The ApplicationPoolIdentity is a virtual account in Windows that is dynamically generated when the application pool is created and takes on the name of the application pool in this manner: IIS Apppool\<name of application pool>. For instance, the application pool MyApp would have a virtual account created under the name IIS Apppool\MyApp when instantiated. Read here for more information about the ApplicationPoolIdentity and here for Windows virtual accounts.

Since Windows creates a dynamic virtual account for the application pool, there is no fixed identity or Windows user account to assign to a SQL login for data access. This makes it difficult to map the application pool to a SQL login. This blog post shows how to add a SQL login on a local and on a remote SQL Server so that the applications hosted in an application pool can access the SQL Server.

Side note: The IIS authentication method, anonymous or Windows, makes no difference to the access to the SQL Server. The security principal used to connect to the SQL Server is the one set up as the Identity in the application pool configuration.

On a local SQL Server, the login request will appear as the IIS application pool identity. For instance, if the application pool is called AuthTest, the login will appear as IIS Apppool\AuthTest.

On a remote SQL Server, the login request will appear as the machine name, since the built-in account is attempting to access SQL. For example, the server IIS01 will appear as domain\IIS01$ in a SQL trace.

To validate the connection to SQL, run a SQL trace with the Audit Login Failed and User Error Message events enabled; this will show the account attempting to access SQL. Or, check the SQL log files.

To Add the Account to SQL:

The steps to add the login are the same for a local or a remote SQL Server. However, the identity to add differs depending on whether SQL Server is installed locally or on a remote server.

For a local SQL Server:

  • Open SQL Server Management Studio (SSMS) and connect to the SQL Server.
  • Open the Security folder at the server level and not the security folder for the database.
  • Right-click Logins and select New Login.
  • For the login, type IIS APPPOOL\AppPoolName, DO NOT CLICK SEARCH, and select OK. (If a search is executed, it will resolve to an account with ServerName\AppPool Name, and SQL will be unable to resolve the account’s SID since it is virtual.)
  • Select the defaults for the account and select OK to close the dialog.

The same can be accomplished using T-SQL:

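-- Server-level login for the application pool's virtual account
CREATE LOGIN [IIS APPPOOL\AuthTest] FROM WINDOWS;
-- Run in the application's database to map the login to a database user
CREATE USER AuthTest FOR LOGIN [IIS APPPOOL\AuthTest];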

For a remote SQL Server:

  • Open SQL Server Management Studio (SSMS) and connect to the SQL Server.
  • Open the Security folder at the server level and not the security folder for the database.
  • Right-click Logins and select New Login.
  • For the login, type Domain\ServerName$ and DO NOT CLICK SEARCH.
  • Select OK.
  • Select the defaults for the account and select OK to close the dialog.

Using T-SQL:

-- A Windows login must be given as Domain\Name; the machine account ends in $
CREATE LOGIN [Domain\ServerName$] FROM WINDOWS;

In web.config, set Integrated Security=SSPI in the connection string.
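
A consolidated version of the steps above, as an added example that is not part of the original post: it finds the rejected account in the error log, creates the login only if it is missing, maps it into a database and checks the result. AppDb is a hypothetical database name, and the read/write role choice is an assumption about what the application needs.

```sql
-- Added example, not from the original post. Run in SSMS or sqlcmd
-- (GO is their batch separator). AppDb is a hypothetical database name.

-- 1. See which account SQL Server is rejecting (current SQL Server error log).
EXEC sp_readerrorlog 0, 1, N'Login failed';
GO

-- 2. Create the server login only if it does not exist yet.
--    Local SQL Server: the app pool virtual account, as below.
--    Remote SQL Server: use [Domain\ServerName$] here and in step 3. That is
--    the machine account, shared by every app pool on that server that runs
--    under a built-in identity, so keep its grants minimal.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'IIS APPPOOL\AuthTest')
    CREATE LOGIN [IIS APPPOOL\AuthTest] FROM WINDOWS;
GO

-- 3. Map the login to a user in the application database and grant
--    read/write roles only (assumed need) rather than db_owner.
USE AppDb;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'AuthTest')
    CREATE USER AuthTest FOR LOGIN [IIS APPPOOL\AuthTest];
IF IS_ROLEMEMBER(N'db_datareader', N'AuthTest') = 0
    ALTER ROLE db_datareader ADD MEMBER AuthTest;
IF IS_ROLEMEMBER(N'db_datawriter', N'AuthTest') = 0
    ALTER ROLE db_datawriter ADD MEMBER AuthTest;
GO

-- 4. Verify: login, mapped user and role memberships in this database.
SELECT sp.name AS login_name, sp.type_desc,
       dp.name AS db_user, r.name AS role_name
FROM sys.server_principals AS sp
JOIN sys.database_principals AS dp ON dp.sid = sp.sid
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE sp.name = N'IIS APPPOOL\AuthTest';
```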
