I have an ASP.NET application that, among other things, is scraping another web site. I'm using a headless System.Windows.Forms.WebBrowser control in an STA thread, using Navigate(), handling the DocumentCompleted event, yada, yada. The WebBrowser control navigates to the remote site's login page (which uses javascript to fiddle with the DOM, thus the need for WebBrowser). I set the UserID and Password fields then I call WebBrowser.Document.All["submit"].InvokeMethod("click").
On my development box running Windows 7 and IIS 7.5, this behaves as expected. The next time DocumentCompleted fires, it's clear that I've successfully logged in and I go smartly about my business. On my Rackspace production server however, running "Windows Server 2008 Enterprise without Hyper-V" and IIS 7.0, it was failing: On that box, the next time DocumentCompleted fired, I would find that I'd received the remote site's "You've been logged out." page.
I tried adding the remote site to the Trusted Sites list, and disabling IE ESC for Administrators and Users, to no avail.
I finally managed to achieve the desired behavior -- the behavior I'd seen in my development environment -- by running this app in a special application pool whose identity I had set to Administrator. But I don't want to leave it that way.
What is the least privileged identity, or the minimum set of permission(s) sufficient on the application pool to allow this headless STA WebBrowser to properly browse this javascript-dependent remote site?
