IIS AppPool Permissions for SQL Server (Add NT AUTHORITY \ IUSR)

I have a fresh build of a server running Windows Server 2012 R2, IIS 8.5 (including ClassicASP feature), and SQL Server 2014 Express. I want to use Application Pool Identity to connect to database. The database is configured for "Windows Authentication Mode".

The id of my application pool is called activbase.net

. I created a security account in SQL Server called IIS AppPool\activbase.net

and the user mapped it to a database with db_datareader

and db_datawriter


However, when I try to access the database from the website, I get:

Unable to open database "ActivbaseLive" requested by login. Login failed.

I thought it was enough to make the connection work. Application log (Event Viewer) shows:

Login failed for user "NT AUTHORITY \ IUSR". Cause: The explicitly specified database "ActivbaseLive" could not be opened. [CUSTOMER:]


similarly to SQL Server> Security> Logins and Databases> [ActivbaseLive]> Security> Users and that fixes the problem.

My questions are:

  • Should I add NT AUTHORITY\IUSR

    login / user in addition to IIS AppPool\activbase.net

    login / user to the SQL Server instance and database?
  • Is there a security issue? (NOTE: this will be a production environment).

Thank you, Chris


source to share

1 answer

Not. You do not need to add a SQL Server login for identity NT AUTHORITY\IUSR

in addition to identity IIS AppPool\activbase.net

. Logging on to the application pool identity only is IIS AppPool\activbase.net

sufficient to connect to SQL Server using Windows authentication.


is the built-in Windows account that is used by default for authentication when Anonymous Authentication is enabled for your application . This page describes the rationale for the account.

To connect to a database with an ID IIS AppPool\activbase.net

, you need to change the account configured for anonymous users from NT AUTHORITY\IUSR

to your application pool ID IIS AppPool\activbase.net

. To make this change, follow these steps:

  1. Open Internet Information Services (IIS) Manager .
  2. In the Connections pane, find and click to select the website that hosts your application, such as Default Website. (If you want to customize a specific app on your website, you can select an app.)
  3. In the Features View in the center pane, double-click Authentication .
  4. Anonymous authentication will most likely be enabled in your setup. Right click on Anonymous Authentication and select Edit .
  5. In the Edit Anonymous Authentication Credentials dialog box , select the Application Pool ID option , and then click OK .

The question in the link below (and its answer) addresses the same problem:

Login failed for user NT AUTHORITY \ IUSR

Regarding your second question "Is there a security issue with this?", The answer is "Yes". It is advisable that the built-in account NT AUTHORITY\IUSR

does not have access to your SQL Server database as it is used as the default anonymous account on any other websites (and their applications) hosted on your IIS web server. This means that other websites and applications will be able to connect to your database. If they are compromised in an attack, they can be used to access your data. Therefore, it is best not to have a SQL Server login for NT AUTHORITY\IUSR

. Instead, restrict database access to your website's (or application's) application pool ID.



All Articles