Application Pool Identity and Integrated Security

To enhance security and simplify configuration and maintenance, Anthology Student will use (by default) application pool identity and integrated security to access local and network resources such as SQL Server.

Application Pool Identity

Application pool identity was introduced in Service Pack 2 (SP2) of Windows Server 2008. An application pool identity allows you to run an IIS application pool under a unique account without having to create and manage domain or local accounts. This unique account is ideal for running web applications as it has limited access to resources, uses the machine account which cannot be impersonated, and does not require you to store passwords within configuration files.

When using application pool identity, local resources are accessed using the identity of the application pool (e.g., IIS AppPool\DefaultAppPool) and network resources are accessed using the identity of the machine account (e.g., CMC\WebServer1$).

ApplicationPoolIdentity is the Microsoft-recommended (and default) identity for IIS application pools. For more information on application pool identity and how to secure local and network resources, please read Application Pool Identities on iis.net.

Integrated Security

Integrated security uses the identity that is executing the process to authenticate against SQL Server. Integrated security is more secure than SQL Server authentication as it does not require credentials to be present within the database connection string. When using application pool identity with integrated security, connections to SQL Server use the identity of the application pool or machine account.

SQL Server Authentication

Data Source=Server01; Initial Catalog=CampusVue; User ID=username; Password=password

Integrated Security

Data Source=Server01; Initial Catalog=CampusVue; Integrated Security=True

Application Pool Identity for Anthology Student

  • By default, ApplicationPoolIdentity will be the identity used by the application pool (CampusNexusStudentAppPool).

  • By default, all connection strings within the web.config will use integrated security.

It is a common and recommended practice to use an Active Directory group to maintain the list of application servers that have access to the database. This allows you to associate resource access to the group as a whole rather than each individual application server.

To authorize a web server’s access to the SQL server:

  1. On the server that hosts the SQL database for Anthology Student, open Microsoft SQL Server Management Studio.

  2. Connect to the database and in Object Explorer navigate to Security.

  3. Right-click Logins and select 'New Login...'.

    Security > New Login

  4. Grant access to the SQL server to CampusNexusStudentAppPool.

    • If SQL Server is running on a different machine than the web server (most common):

      In the Login name field of the Login - New window, enter the web server's machine account (ServerName$) in the following form. (Do not click Search.)

      Domain\ServerName$

      For example:

      CMC\WebServer1$
    • If SQL Server is running on the same machine as the web server:

      Add the application pool account to the database:

      IIS AppPool\appPoolName

      For example:

      IIS AppPool\CampusNexusStudentAppPool 
  5. Make sure to give DB_Owner access to the Anthology Student database.
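
The same authorization can be scripted in T-SQL instead of clicking through Management Studio. This is an added example, not part of the original documentation or the product's own scripts. It assumes the example machine account CMC\WebServer1$ from the steps above and the database name CampusVue from the sample connection string; replace both with your own values.

```sql
-- Added example: T-SQL equivalent of steps 3-5 above. Safe to re-run.
-- Assumptions: login name and database name are the page's sample values.
DECLARE @login sysname = N'CMC\WebServer1$';  -- SQL Server on a different machine
-- Same-machine case from step 4:
--   DECLARE @login sysname = N'IIS AppPool\CampusNexusStudentAppPool';
-- AD group case (hypothetical group name):
--   DECLARE @login sysname = N'CMC\AnthologyWebServers';
DECLARE @sql nvarchar(max);

-- Steps 3-4: create the Windows login on the instance if it does not exist.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@login) + N' FROM WINDOWS;';
    EXEC sys.sp_executesql @sql;
END;

-- Step 5: map the login into the application database and grant db_owner.
USE CampusVue;

IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @login)
BEGIN
    SET @sql = N'CREATE USER ' + QUOTENAME(@login)
             + N' FOR LOGIN ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;
END;

IF ISNULL(IS_ROLEMEMBER(N'db_owner', @login), 0) = 0
BEGIN
    SET @sql = N'ALTER ROLE db_owner ADD MEMBER ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- Check: list the database roles the principal now holds.
SELECT dp.name      AS principal_name,
       dp.type_desc AS principal_type,
       r.name       AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r  ON r.principal_id  = m.role_principal_id
JOIN sys.database_principals AS dp ON dp.principal_id = m.member_principal_id
WHERE dp.name = @login;
```

Run it as a login that can create logins on the instance and manage users in the database. The final query should return one row with role_name db_owner.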