
I have an IIS 7.5 server with a number of applications in a single Application Pool. Some of these applications access a SQL Server 2008 R2 Filestream on a remote machine, on the same domain.

The application pool runs with the ApplicationPoolIdentity identity, and everything works fine. Now I have the need to move a couple of these applications to a new Application Pool. The problem is, even if I create the new Application Pool with the same settings, I'm unable to access the FileStream and I get the infamous "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'".

The problem is not the configuration of the SQL Server or of the machine IIS is running on, otherwise I wouldn't be able to access the server from the other pool. On the other side, the two pools seem to be configured identically. If I set the identity of the new pool to Network Service the error disappears.

What am I missing?

Edit: I'd like to add that there is a single site running on IIS that runs all the applications and application pools. In the Authentication page of the site, all entries are disabled (ASP.NET Impersonation, Forms Authentication, Windows Authentication...), except for Anonymous Authentication. The applications that run on the server are solely web services.

Marco Righele
  • So you set the identity of the new application pool to Network Service and the issue is resolved? What is the identity of the main app pool currently? Another important thing to check is that the site is configured to run under the application pool identity under the Authentication module or it could be ignoring your appPool id setting and using its own there. – Brock Hensley May 16 '13 at 13:19
  • Yes, using Network Service as identity solves the issue. The main app pool runs under ApplicationPoolIdentity, and that is what puzzles me. The server has a single site that runs all the applications and application pools. The authentication settings for the site are all set to disabled, except for Anonymous Authentication. – Marco Righele May 16 '13 at 14:05
  • Right click that anonymous authentication and Edit/View the settings. You can either "Use application pool identity" or something else, make sure it's using the application pool identity and it will use whatever ID you set at the app pool level (i.e. set app pool to run as NetworkService). – Brock Hensley May 16 '13 at 15:55
  • ApplicationPoolIdentity gets generated on the fly when the site is visited, and any remote network calls would be sent using the ID "Network Service" or the COMPUTER$ account. This is why setting the app pool to Network Service works, as it has permissions to get your remote files. If you want to stay with ApplicationPoolIdentity (recommended) then you can grant the COMPUTER$ account access to the remote files if in a domain, as the request will assume the computer's identity. You can't add the ApplicationPoolIdentity to a remote server as it's a local account. Instead create a static domain user – Brock Hensley May 16 '13 at 15:58
  • COMPUTER$ already has the necessary permissions: if I put the site on the original Application Pool, which runs as ApplicationPoolIdentity on the same machine and IIS server, everything works. So, to recap, I have two application pools on the same machine, on the same IIS server. The first is able to access the remote filestream when running as ApplicationPoolIdentity, the other one only when running as NETWORK SERVICE. My guess is that there is some difference in the configuration of the two, but I can't see what (the _Advanced Settings_ page for the application pools shows no differences). – Marco Righele May 24 '13 at 15:26
  • Compare the site's anonymous authentication configuration sections; if the appPools are the same then it's how the sites are configured to use the appPools. – Brock Hensley May 24 '13 at 18:28
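One way to do the comparison the comments ask for, as an added example that is not part of the original thread: the script below uses the WebAdministration module that ships with IIS 7.5 on Windows Server 2008 R2 to dump the process model of both pools side by side and, for every application under the site, which pool it is bound to and the effective anonymousAuthentication settings at that path. The site name and pool names are placeholders. An empty anonymous userName is what the IIS manager writes for "Application pool identity"; the default value IUSR means the request runs as IUSR no matter what identity the pool has, so a per-application override here would explain two "identical" pools behaving differently.

```powershell
# Added diagnostic (not from the original question): compare two IIS 7.5
# application pools and the anonymous authentication settings of the
# applications under one site. Names below are placeholders.
Import-Module WebAdministration

$siteName = 'Default Web Site'        # placeholder site name
$pools    = @('OriginalPool', 'NewPool')  # placeholder pool names

# 1. Process model of each pool. identityType prints as
#    ApplicationPoolIdentity, NetworkService, LocalSystem, LocalService
#    or SpecificUser; userName is only meaningful for SpecificUser.
foreach ($p in $pools) {
    $pool = Get-Item "IIS:\AppPools\$p"
    [pscustomobject]@{
        Pool            = $p
        IdentityType    = $pool.processModel.identityType
        UserName        = $pool.processModel.userName
        LoadUserProfile = $pool.processModel.loadUserProfile
        PipelineMode    = $pool.managedPipelineMode
        RuntimeVersion  = $pool.managedRuntimeVersion
    }
}

# 2. Anonymous authentication as configured at the site root.
$siteAnon = Get-WebConfiguration `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -PSPath "IIS:\Sites\$siteName"
"Site root: anonymous enabled=$($siteAnon.enabled) userName='$($siteAnon.userName)'"

# 3. For each application: bound pool plus the effective anonymous
#    authentication at the application path (inherits from the site unless
#    the application's own config overrides it).
Get-WebApplication -Site $siteName | ForEach-Object {
    $appPath = Join-Path "IIS:\Sites\$siteName" $_.path.TrimStart('/')
    $anon = Get-WebConfiguration `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -PSPath $appPath
    [pscustomobject]@{
        Application = $_.path
        Pool        = $_.applicationPool
        AnonEnabled = $anon.enabled
        AnonUser    = $anon.userName   # '' = use app pool identity
    }
}
```

Run it from an elevated PowerShell prompt on the IIS host. If the two pool rows match but an application row shows a non-empty AnonUser, or a pool binding other than the one expected, that row is the configuration difference the Advanced Settings page does not show.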

0 Answers