Which one should I use for "anonymous user identity"? "specific user: IUSR" or "application pool identity"?

In IIS Manager center pane, there is an icon titled "Authentication" as follows:

Clicking the icon, we get 3 items as follows:

Right clicking the Anonymous Authentication and select edit, we have:

Question: which one should I use? What is the dif开发者_如何学Cference?

You are basically choosing which will be the identity of the anonymous user. You can choose a specific user or you can choose the identity of the application pool. Which one to use depends on your application. If your application needs a specific user permissions or access then you can select that user, otherwise it is ok for it to use the app pool user. Without knowing what your application does it is hard to steer you one way or another.

"The identity of an application pool is the name of the account under which the application pool's worker process runs. By default, application pools operate under the Network Service account, which has low-level user access rights." A specific user is a user that you can set up yourself to specify which account your server will impersonate when users access your site. I would go with IUSR and give the account the necessary privileges.

app pool id

This advise usually works for IIS6, but I think the same applies to IIS7.

The process IIS uses to handle inbound requests is started by the OS and runs as IUSR_MachineName. This is a very low privileged account, that basicly can't do anything. Your request then gets passed to .Net which runs as another process (W3WP on IIS6) in a application pool. The app pool has an assigned identity, by default networkservice, which is a reasonably privileged account, it can for example make network connections, which other in-built account can't do. You can change the identity of the app pool to any account, but the account you choose will need certain OS privileges.

What does it all mean to you? Well use a NetworkService unless you have some unchangeable requirement otherwise. Do you need to read files say as a particular user? Ignore the IUSR account. It's way to low privileged unless you really want to lock your server down, but be prepared for lots of fiddling to get it working.

Simon

There are essentially 3 places in IIS 7 and above that manage users that run your site

App Pool Advanced Settings

You'll find in the application pool config area at the top of IIS Manager, then select the app pool you're using, then click Advanced Settings on the Action pane.

This is the user that launches the w3wp.exe process that runs each app. In general, this is where I suggest everyone configure their user and leave it at that. If using anything other than ASP.net Impersonation, this is the user that will connect to SQL Server when connecting under Trusted/Windows auth.

"Connect As" user

This can be found by selecting the site, or application and then clicking Basic Settings from the Action pane. It's also available when you create a site.

This is the user that is used only to connect to the files where the site is stored. For instance, if you keep them on a separate network share and need to provide a login just to access that.

Anonymous User

This is the user the asker is inquiring about. Notice how it's in the IIS section of the features pane. This is the user that IIS will pass to the application. If you're using Anonymous Authentication, then you are likely using a separate mechanism to handle logins (if at all).

In only one instance ever, did I even try to alter this and I think it was a PHP application that was using URL Rewrite a redirect to an image file and returning a 401 Unauthorized.