IIS 6 Network Service Account vs. IIS 5 IWAM_<MachineName>

[Tyler]

I have recently moved our company's intranet website from a Windows 2000
server to a Windows 2003 server. Previously, we had setup the permissions
so that the IWAM_<MachineName> account could access files in a share on
another server. Now that I have moved to W2K3, I am not sure what I need to
do to establish the same functionality as the IWAM_ account does not exist.

Can anyone provide me with some good information on this topic or point me
to some good resources?

Thanks, Tyler

[XYZ]

You can add the <network service> account .

[Scotter]

You can add IWAM_machinename this way.
Right click on the folder you want to give these permissions to and go to
the "Security" (or Permissions?) tab just like you did in IIS5. Click the
button to add a user. You won't see IWAM_machinename in your list of users
but you can still add it by typing it in the box and it will understand and
add it for you.

"Tyler" <ty...@work.com> wrote in message
news:O32E1ClU...@tk2msftngp13.phx.gbl...

[WenJun Zhang[msft]]

Tyler,

If you can see the Application Pool folder in the Win2K3 IIS6 mmc,
then it means your IIS6 are running in worker process isolation mode.
In this case, NETWORK SERVICE is the default process identity which
replaces IWAM. So you'd grant NETWORK SERVICE accont with the proper
permission other than IWAM.

If there isn't the Application Pool folder, IIS6 is running in IIS5.0
isolation mode, which still works with IWAM and dllhost. You can
grant IWAM with the permission like before.

Best regards,

WenJun Zhang
Microsoft Online Support
This posting is provided "AS IS" with no warranties, and confers no
rights.
Get Secure! - www.microsoft.com/security

[Tyler]

I can see the Application Pool folder, so my site is running in 'worker
process isolation mode'.

I know that I need to grant the NETWORK SERVICE account on the web server
access to the share on the other server, but my question is how do I do this
when each machine has a NETWORK SERVICE account and neither NETWORK SERVICE
account is a domain account? Am I missing something obvious here?

For example, when I am modifying share permissions and browse to select the
accounts to provide access, I cannot specify the web server's NETWORK
SERVICE account. As well, on my other server, I assume I must specify that
the web server's NETWORK SERVICE can 'Access this computer from the
network' - I cannot figure out how to do that either.

Your assistance is greatly appreciated,

Thanks, Tyler

""WenJun Zhang[msft]"" <v-wz...@online.microsoft.com> wrote in message
news:D3eonupU...@cpmsftngxa10.phx.gbl...

[WenJun Zhang[msft]]

Hi Tyler,

You can create a new domain account and set it as this application
pools's identity. Then grant this domain account with appropriate
permission on the remote share. If the boxes are not in a domain
enviornment, you'd create two local accounts on each machine with the
same username and password.

To make the new account has proper permission to act as an IIS
AppPool ID, please add it to IIS_WPG group and refer to the following
article to grant it with additional group policy permissions which
NETWORK SERVICE has:

INFO: Default Permissions and User Rights for IIS 6.0
http://support.microsoft.com/?id=812614

Also, please note when you set the account in Application Pool's
properties, you must type the account's password twice. The UI will
not auto verify the password and if it's incorrect, you will get
Service Unavailable error everywhere.

Please feel free to let me know if you meet any problem.

[Tyler]

That looks very helpful - thank you very much! If I encounter any problems,
I will let you know.

Best regards,
Tyler

[WenJun Zhang[msft]]

You are welcome. :-)

[Oleg]

I have the same problem after upgrading to IIS6. I don't see application pool in IIS manager. How can I reconfigure isolation mode for IIS6 in order to use application pool?

Thank you in advance.