Best iis questions in April 2011

What are all the user accounts for IIS/ASP.NET and how do they differ?

8 votes

Under Windows Server 2008 with ASP.NET 4.0 installed there is a whole slew of related user accounts, and I can't understand which one is which, how they differ, and which one is REALLY the one that my app runs under. Here's a list:

  • IIS_IUSRS
  • IUSR
  • DefaultAppPool
  • ASP.NET v4.0
  • NETWORK_SERVICE
  • LOCAL SERVICE.

What is what?

This is a very good question and sadly many developers don't ask enough questions about IIS/ASP.NET security in the context of being a web developer and setting up IIS. So here goes....

To cover the identities listed:

IIS_IUSRS:

This is analogous to the old IIS6 IIS_WPG group. It's a built-in group with its security configured such that any member of this group can act as an application pool identity.

IUSR:

This account is analogous to the old IUSR_<MACHINE_NAME> local account that was the default anonymous user for IIS5 and IIS6 websites (i.e. the one configured via the Directory Security tab of a site's properties).

For more information about IIS_IUSRS and IUSR see:

Understanding Built-In User and Group Accounts in IIS 7

DefaultAppPool:

If an application pool is configured to run using the Application Pool Identity feature then a "synthesised" account called IIS AppPool\<pool name> will be created on the fly to be used as the pool identity. In this case there will be a synthesised account called IIS AppPool\DefaultAppPool created for the lifetime of the pool. If you delete the pool then this account will no longer exist. When applying permissions to files and folders these must be added using IIS AppPool\<pool name>. You also won't see these pool accounts in your computer's User Manager. See the following for more information:

Application Pool Identities

ASP.NET v4.0:

This will be the Application Pool Identity for the ASP.NET v4.0 Application Pool. See DefaultAppPool above.

NETWORK SERVICE:

The NETWORK SERVICE account is a built-in identity introduced on Windows 2003. NETWORK SERVICE is a low privileged account under which you can run your application pools and websites. A website running in a Windows 2003 pool can still impersonate the site's anonymous account (IUSR_ or whatever you configured as the anonymous identity).

In ASP.NET prior to Windows 2008 you could have ASP.NET execute requests under the Application Pool account (usually NETWORK SERVICE). Alternatively you could configure ASP.NET to impersonate the site's anonymous account via the <identity impersonate="true" /> setting in web.config file locally (if that setting is locked then it would need to be done by an admin in the machine.config file).

Setting <identity impersonate="true"> is common in shared hosting environments where shared application pools are used (in conjunction with partial trust settings to prevent unwinding of the impersonated account).

In IIS7.x/ASP.NET impersonation control is now configured via the Authentication configuration feature of a site. So you can configure to run as the pool identity, IUSR or a specific custom anonymous account.

LOCAL SERVICE:

The LOCAL SERVICE account is a built-in account used by the service control manager. It has a minimum set of privileges on the local computer. It has a fairly limited scope of use:

LocalService Account

LOCAL SYSTEM:

You didn't ask about this one but I'm adding it for completeness. This is a local built-in account. It has fairly extensive privileges and trust. You should never configure a website or application pool to run under this identity.

LocalSystem Account

In Practice:

In practice the preferred approach to securing a website (if the site gets its own application pool - which is the default for a new site in IIS7's MMC) is to run under Application Pool Identity. This means setting the site's Identity in its Application Pool's Advanced Settings to Application Pool Identity:


In the website you should then configure the Authentication feature:


Right click and edit the Anonymous Authentication entry:


Ensure that "Application pool identity" is selected:


When you come to apply file and folder permissions you grant the Application Pool identity whatever rights are required. For example if you are granting the application pool identity for the ASP.NET v4.0 pool permissions then you can either do this via Explorer:


Click the "Check Names" button:


Or you can do this using the ICACLS.EXE utility:

icacls c:\wwwroot\mysite /grant "IIS AppPool\ASP.NET v4.0":(CI)(OI)(M)

I hope this helps clear things up.
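To check which account each pool and site really runs under, the identities described in the answer above can be resolved from a copy of applicationHost.config. This is an added example, not code from the original answer; the sample XML, the pool names LegacyPool and Reports, and the site name MySite are constructed, and only site-level <location> entries are inspected.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (sample data, not from the page).
SAMPLE = """<configuration>
 <system.applicationHost><applicationPools>
   <add name="DefaultAppPool" />
   <add name="ASP.NET v4.0" managedRuntimeVersion="v4.0" />
   <add name="LegacyPool"><processModel identityType="LocalSystem" /></add>
   <add name="Reports"><processModel identityType="NetworkService" /></add>
   <applicationPoolDefaults>
     <processModel identityType="ApplicationPoolIdentity" />
   </applicationPoolDefaults>
 </applicationPools></system.applicationHost>
 <location path="MySite">
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="" />
  </authentication></security></system.webServer>
 </location>
</configuration>"""

def pool_accounts(xml_text):
    """Return {pool name: account the pool's worker process runs as}."""
    pools = next(ET.fromstring(xml_text).iter("applicationPools"))
    dflt = pools.find("applicationPoolDefaults/processModel")
    accounts = {}
    for pool in pools.findall("add"):
        name, pm = pool.get("name"), pool.find("processModel")
        kind = pm.get("identityType") if pm is not None else None
        if kind is None and dflt is not None:
            kind = dflt.get("identityType")      # inherited pool default
        if kind == "ApplicationPoolIdentity":
            accounts[name] = "IIS AppPool\\" + name   # synthesised account
        elif kind == "SpecificUser":
            accounts[name] = pm.get("userName", "(unset)") if pm is not None else "(unset)"
        else:                                     # built-in account, or no value in file
            accounts[name] = kind or "(schema default)"
    return accounts

def anonymous_account(xml_text, site, pool_account):
    """Account serving anonymous requests to `site` (site-level <location> only)."""
    for loc in ET.fromstring(xml_text).findall("location"):
        if loc.get("path") == site:
            for anon in loc.iter("anonymousAuthentication"):
                # userName="" selects "Application pool identity"
                return anon.get("userName", "IUSR") or pool_account
    return "IUSR"                                 # default anonymous user in IIS 7

def local_system_pools(accounts):
    """Pools running as LocalSystem, which the answer says never to use."""
    return sorted(n for n, a in accounts.items() if a == "LocalSystem")
```

The account name returned for a pool is the one to pass to icacls when granting file and folder permissions.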

ASP.Net Post timeout

6 votes

Hello There,

I have been stuck with an ASP.NET post issue for the last 2 weeks.

Scenario:

My application page has 3 controls: a WYSIWYG editor (FreeTextBox), a text box to get the name of the article being edited in the WYSIWYG editor, and another text box to accept keywords.

The order of the controls on the page from top to bottom is as follows:
first, Name text box
second, WYSIWYG Editor
last, Key Word text box

Problem:

Whenever users try to save their edited documents, the IIS server returns a timeout (production runs on Win 2008). But interestingly, the "Name" text box information and half of the WYSIWYG editor information (it's not exactly half, it varies for each case) is saved to the database, but the last "keyword" text box is not saved. During this the web server hangs for a while, kicks out the user, and after a few minutes is back to normal speed. I think the app pool is recycled. But all works fine in my development environment (my PC runs Win 7 64-bit). Also, I have set ValidateRequest="False" in the page directive for the production and development environments.

Environment:

Environment .NET 4.0, ASP.NET
FreeText box WYSIWYG editor
Shared Hosting windows 2008
SQL Server 2008

Tried solutions (but no breakthrough):

Tried with different browsers (Firefox, Chrome, IE) and got the same error.
Added ValidateRequest="False" in the page directive, replaced the WYSIWYG editor with a plain text box and tried to save: same issue.
Just tried to log the post data directly from the Page.Request object. Still getting full data for the "Name" text box, half for the WYSIWYG text box and nothing for the rest.
There is no issue with the DB connection or table field. I have triple checked.

Possible Suspicions and Questions:

Based on my knowledge there is no limitation on post data length, but is it possible to override this in IIS? Wondering if this is set on my shared hosting.
Basically the HTTP post data gets truncated somewhere between the browser and the server Request object. What would be the reason if this is happening?
If the HTTP post is truncated, why does the whole application hang (or restart)?
What precautions need to be taken when posting HTML content as an HTTP post?

Thank you.

New Finding:

Checked my post using HttpFox. Post size was about 9958 bytes. But Firefox sends the first 330 bytes of data and then the web page hangs. After about a minute, I am getting the NS_ERROR_NET_RESET error code in HttpFox.

Checked my post using Fiddler2 with IE9. It tries to send the first 512 bytes then hangs. Returns "ReadResponse() failed: The server did not return a response for this request."

Question:

This would likely be a browser issue or a server issue. I think if it were a browser issue, this wouldn't happen for IE and Firefox.

Update:

Most likely isolated the problem to the web hosting. Tested by changing the form post URL to a different domain to see if the values can be retrieved at that domain. Yes, it works. Only it didn't work for my domain. Interestingly, I tested this with a normal HTML page post; it also didn't work. So most likely a security measure is installed to prevent this, or there is a server misconfiguration. Already put in a ticket with them and waiting.

Anyhow, all of your feedback helped me to isolate the problem.

Solved:

Yes, this issue was on our web hosting site. What I have heard from them so far is that some firewall was blocking the big HTTP post. They said our domain is now whitelisted. Anyway, now it works. This ate 2 weeks of my time, but it was a good learning experience. Thanks, guys, for your help. Really appreciated.

I have faced the same error on one web page. It was very weird because if I used a proxy, the error went away; if I called the page directly from my computer I got a timeout and it never went on.

After many checks I discovered that the problem was the very big viewstate! How I found it: I saved an HTML part of my page as it's rendered, and started removing items from the HTML and making posts, until I discovered that the post continued when I cut down the viewstate post.

The solution was to disable viewstate on many non-needed controls and to compress and cut into smaller parts the remaining viewstate post data.

You can google and find many ways to compress and cut the view state in parts.

Some articles:

http://msdn.microsoft.com/en-us/magazine/cc188774.aspx

how to cut it tutorial:
http://www.dotnetfunda.com/articles/article634-viewstate-patterns-in-aspnet-.aspx

how to compress it
http://www.hanselman.com/blog/ZippingCompressingViewStateInASPNET.aspx
http://www.codeproject.com/KB/viewstate/ViewStateCompression.aspx
http://www.google.com/search?hl=en&safe=off&q=asp.net+compress+viewstate&aq=f&aqi=g1g-b2&aql=f&oq=

PS: In this demo page of the FreeTextBox that you use, the viewstate is huge, and it's even empty of text; imagine how big the viewstate can be if you actually have text inside. Not so free - the cost is the huge viewstate.

Follow up

As Jeyara says in the comments below, in the end this was the error: a blocking of large post files by a firewall on the hosting server. So the error has to do with large postback data.

Can ASP.MVC 3 run in a site root and allow other ASP.Net apps to run in subfolders?

4 votes

Can I have an ASP.MVC 3 application running in my site root (a simple CMS to provide MOST site content), and have it co-exist with additional ASP.Net apps (2 Web Forms apps and 1 MVC app) running in subfolders to provide more specialized functionality?

Example:

www.mycompany.com
/             // ASP.MVC 3 App goes here to handle 90% of our page content.
/store/       // Older web forms app to handle our online store.
/survey/      // Older web forms app to provide survey forms.
/locations/   // An ASP.MVC 3 app to render a map with site locations.

I wouldn't mind integrating the 'locations' MVC app with the CMS if necessary, but if they can be separate, it would simplify long term maintenance. Does the root application need to know about the others? (including the other projects as subprojects into the main MVC project in VS.2010?)

As for the 'store' and 'survey' Web Forms apps, they are running .Net 3.5, but we could recompile them to 4.0 if needed. Do the 'store', 'survey' and 'locations' folders need to be virtual folders mapped in with IIS?

Hopefully this example is simplified enough, to find out if it is possible (and how) to integrate applications together with ASP.MVC 3 running in the site root. I'm in a situation where the separate apps must share a domain and pretend to be 1 cohesive site. (They will all share the same HTML template)

Just mark those other applications as Applications in IIS and that will do.