Configure IIS7 to Run a Website as a Specific User
December 28th, 2008 by Paul Sterley
Problem: You wish to maintain anonymous access to a website, but configure it to run as a specific user.
Usage Scenario: You want to use a SQL connection string to access a database with a trusted connection.
For example, your connection string might look something like this:
connStr = "Provider=SQLOLEDB;Data Source=Server\MSSQLInstance;Initial Catalog=YourDatabase;Trusted_Connection=yes;"
This is an alternative to enabling SQL authentication and putting the username and password in your web code. That has its own risks. Microsoft has also been trying to get people to stop doing that for years. You must choose what security measures you wish to implement.
There are a couple of options available for you to do this. One method is to configure the website’s anonymous authentication attribute directly. The other is to create a new application pool, set its identity to the specified user, and then set up the website to use that application pool. Each one entails plugging a user account and password into IIS. “Pick your poison” is what my friend Eugene has to say about this.
The Application Pool approach has the advantage when you want to set up multiple websites this way: it is easier to maintain a central point of administration for the user account.
Option 1: Edit the website directly
- Create a user account. (This should be a local account if possible. If you are doing this on a DC, then be sure to make a new security group that is not assigned explicit permissions to anything, set this group as the user’s primary group, and remove the user from the Domain Users group.)
- Open IIS Admin.
- Select the website.
- Double-click the “Authentication” icon.
- Select Anonymous Authentication.
- Click the Edit link under Actions on the right-hand side.
- Click the radio button for “Specific user” and the Set button.
- Input the username/password you created earlier.
- Click OK, and OK to close the dialog. You may need to restart the website for the changes to take effect.
Option 2: Use an Application Pool
- Create a user account. (This should be a local account if possible. If you are doing this on a DC, then be sure to make a new security group that is not assigned explicit permissions to anything, set this group as the user’s primary group, and remove the user from the Domain Users group.)
- Open IIS Admin.
- Select Application Pools.
- Click Add Application Pool in the Actions area on the right side.
- Type a name for the Application Pool and click OK.
- Right-click your new Application Pool and choose Advanced Settings.
- In the General area, select Managed Pipeline Mode, and select Classic from the list. (Leaving this set to “Integrated” will cause other integrated Application Pools to take on these changes.)
- In the Process Model area, select the Identity attribute, and click the “…” button.
- Click the radio button for “Custom account” and click the Set button.
- Input the username/password you created earlier.
- Click OK, and OK to close the dialog.
- Click OK to close the Application Pool settings dialog.
- You may need to recycle your Application Pool for the changes to take effect.
- Select the website.
- Double-click the “Authentication” icon.
- Select Anonymous Authentication.
- Click the Edit link under Actions on the right-hand side.
- Click the radio button for “Application Pool Identity”.
- Click OK to close the dialog. You may need to restart the website for the changes to take effect.
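Option 2 scripted with the WebAdministration PowerShell module, as an added example that is not part of the original post. It assumes the module is available on the server, an elevated session, and that the account from the first step already exists; the pool and site names are placeholders.

```powershell
# Added example: scripts Option 2. Not from the original post.
# Assumptions: elevated session, WebAdministration module present,
# the account already exists. Pool and site names are placeholders.
Import-Module WebAdministration

$PoolName = 'TrustedSqlPool'      # hypothetical pool name
$SiteName = 'Default Web Site'    # hypothetical site name
$AnonAuth = 'system.webServer/security/authentication/anonymousAuthentication'

# Prompt for the account so the password is never written into the script.
$cred = Get-Credential

# Create the pool if it does not exist yet.
if (-not (Test-Path "IIS:\AppPools\$PoolName")) {
    New-WebAppPool -Name $PoolName | Out-Null
}

# Managed Pipeline Mode: 0 = Integrated, 1 = Classic (the steps choose Classic).
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name managedPipelineMode -Value 1

# Process Model > Identity > Custom account. identityType 3 = SpecificUser.
# IIS stores the password encrypted in applicationHost.config.
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Point the website at the new pool.
Set-ItemProperty "IIS:\Sites\$SiteName" -Name applicationPool -Value $PoolName

# Anonymous Authentication > Application Pool Identity: an empty userName
# makes anonymous requests run as the pool's identity.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter $AnonAuth -Name userName -Value ''

# Read the settings back to confirm what was applied.
$pm   = (Get-Item "IIS:\AppPools\$PoolName").processModel
$anon = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $SiteName -Filter $AnonAuth -Name userName
"Pool identity : $($pm.identityType) / $($pm.userName)"
"Anonymous user: '$($anon.Value)' (empty = application pool identity)"
```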

