Must IIS_WPG "Impersonate a client after authentication"?

Point of my Scenario:
1. I am admin of a Windows Server 2003 domain
2. A member server running Windows Server 2003 is implemented as an IIS web server
3. There is a configured user right that is assigned to the IIS_WPG account on the member server: "Impersonate a client after authentication". Administrators and SERVICE accounts are also assigned this user right.

QUESTION: Why does the IIS_WPG group need this user right?

REASON: I need to know if I can remove this group (IIS_WPG) from the specified user right without breaking the web application/web service on this server. I will have to document documentation for retaining or removing this user right from the IIS_WPG group.
waforbes100 (Senior IT Specialist) asked:

r_panos commented:
IIS_WPG group membership provides the necessary user rights and permissions required to run an application. You MUST NOT delete it or alter it.

For more information, check:

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3648346f-e4f5-474b-86c7-5a86e85fa1ff.mspx?mfr=true
0
tonyenkiducx commented:
This is quite a complex question, and really depends on what you are doing with your web service/app.  But to explain how it works...

The IIS_WPG group (there is no IIS_WPG account as such) is assigned this right to allow pass-through authentication from clients when any program running under that group wants to handle impersonation for another user/account/group.  Network Service is the default account that runs IIS and it is part of the IIS_WPG group by default.  For Network Service to open application pools and worker processes that can impersonate for users, this right must be switched on.  So ask yourself these questions:

Do you have impersonation configured in your app?
Do you actually use the impersonation? (Turn it off to check)
Are you using rights from a Windows DC to authenticate front-end users?

If you answered yes, maybe or probably to any of those, then you don't want to turn it off.

Cheers,
Tony.
0
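
A static check for the first and third of the questions above, as an added example that is not part of the thread. It assumes the user rights were exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS` (where "Impersonate a client after authentication" appears as `SeImpersonatePrivilege`) and that the application is ASP.NET with a `web.config`; the function names and both samples are constructed for illustration, and treating Windows authentication mode as a "yes" to the third question is an assumption.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed sample of a secedit USER_RIGHTS export (not from a real server).
# *S-1-5-32-544 is Administrators and *S-1-5-6 is SERVICE (well-known SIDs).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,IIS_WPG
SeBatchLogonRight = IIS_WPG
[Version]
signature="$CHICAGO$"
"""

# Constructed sample ASP.NET web.config (no XML namespace on the root).
SAMPLE_WEB_CONFIG = """\
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" />
  </system.web>
</configuration>
"""

def impersonate_holders(inf_text):
    """Accounts holding "Impersonate a client after authentication"."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the case of the privilege names
    cp.read_string(inf_text)
    raw = cp.get("Privilege Rights", "SeImpersonatePrivilege", fallback="")
    return [a.strip() for a in raw.split(",") if a.strip()]

def app_impersonation(web_config_text):
    """Return (impersonation enabled, authentication mode) from web.config."""
    root = ET.fromstring(web_config_text)
    identity = root.find("system.web/identity")
    auth = root.find("system.web/authentication")
    enabled = identity is not None and identity.get("impersonate", "false").lower() == "true"
    return enabled, (auth.get("mode") if auth is not None else None)

def removal_is_risky(inf_text, web_config_text, group="IIS_WPG"):
    """True when the group holds the right and the app is configured to impersonate."""
    holds = group.lower() in (a.lower() for a in impersonate_holders(inf_text))
    enabled, mode = app_impersonation(web_config_text)
    return holds and (enabled or mode == "Windows")

if __name__ == "__main__":
    print(impersonate_holders(SAMPLE_INF), removal_is_risky(SAMPLE_INF, SAMPLE_WEB_CONFIG))
```

The second question (whether impersonation is actually used at run time) cannot be answered from configuration files and still needs the "turn it off to check" test on a non-production copy.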

waforbes100 (Senior IT Specialist, Author) commented:
To Tonyenkiducx: this is exactly the information I needed. The answer was "yes" to all 3 of the determining questions posed. Many thanks!
0
Microsoft IIS Web Server