I woke up early this morning and couldn’t get back to sleep, so I got to work early and tried to finish up a side project before my “regular” day began. I’m currently working on an internal web app that ties into multiple domain servers, and I quickly realized I needed to configure the web application pool to run as a domain user account. This proved much more involved than I ever thought possible.
Luckily I came across a blog post that explained the process, which did work properly. For higher visibility and distributed backup purposes I’m re-posting the content (with some minor edits) here:
While the answers are around already, the simplified listing of what to do when you create a user in your domain to run an IIS 6.0 application pool on Windows Server 2003 is:
1. Add the user to the IIS_WPG group on the web application server.
2. Run aspnet_regiis with the -ga flag and the domain-qualified user name (i.e. MyDomain\TheUser). This gives the app pool user the ability to read and write from appropriate files, etc. I thought this would be accomplished by adding the user to the group above, but it didn’t work until I had completed both of these steps.
3. Run setspn on the domain controller (you’ll need to have the toolkit installed) with the -A flag, the protocol name ‘HTTP’, the application server name (i.e. HTTP/myAppServer), and a second argument for the domain-qualified username (i.e. MyDomain\TheUser). All together that is ‘setspn -A HTTP/MyAppServer MyDomain\TheUser’. It is also recommended that you run the same command again, but with the fully qualified name of the app server.
Some security-minded folks will tell you that you shouldn’t actually do this anyhow, but if you must, this set of instructions will allow you to use a user with minimum permissions. Just make sure this user is not used for anything else – thus limiting the potential that the user will have an increasing permission set over time that no one can remember.
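The three steps above, scripted end to end, as an added example that is not part of the original post or of the blog it re-posts. It runs on the IIS 6.0 web server itself and assumes the Windows Server 2003 Support Tools (setspn) are installed there rather than on the domain controller; dsquery ships with Server 2003. Two things go beyond the listed steps and are my additions: a duplicate-SPN check with dsquery before each setspn -A (a second account holding the same HTTP/host SPN silently breaks Kerberos), and the adsutil.vbs metabase change that actually points the application pool at the account. MyDomain, TheUser, MyAppServer, the FQDN, the pool name and the .NET 2.0 aspnet_regiis path are placeholders.

```powershell
# Added example (not from the original post). Placeholders below must be
# replaced with your own domain, account, server names and app pool.
$Domain  = 'MyDomain'
$User    = 'TheUser'
$Account = "$Domain\$User"
$Server  = 'MyAppServer'                 # NetBIOS name of the web server
$Fqdn    = 'myappserver.mydomain.local'  # assumed FQDN of the web server
$AppPool = 'MyAppPool'                   # assumed IIS 6.0 application pool name
$AspNetRegiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
$AdsUtil      = Join-Path $env:SystemDrive 'Inetpub\AdminScripts\adsutil.vbs'

# Run a native command and stop on a non-zero exit code instead of carrying on.
function Invoke-Checked([string]$Exe, [string[]]$ArgList) {
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $ArgList failed (exit code $LASTEXITCODE)" }
}

# Step 1: local IIS_WPG membership on the web server (skip if already a member).
$members = & net localgroup IIS_WPG
if (-not ($members -match [regex]::Escape($Account))) {
    Invoke-Checked 'net' @('localgroup', 'IIS_WPG', $Account, '/add')
}

# Step 2: grant the ASP.NET file and metabase ACLs the worker process needs.
Invoke-Checked $AspNetRegiis @('-ga', $Account)

# Step 3: register HTTP/<host> and HTTP/<fqdn> on the account, refusing to
# create a duplicate if some other account already holds the SPN (my addition).
foreach ($spn in @("HTTP/$Server", "HTTP/$Fqdn")) {
    $raw = & dsquery * domainroot -filter "(servicePrincipalName=$spn)" -attr sAMAccountName
    $owners = @($raw | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne 'sAMAccountName' })
    if ($owners -contains $User) { continue }           # already registered on our account
    if ($owners.Count -gt 0) {
        throw "$spn is already held by $($owners -join ', '); fix that before registering it again"
    }
    Invoke-Checked 'setspn' @('-A', $spn, $Account)
}
& setspn -L $Account                                    # show what the account now holds

# Point the app pool at the account (metabase: AppPoolIdentityType 3 = specific user).
# This step is not in the original list; it is what the rest of the post assumes you did.
$secure = Read-Host "Password for $Account" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$poolPath = "W3SVC/AppPools/$AppPool"
Invoke-Checked 'cscript' @('//nologo', $AdsUtil, 'SET', "$poolPath/AppPoolIdentityType", '3')
Invoke-Checked 'cscript' @('//nologo', $AdsUtil, 'SET', "$poolPath/WAMUserName", $Account)
Invoke-Checked 'cscript' @('//nologo', $AdsUtil, 'SET', "$poolPath/WAMUserPass", $plain)
$plain = $null

# Recycle the pool so the new identity takes effect.
Invoke-Checked 'cscript' @('//nologo', (Join-Path $env:windir 'system32\iisapp.vbs'), '/a', $AppPool, '/r')
```

Run it in a PowerShell session as a local administrator on the web server; the setspn -A calls additionally need an account allowed to write servicePrincipalName on TheUser (a domain admin or a delegated right), which is why the original post runs that step on the domain controller. The dsquery check is the part worth keeping even if you do the rest by hand: register the SPN only once, on only this account, and the account stays the single-purpose identity the last paragraph asks for.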