generally use the process level token unless specifically told to use a thread level token.

An important thing to remember is that Anonymous *is* an authentication method and we will end up impersonating the IUSR account when a user accesses the site via Anonymous authentication.

Bottom line, it is an account that is used to enable DLLHost to start and give default access to resources if no other authentication is performed.

Dave Dietz
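
An added example, not part of the original thread or any participant's code: a PowerShell audit that lists the NTFS ACEs held by the IUSR_ and IWAM_ accounts under a content directory and flags any that allow writes, so you can see which identity is actually granted access. The `C:\Inetpub\wwwroot` path and the function name `Get-IisAccountAce` are assumptions.

```powershell
# Added example: report NTFS ACEs held by IUSR_* / IWAM_* under a web root.
param([string]$WebRoot = 'C:\Inetpub\wwwroot')   # assumed content path

# Rights that let an account alter content or permissions (read bits excluded).
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# ACEs can also carry raw generic rights: GENERIC_ALL and GENERIC_WRITE.
$writeBits = $writeBits -bor 0x10000000 -bor 0x40000000

function Get-IisAccountAce {
    param([string]$Path)

    # The root itself plus everything beneath it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            # Matches MACHINE\IUSR_<machinename> and MACHINE\IWAM_<machinename>.
            if ($ace.IdentityReference.Value -notmatch '\\(IUSR|IWAM)_') { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }

            [pscustomobject]@{
                Path      = $item.FullName
                Account   = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                CanModify = (([int]$ace.FileSystemRights -band $writeBits) -ne 0)
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Writable grants first, then grouped by account.
Get-IisAccountAce -Path $WebRoot |
    Sort-Object @{ Expression = 'CanModify'; Descending = $true }, Account, Path |
    Format-Table -AutoSize
```

Rows with `Inherited` set to `False` are explicit grants made on that file or folder; inherited rows trace back to a parent directory's ACL.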