As mentioned above, authentication and authorization are discrete steps in determining the final response to be sent to the end user. The authorization process occurs after the user has been authenticated and involves determining if the user has access to the resource or not. Typically, the resources accessed are files on a hard disk (or possibly a database), and NTFS permissions are used to control access. Once the end user has been determined, NTFS permissions then determine if the user is able to access the resource in the requested way.
Depending on how the user authenticated, how IIS 8.0 is configured, and what type of resource the user is attempting to access, the actual user account being used is different!
The following table summarizes the common accounts used:
|Authentication Mechanism||User Account Being Used by IIS|
|Anonymous||IUSR for non-ASP.NET content. Application pool identity (Network Service) for ASP.NET content.|
|HTTP (Basic, Digest, NTLM, Kerberos)||End user for non-ASP.NET content. Application pool identity (Network Service) for ASP.NET content.|
|URL authorization||IUSR for non-ASP.NET content. Application pool identity (Network Service) for ASP.NET content.|
The IUSR account is used for non-ASP.NET content unless the Application Pool Identity option is configured. See “Configuring Anonymous Authentication” above in this chapter for more information on this setting.
Configuring NTFS permissions to permit (or deny) access can be done ...