Which Identity option in IIS' Application Pool is considered best

Question

Currently all of our web apps have their Application Pool Identity set to ApplicationPoolIdentity. Now, When an app needs to access some resources on some some server, say, add/read some file, the app performs impersonation in code to a user that has permissions to do this stuff. But now, we are contemplating to create a specific user for each app, and set its app pool identity to its specific new user. But I have noticed in the Advanced Settings dialog that Microsoft recommends to use the application pool identity, as shown in the following image:

Why does Microsoft recommends to use this identity, and is using a specific user is not best practice or a wrong move?

thanks,
ashilon

Answer 1

ApplicationPoolIdentity uses a concept called Virtual Accounts and is implemented to have App Pool isolation.This blog explains in detail about that .

ApplicationPoolIdentity is the recommended approach to have proper isolation between each website/application pool in IIS7+ onwards.So you can have code or files running for one website or app which cannot be accessed by no one else.

But for your scenario where you need to access resource on another server,When you use ApplicationPoolIdentity it uses the Machine identity only always.So the best approach is to use managed service account

Managed Service Accounts are a great way to manage Services that need network access. Let Windows take care of passwords and SPNs for you

Please find more information here ,here

But this has problem as only one managed service account can be assigned to one Server.Even with Application Pool identity,it will be using the $machineaccount to access network resources.

If network resources you have to isolate for each website/application,then your only way to create the separate User Account for each Websites and manage that.

Hope this helps!