Revealed: the Identity of the ApplicationPoolIdentity

While setting up a new mojoPortal site I tried out running the application pool with the identity “ApplicationPoolIdentity”. Previously we have tended to create a specific user account for each site (with each site running in its own app pool). An advantage of that approach was that we could see in Task Manager what CPU and memory was being used by each site, because the w3wp.exe process showed as the specific user account. When switched to run as ApplicationPoolIdentity, the process appears to run as a user named the same as the application pool, so all good there.

Aside: the problem with running an application pool under its own user account is that MapServer CGI will not run within the site – I’ve no idea why, though it must be a permissions issue. When the app pool runs as ApplicationPoolIdentity then MapServer works fine.

As you’ll see from a previous post about how to install a mojoPortal site, it is necessary to secure the web site folders. When I came to do this I found there was no user account called ApplicationPoolIdentity, and no user with the name of the application pool either.


It turns out there is a virtual user account. It can be entered in the folder permissions dialog as

IIS APPPOOL\ApplicationPoolName (replacing ApplicationPoolName with the name of your application pool).

Folder permissions can then be granted or revoked for this user.
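The same grant can be done from the command line with icacls, which is also the route to take when the permissions GUI cannot resolve the virtual account name. The script below is an added example and is not from the original post; it assumes an application pool called MySite with its content in C:\inetpub\MySite and a single writable folder, App_Data, so adjust the parameters to suit. It gives the pool identity read and execute rights on the site tree and Modify only where the application has to write, then lists the resulting ACL entry so you can confirm it took.

```powershell
# Added example (not from the original post): grant an application pool's
# virtual identity least-privilege access to a site folder using icacls.
# Assumed values: pool name "MySite", site root C:\inetpub\MySite,
# writable subfolder App_Data.
param(
    [string]$AppPoolName        = 'MySite',
    [string]$SiteRoot           = 'C:\inetpub\MySite',
    [string[]]$WritableSubfolders = @('App_Data')
)

# The virtual account always has the fixed "IIS APPPOOL\" prefix. It does not
# appear in the Users list, but the security subsystem can resolve it.
$identity = "IIS APPPOOL\$AppPoolName"

# Optional sanity check: app pool identities translate to a SID in the
# S-1-5-82 family. On systems where name lookup for these accounts is broken
# this may throw, so failure here is reported but does not stop the script.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($identity)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
    Write-Host "Resolved $identity to $sid"
}
catch {
    Write-Warning "Could not resolve $identity by name; continuing with icacls."
}

# Read and execute on the whole site, inherited by subfolders (CI) and files (OI).
icacls $SiteRoot /grant "${identity}:(OI)(CI)RX"

# Modify only in the folders the application actually writes to.
foreach ($sub in $WritableSubfolders) {
    $path = Join-Path $SiteRoot $sub
    if (Test-Path $path) {
        icacls $path /grant "${identity}:(OI)(CI)M"
    }
    else {
        Write-Warning "Skipping $path (not found)"
    }
}

# Verify: show the ACL entries that now reference the pool identity.
icacls $SiteRoot | Select-String -SimpleMatch $identity

# To revoke later:  icacls $SiteRoot /remove $identity
```

Run it from an elevated PowerShell prompt. Keeping Modify confined to the folders that need it (rather than granting it on the whole site) limits what a compromised web application running under that identity can alter on disk.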

Comments

Crispin Flower

re: Revealed: the Identity of the ApplicationPoolIdentity

14 June 2012

This may only apply to IIS7.5, as I've found that behaviour is different on IIS7.0. The virtual account "IIS APPPOOL\ApplicationPoolName" appears not to exist, so I'm not sure how to set ACLs for the ApplicationPoolIdentity. Therefore I've had to stick with NETWORK SERVICE and a specifically created user account for sites in IIS7.0.

Some time later: I've discovered that the ApplicationPoolIdentity virtual accounts do exist in IIS 7.0 on Server 2008, but the folder/file permissions GUI cannot see them, and reports an error when you enter the name and click "Check Names". This is a Server 2008 bug ("limitation"!), as noted in the nether regions of this thread. You can still use the ApplicationPoolIdentity and set permissions using the Icacls command line tool: http://technet.microsoft.com/en-us/library/cc753525.aspx but you may well conclude that life is too short and revert to using NETWORK SERVICE.
