Must IIS_WPG "Impersonate a client after authentication"?

Point of my Scenario:
1. I am admin of a Windows Server 2003 domain
2. A member server running Windows Server 2003 is implemented as an IIS web server
3. There is a configured user right that is assigned to the IIS_WPG account on the member server: "Impersonate a client after authentication". Administrators and SERVICE accounts are also assigned this user right.

QUESTION: Why does the IIS_WPG group need this user right?

REASON: I need to know if I can remove this group ( IIS_WPG) from the specified user right without breaking the web application/web service on this server. I will have to document documentation for retaining or removing this user right from the IIS_WPG group.
waforbes100Asked:
Who is Participating?
 
tonyenkiducxConnect With a Mentor Commented:
This is quite a complex question, and really depends on what you are doing with your web service/app.  But to explain how it works...

The IIS_WPG group(There is no IIS_WPG account as such) is assigned this right to allow pass-through authentication from clients when any program running under that group wants to handle impersonation for another user/account/group.  Network Service is the default account that runs IIS and it is part of the IIS_WPG group by default.  For Network Service to open application pools and worker processes that can impersonate for users, this right must be switched on.  So ask yourself these questions;

Do you have impersonation configured in your app?
Do you actually use the impersonation?(Turn it off to check)
Are you using rights from a windows DC to authenticate front-end users?

If you answered yes, maybe or probably to any of those, then you don't want to turn it off.

Cheers,
Tony.
0
 
r_panosConnect With a Mentor Commented:
IIS_WPG group membership provides the necessary user rights and permissions required to run an application. You MUST NOT delete it or alter it.

For more informations check the :

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3648346f-e4f5-474b-86c7-5a86e85fa1ff.mspx?mfr=true
0
 
waforbes100Author Commented:
To Tonyenkiducx: this is exactly the information I needed. The answer was "yes" to all 3 of the determining questions posed. Many thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.