IIS AppPool Permissions for SQL Server (Add NT AUTHORITY \ IUSR)
I have a fresh build of a server running Windows Server 2012 R2, IIS 8.5 (including ClassicASP feature), and SQL Server 2014 Express. I want to use Application Pool Identity to connect to database. The database is configured for "Windows Authentication Mode".
The id of my application pool is called activbase.net
. I created a security account in SQL Server called IIS AppPool\activbase.net
and the user mapped it to a database with db_datareader
and db_datawriter
access.
However, when I try to access the database from the website, I get:
Unable to open database "ActivbaseLive" requested by login. Login failed.
I thought it was enough to make the connection work. Application log (Event Viewer) shows:
Login failed for user "NT AUTHORITY \ IUSR". Cause: The explicitly specified database "ActivbaseLive" could not be opened. [CUSTOMER:]
So I added NT AUTHORITY\IUSR
similarly to SQL Server> Security> Logins and Databases> [ActivbaseLive]> Security> Users and that fixes the problem.
My questions are:
- Should I add
NT AUTHORITY\IUSR
login / user in addition toIIS AppPool\activbase.net
login / user to the SQL Server instance and database? - Is there a security issue? (NOTE: this will be a production environment).
Thank you, Chris
source to share
Not. You do not need to add a SQL Server login for identity NT AUTHORITY\IUSR
in addition to identity IIS AppPool\activbase.net
. Logging on to the application pool identity only is IIS AppPool\activbase.net
sufficient to connect to SQL Server using Windows authentication.
NT AUTHORITY\IUSR
is the built-in Windows account that is used by default for authentication when Anonymous Authentication is enabled for your application . This page describes the rationale for the account.
To connect to a database with an ID IIS AppPool\activbase.net
, you need to change the account configured for anonymous users from NT AUTHORITY\IUSR
to your application pool ID IIS AppPool\activbase.net
. To make this change, follow these steps:
- Open Internet Information Services (IIS) Manager .
- In the Connections pane, find and click to select the website that hosts your application, such as Default Website. (If you want to customize a specific app on your website, you can select an app.)
- In the Features View in the center pane, double-click Authentication .
- Anonymous authentication will most likely be enabled in your setup. Right click on Anonymous Authentication and select Edit .
- In the Edit Anonymous Authentication Credentials dialog box , select the Application Pool ID option , and then click OK .
The question in the link below (and its answer) addresses the same problem:
Login failed for user NT AUTHORITY \ IUSR
Regarding your second question "Is there a security issue with this?", The answer is "Yes". It is advisable that the built-in account NT AUTHORITY\IUSR
does not have access to your SQL Server database as it is used as the default anonymous account on any other websites (and their applications) hosted on your IIS web server. This means that other websites and applications will be able to connect to your database. If they are compromised in an attack, they can be used to access your data. Therefore, it is best not to have a SQL Server login for NT AUTHORITY\IUSR
. Instead, restrict database access to your website's (or application's) application pool ID.
source to share