为IIS APPPOOL创建SQL Server登录 - 在不同的计算机上创建IIS和SQL Server

Question

I've searched thoroughly- apologies in advance if I am missing an obvious answer. Followed the recommendations at link below and the solution did not work. The solution also does not indicate whether it applies to a production webserver running IIS and SQL Server on separate computers. Add IIS 7 AppPool Identities as SQL Server Logons

Microsoft link below does not provide specific syntax for creating a SQL Server Windows Login: http://www.iis.net/learn/manage/configuring-security/application-pool-identities

Our goal is to securely deploy a ASP.NET 4.0 web application to the public on a Server 2008 R2 computer running IIS 7.5 in our production environment. As per best practices, we have SQL Server 2008 running on a separate computer in the same domain. We want to use SQL Sever Windows Authentication without impersonation to allow the ASP.NET application on the IIS box and SQL Server to communicate. Currently a SQL Server login connection string allows the .NET app to connect to SQL Server but we want to upgrade the connection string to be a Windows SQL Server login to be more secure.

On IIS 7.5 we've configured an Application Pool for the website. Under Application Pool advanced setting, Built-In Account have tried using both ApplicationPoolIdentity and Network service without success. Best practice is said to be to use ApplicationPoolIdentity for tighter security.

The step that fails is creating a SQL Server Windows login.

We've followed the following steps per the first link:

1. In SQL Server Management Studio, look for the Security folder (the security folder at the same level as the Databases, Server Objects, etc. folders...not the security folder within each individual database)

2. Right click logins and select "New Login"

3. In the Login name field, type IIS APPPOOL\\YourAppPoolName - do not click search

4. Fill whatever other values you like (ie, authentication type, default database, etc.)

5. Click OK

Can you please tell me with IIS 7.5 and SQL Server being on separate boxes, what syntax I need to use to create the SQL Server Window Login?

I have tried: " mydomain\\machine1$\\IIS APPPOOL\\MyAppPoolName " many times without success.
Error message is: " Windows NT User or group IIS APPPOOL\\MyAppPoolName can not be found "

I have used the network name of the webserver in place of machine1 (along with the actual app pool name, and domain name).

Thanks in advance for your help.

PS It would be great if Microsoft provided a step by step tutorial on how to accomplish this common and what should be easy task. Your answers here on StackOverFlow will help many people :)

Answer 1

One solution to your problem would be to set up a separate (not built-in) account for the application pool. You could give that account minimal rights and also give the access to SQL Server.

This way you could use a domain account which is easy to set up but still control security tightly.

Answer 2

I know this question is old, but since I suffered till I got it work, I'd like to share my experience to answer this question.

The steps you have followed worked with me, except :

3- The account you need to add to sql server logins is mydomain\\machine1$ not mydomain\\machine1$\\IIS APPPOOL\\MyAppPoolName

4- leave every thing in general settings page as defaults (actually, you need to make sure you are using windows authentication).

Then Go to User Mappings | select the database you want your application to access | grant it whatever permissions you want. For example, give it db_datareader & db_datawriter permissions.

5- Click OK to save.

But be ware that all applications using virtual accounts from same machine will be able to access this database.