9

What are the pros and cons of using the built-in App Pool Identity in IIS as opposed to specifying a Windows account?

For SQL Server, if you want to connect from a .NET application using Windows Authentication, I presume that if I use an App Pool Identity, I must associate this with a user in SQL Server or give that App Pool Identity access to my db?

Are App Pool Identities just added as a convenience so that you don't have to set up accounts for your App Pools?

abatishchev
Remotec

2 Answers

7

The built-in account used is specific to the computer. If applications inside the app pool need to connect to other resources on the network (database servers, file shares, etc.), then using a (Windows) domain account may be a better option. When you specify a domain account, you must ensure it has the correct file permissions set on the physical folders that IIS is using. In later operating systems, you can add this account to the IIS_IUSRS group to achieve the default permissions.

tsells
0

We have several applications running on our intranet that use Windows authentication. The way we handle this in our web.config is to specify our SQL connection string as follows:

<connectionStrings>
    <add name="ConnectionStringName" connectionString="Data Source=ServerName;Initial Catalog=DatabaseName;Trusted_Connection=true" providerName="System.Data.SqlClient"/>
</connectionStrings>

Also in the web.config is the following:

<system.web>
    <authentication mode="Windows"/>
    <identity impersonate="true" userName="Domain\Username" password="password"/>
</system.web>

Using a domain account allows you to manage the account in the same way you manage other user accounts. The downside here is that the username and password are included in plain text in the web.config.

Hope this helps.

rhoadsce
  • This is not a good approach in my opinion. You should set it up to use a pass through so you are NEVER storing a Windows domain account password anywhere in your code / configuration files. – tsells Jul 03 '12 at 17:25
  • If the App Pool uses a Windows Domain account, that will be the account passed through to the SQL Server using the connection string rhoadsce used, right? So is there a need to impersonate a user? – Remotec Jul 17 '13 at 11:01
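
The downside raised in the second answer and its first comment (a domain password sitting in plain text in web.config) can be checked for mechanically. The script below is an added example, not code from any poster on this page: it parses a web.config and reports an `<identity>` element carrying a literal password, as well as connection strings that embed a SQL password instead of using `Trusted_Connection`. The function names and the second ("Legacy") connection string are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's web.config pattern plus one hypothetical
# SQL-login connection string ("Legacy"). All values are placeholders.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Data Source=ServerName;Initial Catalog=DatabaseName;Trusted_Connection=true" providerName="System.Data.SqlClient"/>
    <add name="Legacy" connectionString="Data Source=ServerName;Initial Catalog=DatabaseName;User ID=app;Password=placeholder"/>
  </connectionStrings>
  <system.web>
    <authentication mode="Windows"/>
    <identity impersonate="true" userName="Domain\Username" password="password"/>
  </system.web>
</configuration>"""

PASSWORD_KEYS = {"password", "pwd"}  # connection-string keywords that carry a secret


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in cs.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def audit_web_config(xml_text):
    """Return (location, finding) tuples for credentials stored in the file."""
    root = ET.fromstring(xml_text)
    findings = []
    # <identity impersonate="true" userName=... password=...> stores the secret inline.
    for ident in root.iter("identity"):
        attrs = {k.lower(): v for k, v in ident.attrib.items()}
        if attrs.get("password"):
            findings.append(("system.web/identity",
                             "plaintext password for " + attrs.get("username", "?")))
    # Connection strings using Windows authentication carry no password key.
    for section in root.iter("connectionStrings"):
        for add in section.iter("add"):
            keys = parse_connection_string(add.get("connectionString", ""))
            if PASSWORD_KEYS.intersection(keys):
                findings.append(("connectionStrings/" + add.get("name", "?"),
                                 "embedded SQL password"))
    return findings


if __name__ == "__main__":
    for location, finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(location + ": " + finding)
```

A config that relies on the app pool's identity and `Trusted_Connection=true`, with no `password` attribute on `<identity>`, produces no findings.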