Professional Microsoft IIS 8
by Kenneth Schaefer, Jeff Cochran, Scott Forsyth, Dennis Glendenning, Benjamin Perkins
Configuring Authorization
As mentioned above, authentication and authorization are discrete steps in determining the final response to be sent to the end user. The authorization process occurs after the user has been authenticated and involves determining if the user has access to the resource or not. Typically, the resources accessed are files on a hard disk (or possibly a database), and NTFS permissions are used to control access. Once the end user has been determined, NTFS permissions then determine if the user is able to access the resource in the requested way.
Depending on how the user authenticated, how IIS 8.0 is configured, and what type of resource the user is attempting to access, the actual user account being used is different!
The following table summarizes the common accounts used:
| Authentication Mechanism | User Account Being Used by IIS |
| Anonymous | IUSR for non-ASP.NET content. Application pool identity (Network Service) for ASP.NET content. |
| HTTP (Basic, Digest, NTLM, Kerberos) | End user for non-ASP.NET content. Application pool identity (Network Service) for ASP.NET content. |
| URL authorization | IUSR for non-ASP.NET content. Application pool identity (Network Service) for ASP.NET content. |
The IUSR account is used for non-ASP.NET content unless the Application Pool Identity option is configured. See “Configuring Anonymous Authentication” above in this chapter for more information on this setting.
Configuring NTFS permissions to permit (or deny) access can be done ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access