IIS AppPool Permissions for SQL Server (Add NT AUTHORITY \ IUSR)
I have a fresh build of a server running Windows Server 2012 R2, IIS 8.5 (including ClassicASP feature), and SQL Server 2014 Express. I want to use Application Pool Identity to connect to database. The database is configured for "Windows Authentication Mode".
The id of my application pool is called
. I created a security account in SQL Server called
and the user mapped it to a database with
However, when I try to access the database from the website, I get:
Unable to open database "ActivbaseLive" requested by login. Login failed.
I thought it was enough to make the connection work. Application log (Event Viewer) shows:
Login failed for user "NT AUTHORITY \ IUSR". Cause: The explicitly specified database "ActivbaseLive" could not be opened. [CUSTOMER:]
So I added
similarly to SQL Server> Security> Logins and Databases> [ActivbaseLive]> Security> Users and that fixes the problem.
My questions are:
- Should I add
login / user in addition to
login / user to the SQL Server instance and database?
- Is there a security issue? (NOTE: this will be a production environment).
Thank you, Chris
source to share
Not. You do not need to add a SQL Server login for identity
in addition to identity
. Logging on to the application pool identity only is
sufficient to connect to SQL Server using Windows authentication.
is the built-in Windows account that is used by default for authentication when Anonymous Authentication is enabled for your application . This page describes the rationale for the account.
To connect to a database with an ID
, you need to change the account configured for anonymous users from
to your application pool ID
. To make this change, follow these steps:
- Open Internet Information Services (IIS) Manager .
- In the Connections pane, find and click to select the website that hosts your application, such as Default Website. (If you want to customize a specific app on your website, you can select an app.)
- In the Features View in the center pane, double-click Authentication .
- Anonymous authentication will most likely be enabled in your setup. Right click on Anonymous Authentication and select Edit .
- In the Edit Anonymous Authentication Credentials dialog box , select the Application Pool ID option , and then click OK .
The question in the link below (and its answer) addresses the same problem:
Regarding your second question "Is there a security issue with this?", The answer is "Yes". It is advisable that the built-in account
does not have access to your SQL Server database as it is used as the default anonymous account on any other websites (and their applications) hosted on your IIS web server. This means that other websites and applications will be able to connect to your database. If they are compromised in an attack, they can be used to access your data. Therefore, it is best not to have a SQL Server login for
. Instead, restrict database access to your website's (or application's) application pool ID.
source to share