CampusNexus Student Web Client – Application Pool Identity

Overview

In order to enhance security and simplify configuration and maintenance, the CampusNexus Student Web Client will use (by default) application pool identity and integrated security to access local and network resources such as SQL Server.

Application Pool Identity

Application pool identity is a feature that was introduced in Service Pack 2 (SP2) of Windows Server 2008. An application pool identity allows you to run an IIS application pool under a unique account without having to create and manage domain or local accounts. This unique account is ideal for running web applications as it has limited access to resources, uses the machine account which cannot be impersonated, and does not require you to store passwords within configuration files.

When using application pool identity, local resources are accessed using the identity of the application pool (e.g. IIS AppPool\DefaultAppPool) and network resources are accessed using the identity of the machine account (e.g. CMC\WebServer1$).

ApplicationPoolIdentity is the Microsoft recommended (and default) identity for IIS application pools. For more information on application pool identity and how to secure local and network resources, please read Application Pool Identities on iis.net.

Integrated Security

Integrated security uses the identity that is executing the process to authenticate against SQL Server. Integrated security is more secure than SQL Server authentication as it does not require credentials to be present within the database connection string. When using application pool identity with integrated security, connections to SQL Server use the identity of the application pool or machine account.

SQL Server Authentication

Integrated Security

 

What this Means for the CampusNexus Student Web Client

  • By default, ApplicationPoolIdentity will be the identity used by the application pool.
  • By default, all connection strings within the web.config will use integrated security.

To authorize a web server’s access to SQL Server:
If SQL Server is running on a different machine than the web server (most common):
Grant the machine account access to the Database:

For example:

If SQL Server is running on the same machine as the web server:
Grant the application pool account to the Database:

For example:

It is a common and recommended practice to use an Active Directory group to maintain the list of application servers that have access to the Database. This allows you to associate resource access to the group as a whole rather than each individual application server.

Leave a Reply

Skip to toolbar