From his ASP.NET Security Pre-Conference talk: Knowing the
default accounts under which the ASP.NET worker process runs
(ASPNET on IIS 5.0, Network Service on IIS 6.0) allows you to
set ACLs on the resources your application needs, so that
ASP.NET can read, write, or take other actions on them.
You can also use the <processModel>
element in machine.config to change the account under which
the ASP.NET worker process runs. Note that you should
always encrypt any passwords stored in machine.config (you
can use the aspnet_setreg.exe utility to store credentials in
the registry and then refer to them from
machine.config; see
KB article #329290
for more details).
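
The machine.config setting described above, with the plaintext form beside the registry-backed form, as an added example that is not from the original post or the talk. The domain, account name, password and the MY_SECURE_APP key path are placeholders.

```xml
<!-- machine.config fragment (constructed example; domain, account and
     registry key path are placeholders, not values from the post) -->

<!-- Weak: the service account password sits in clear text and is exposed
     to anyone who can read machine.config or a backup of it.

<processModel enable="true"
              userName="EXAMPLEDOMAIN\svc_aspnet"
              password="PlaintextPasswordHere" />
-->

<!-- Preparation, run once from an administrator command prompt.
     aspnet_setreg.exe encrypts the values and writes them under HKLM:

     aspnet_setreg.exe -k:SOFTWARE\MY_SECURE_APP\processModel -u:"EXAMPLEDOMAIN\svc_aspnet" -p:"PlaintextPasswordHere"

     Afterwards, tighten the ACL on that registry key so that only
     administrators and the account ASP.NET reads it under have access.
-->

<!-- Hardened: machine.config holds only a pointer to the encrypted
     registry values, never the credentials themselves. -->
<configuration>
  <system.web>
    <processModel enable="true"
                  userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\processModel\ASPNET_SETREG,userName"
                  password="registry:HKLM\SOFTWARE\MY_SECURE_APP\processModel\ASPNET_SETREG,password" />
  </system.web>
</configuration>
```

A quick check after the change is to search machine.config for password= attributes whose value does not start with registry: and treat any hit as a finding.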

3 Comments

Jeff should also mention this is different on a domain
controller. Causes no end of confusion.

"Jeff should also mention this is different on
a domain controller. Causes no end of
confusion."
True, but running ASP.NET on a DC is not a best practice
at all, so my recommendation would be to re-think
running ASP.NET on a DC, rather than try to work out the
whole process identity thing in that case.

True. But I have worked with folks on www.asp.net for a
while before thinking of asking them, and they tell me
"sure, but what difference does that
make..."