授予对IIS APPPOOL \\ DefaultAppPool的数据库访问权限

Question

I have an ASP.NET application that uses Entity Framework running on IIS 7.5 and it needs to access (first create) the database, but I always get an exception Login failed for user 'IIS APPPOOL\\DefaultAppPool' .

I've already tried creating a login for that user in SQL Server Management Studio as many posts recommend, but it didn't help at all... I've added IIS APPPOOL\\DefaultAppPool login with Windows Authentication to the server Security>Login section, but I still see the exception when I load the website.

I've also tried creating a different app pool, moving my application to it and adding its name to login section of the database server but it didn't help too.

Ofcourse, if I set the identity of the DefaultAppPool to LocalSystem or NetworkService it successfully creates and accesses the database, but I don't want to use these identities for my app pool as they have high-level permissions and puts the server in a security risk...

Please advice me something. I'd like to know how to give my app pool permissions to access the database...

Answer 1

I don't know what exactly caused my problem, but I've found a solution myself.

Somehow IIS APPPOOL\\DefaultAppPool doesn't even need any additional permissions for the database server, it can connect to it even if its name is not included in the database's Logins section. Simply, the database it creates is somehow very tightly coupled with the IIS APPPOOL\\DefaultAppPool entity (whatever it actually is) AND, if you delete the database that belongs to IIS APPPOOL\\DefaultAppPool or any other pool and then try to create a new database with the same application pool, it acts as if the database wasn't actually deleted previously, but as if you were trying to access what's remaining from it with an account that didn't created it. Maybe it's not very easy to understand what I'm saying, but I think that the deletion of the database that belongs to an instance of an application pool not only deletes it, but also "unlinks" it from that pool and when you try to create a new database in the same application pool it just doesn't allow you, because you are "unlinked" from it, even if it doesn't even exist anymore. Maybe there still are some "links" in the database server, but they are not valid anymore, so the application pool is treated as something that tries to override the remainder of the database but doesn't have permissions to do it.

SO FINALLY THE FIX!!!

To fix this, just create a new application pool with a different name than the one that had previously created the database, move your application there and it'll work. I'm not sure if you can then create application pool with the same name and then create the database, but I guess yes. And, of course, restart IIS (I restart it through Internet Information Services (IIS) Manager ) after you create a new pool.

UPDATE!!!

Yes, I've just tested and now can confirm that you can create an application pool with the same name, but before this you have to delete it not only from IIS Manager's application pool's window but also from Users directory of your computer (where users' files are stored, ie C:\\Users) and then you can create a new pool with the same name.

It took me a long time to find out this strange behavior. I did it through lots of error and trial, so I'm happy to share it so that maybe someone one day will fix a similar problem faster than me.

Good luck guys!