Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

IIS Authentication

Posted on 2013-01-24
5
Medium Priority
?
236 Views
Last Modified: 2013-01-28
Hi,

In IIS 7 there is section on Authentication.  By default for Anonymous Authentication, the user identify is set to IUSR

Whilst its set to this I get SQL access errors.

If I change it to 'Application pool identity' the error goes away.

The application pool identity is set to 'Localsystem'

Presumably this is working because IIS is located on the same machine as the development environment and I'm logged on as the Administrator.

What should be the correct settings?
0
Comment
Question by:andyw27
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 34

Accepted Solution

by:
Paul MacDonald earned 2000 total points
ID: 38814351
What's correct depends on what you're doing, but I recommend leaving the IIS user as IUSR_whatever, and specifying a user and password in your connection string to SQL Server.  This gives you much more control and better security.
0
 
LVL 29

Expert Comment

by:becraig
ID: 38814352
The best practice would be having a specific account which is updated periodically for set as your app pool identiy.

This gives you the option of being able to add additional privileges as your app matures as well as minimizes the risk of any malicious activity on your system.

Create an account in your domain - limit logon ability etc- grant that acct permission to sql as well as to any other directories your app needs to access.

Getting your template right for this acct can be a bit tedious at first but it is your safest bet, built in accounts are too easily compromised for app pool identities.
0
 

Author Comment

by:andyw27
ID: 38814518
does not that create a risk that anybody can any user can open the web.config and and see password?
0
 
LVL 29

Expert Comment

by:becraig
ID: 38814534
If someone (risky) has access to your server's systemxx directory the app pool password would be the least of your worries :~)
0
 

Author Comment

by:andyw27
ID: 38814577
fair point
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Periodically we have to update or add SSL certificates for customers. Depending upon your hosting plan you may be responsible for the installation and/or key generation. In the wake of Heartbleed many sites were forced to re-key. We will concen…
Lease-to-own eliminates the expenditure of hardware replacement and allows you to pay off the server over time. Usually, this is much cheaper than leasing servers. Think of lease-to-own as credit without interest.
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question