
I'm trying to move an old internal web site into its own app pool run by its own service account, so that I can get finer-grained control over its permissions and such.

The site is set up to use NTLM authentication and it's not quite large enough for me to want to bother setting up Kerberos. The NTLM auth works fine under the old, default app pool, but when I moved the site to the new app pool and set the Identity to be that of the service account, any attempt to load the page would result in three login prompts followed by a 401.1 error (basically, what gets described here, except that Kerberos shouldn't be involved anywhere).

The service account is in the IIS_WPG group. I checked to make sure that the service account and the user trying to access the site both had access to the site's directory, and they do (both have read/execute, write, list contents, and modify). I also turned on Anonymous Access and was able to load the site that way (I then turned it back off for further testing).

Out of curiosity, I tried setting the app pool back to the default account and tried again without changing any other settings. This time it worked just fine--the user was seamlessly and correctly authenticated by the site without any issues. Naturally, this confuses me a little, since I didn't change any other settings.

Are there some permissions inherent to the default IIS account that would allow this? Is there a permission I need added to my service account so that it can authenticate users with Active Directory?

1 Answer


Is the account a member of the local IIS_WPG group?

https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3648346f-e4f5-474b-86c7-5a86e85fa1ff.mspx?mfr=true

The IIS IIS_WPG group account has the minimum permissions and user privileges that are necessary to start and run a worker process on a Web server. Application pool identities must be members of this group so the application pool can register with Http.sys. The following table shows the default user privileges for the IIS_WPG account, along with how each privilege is derived.

| Privilege | Source |
| --- | --- |
| Access this computer from the network (SeNetworkLogonRight) | Through membership in the Everyone group |
| Bypass traverse checking (SeChangeNotifyPrivilege) | Through membership in the Everyone group |
| Impersonate a client after authentication (SeImpersonatePrivilege) | Explicit assignment |
| Log on as a batch job (SeBatchLogonRight) | Explicit assignment |
Greg Askew
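A quick way to verify the two things the answer points at (IIS_WPG membership, and the explicitly assigned rights from the table) for a given service account. This is an added example, not code from the question or the answer: it assumes a Windows host with net.exe and secedit.exe, a local IIS_WPG group (the IIS 6 worker-process group the linked article describes), and the account name below is a placeholder.

```powershell
# Added example: check an app-pool service account against the answer's table.
# Assumes Windows PowerShell, net.exe and secedit.exe; the account name is a placeholder.
$Account = 'DOMAIN\svc-oldsite'   # placeholder, replace with the real service account

function Get-AccountSid([string]$Name) {
    # Resolve an account or local group name to its SID string
    (New-Object System.Security.Principal.NTAccount($Name)).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Local group membership: net.exe prints IIS_WPG members one per line
$members = net localgroup IIS_WPG 2>$null
$inGroup = [bool]($members -match [regex]::Escape($Account))
Write-Host ("IIS_WPG member: {0}" -f $inGroup)

# 2. Export the local user-rights assignments (the [Privilege Rights] section
#    lists each right as 'SeXxx = *SID,*SID,...') and look for the account's SID
#    or the IIS_WPG group's SID. Rights inherited through other nested groups
#    are not resolved by this check.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$sids = @()
foreach ($name in $Account, 'IIS_WPG') {
    try { $sids += Get-AccountSid $name } catch { Write-Warning "Could not resolve $name" }
}
$rights = Get-Content $cfg | Where-Object { $_ -match '^Se\w+\s*=' }
foreach ($right in 'SeImpersonatePrivilege', 'SeBatchLogonRight') {
    $line = $rights | Where-Object { $_ -like "$right*" }
    $held = $false
    foreach ($sid in $sids) {
        if ($line -and ($line -match [regex]::Escape("*$sid"))) { $held = $true }
    }
    Write-Host ("{0}: {1}" -f $right, $held)
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run it in an elevated prompt on the web server; secedit needs administrative rights to export the policy. If both rights report False for the account and for IIS_WPG, the pool identity is missing the explicit assignments the table lists, which is the first thing to compare against a working default-pool identity.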