Using Domain Account as App Pool Identity...

 
anonymous577

(Msg. 1) Posted: Tue Dec 02, 2003 5:35 pm
Archived from groups: microsoft>public>inetserver>iis

I'm trying to change the Default App Pool Identity in
IIS6 to an account that is not predefined. According to
the IIS administrator guide, all I need to do is add the
desired account to the local IIS_WPG group and make sure
all the web files have the proper ACL's. I've done that.

FYI: My app is configured in IIS to require Integrated
security and impersonation is turned off.

It works when I configure an account that I've created
locally as the app pool identity but I need to use a
domain account so that my app may access some resources
on other machines. When I configure a domain account the
exact same way as the local account, the site stops
working. Every request to the site prompts me for
credentials, and no matter what I type in my request is
denied.

What do I have to do to be able to use a domain account
as an App Pool Identity in IIS?

~Peter

someone9


(Msg. 2) Posted: Tue Dec 02, 2003 11:40 pm

Read this, which is accessible via F1-help from IIS Manager UI:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/pro...chnol/w

Also, read this KB:
http://support.microsoft.com/default.aspx?scid=kb;en-us;174811

The short answer is that Integrated Windows Authentication cannot be
delegated (i.e. cannot hop off the box to access resources on other
machines) unless you run Active Directory and use Kerberos on the back end.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Peter Kowalczyk" <anonymous.RemoveThis@discussions.microsoft.com> wrote in message
news:032a01c3b924$a345fce0$a501280a@phx.gbl...
I'm trying to change the Default App Pool Identity in
IIS6 to an account that is not predefined. According to
the IIS administrator guide, all I need to do is add the
desired account to the local IIS_WPG group and make sure
all the web files have the proper ACL's. I've done that.

FYI: My app is configured in IIS to require Integrated
security and impersonation is turned off.

It works when I configure an account that I've created
locally as the app pool identity but I need to use a
domain account so that my app may access some resources
on other machines. When I configure a domain account the
exact same way as the local account, the site stops
working. Every request to the site prompts me for
credentials, and no matter what I type in my request is
denied.

What do I have to do to be able to use a domain account
as an App Pool Identity in IIS?

~Peter

kenremove


(Msg. 3) Posted: Wed Dec 03, 2003 2:22 pm

a) Does the site start working if you enable Anonymous Access?

b) Is there anything in the Windows Event Logs on either the local server,
the server(s) you are connecting to, or the Domain Controllers (make sure
you have auditing enabled for logon failures)?

(You should be able to use a Domain Account as an App Pool Identity - I have
that working just fine here, so something else is up)

Cheers
Ken


"Peter Kowalczyk" <anonymous.RemoveThis@discussions.microsoft.com> wrote in message
news:032a01c3b924$a345fce0$a501280a@phx.gbl...
: I'm trying to change the Default App Pool Identity in
: IIS6 to an account that is not predefined. According to
: the IIS administrator guide, all I need to do is add the
: desired account to the local IIS_WPG group and make sure
: all the web files have the proper ACL's. I've done that.
:
: FYI: My app is configured in IIS to require Integrated
: security and impersonation is turned off.
:
: It works when I configure an account that I've created
: locally as the app pool identity but I need to use a
: domain account so that my app may access some resources
: on other machines. When I configure a domain account the
: exact same way as the local account, the site stops
: working. Every request to the site prompts me for
: credentials, and no matter what I type in my request is
: denied.
:
: What do I have to do to be able to use a domain account
: as an App Pool Identity in IIS?
user653


(Msg. 4) Posted: Wed Dec 03, 2003 2:22 pm

Hey ~

The first thing I notice is that you are mixing two major topics:
a). Authentication
b). Process Identity

The process identity is the piece you are trying to set to use as a domain
account. The first thing to note - this is very possible, and can be done.
Second, your failure most likely has nothing to do with the account it is
running under. The easiest test is to ensure that you have proper ACL'ing
on the directory as this problem is failing because you have
misconfiguration in the authentication\authorization piece - NOT PROCESS
IDENTITY.

In fact, my guess is that when you receive the prompt for login you can fail
and still open task manager (taskmgr) and see that w3wp.exe is loaded. If
this is loaded, then process identity can be removed from the root cause
altogether...

You have most likely failed to acl this correctly. The IIS_WPG or the
process identity does not need access to the content - in fact - it is a bad
idea. The reason being is that IIS_WPG will give too many rights because
process identity 1 (for app pool 1) will have access to site 2's content -
bad! The only ACL'ing you should have done is to create an anonymous
account (or use the default) for the site along with any user groups you
need for authenticated access and give them permission to the site... Also,
give the individual domain account being used as the process identity read
permission to the NTFS physical folder.

I would guess that your IIS logs should lead you to your answer - I bet you
are receiving 401.3 Access denied based on Access Control List....

Why do I make all the assumptions? Well, to understand what you are doing
is fairly simple... I like the bus analogy -

A bus (in this case, w3wp) only needs one driver, and only one. This driver
needs special skills granted to him\her (IIS_WPG) and this bus and bus
driver shuttles around all these passengers (in this case, threads which are
uniquely identified by a user token). The catch, the bus driver only lets
them on the bus if they correctly know the username\password - if they
don't - they don't ride the bus. So, you shouldn't be failing because the
domain account is the problem as he is checking the passengers on board...
:)

HTH,

--
~Chris (MSFT)
IIS Supportability Lead

This posting is provided "AS IS" with no warranties, and confers no rights


"Ken Schaefer" <kenREMOVE.RemoveThis@THISadOpenStatic.com> wrote in message
news:u%23s%23SOTuDHA.2544@TK2MSFTNGP09.phx.gbl...
 > a) Does the site start working if you enable Anonymous Access?
 >
 > b) Is there anything in the Windows Event Logs on either the local server,
 > the server(s) you are connecting to, or the Domain Controllers (make sure
 > you have auditing enabled for logon failures)?
 >
 > (You should be able to use a Domain Account as an App Pool Identity - I have
 > that working just fine here, so something else is up)
 >
 > Cheers
 > Ken
 >
 >
 > "Peter Kowalczyk" <anonymous.RemoveThis@discussions.microsoft.com> wrote in message
 > news:032a01c3b924$a345fce0$a501280a@phx.gbl...
 > : I'm trying to change the Default App Pool Identity in
 > : IIS6 to an account that is not predefined. According to
 > : the IIS administrator guide, all I need to do is add the
 > : desired account to the local IIS_WPG group and make sure
 > : all the web files have the proper ACL's. I've done that.
 > :
 > : FYI: My app is configured in IIS to require Integrated
 > : security and impersonation is turned off.
 > :
 > : It works when I configure an account that I've created
 > : locally as the app pool identity but I need to use a
 > : domain account so that my app may access some resources
 > : on other machines. When I configure a domain account the
 > : exact same way as the local account, the site stops
 > : working. Every request to the site prompts me for
 > : credentials, and no matter what I type in my request is
 > : denied.
 > :
 > : What do I have to do to be able to use a domain account
 > : as an App Pool Identity in IIS?
 >