Microsoft & .NETASPIIS and ASP.NET: The Application Pool

IIS and ASP.NET: The Application Pool

Developer.com content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

In this part, we will take a look at one of the new features in IIS 6.0, named Application Pool, and demonstrate the use of application pools in isolating ASP.NET Web applications, thereby increasing the reliability of your ASP.NET Web applications. Then, we also will explore how these application pools affect ASP.NET applications in terms of the identity that is used to run your ASP.NET applications. Along the way, we will also look at the steps to be followed for creating application pools and assigning ASP.NET applications to run under a specific application pool. Finally, we will illustrate how to configure an application pool to run using the credentials of a specific user account.

What is an Application Pool?

An Application Pool can contain one or more applications and allows us to configure a level of isolation between different Web applications. For example, if you want to isolate all the Web applications running in the same computer, you can do this by creating a separate application pool for every Web application and placing them in their corresponding application pool. Because each application pool runs in its own worker process, errors in one application pool will not affect the applications running in other application pools. Deploying applications in application pools is a primary advantage of running IIS 6.0 in worker process isolation mode because you can customize the application pools to achieve the degree of application isolation that you need.

When you configure application pools for optimum availability, you also should consider how to configure application pools for application security. For example, you might need to create separate application pools for applications that require a high level of security, while allowing applications that require a lower level of security to share the same application pool. In the later part of this article, we will see how to configure identities at the application pool level.

Creating a new Application Pool

Creating a new application pool is a very simple process that is carried out by using the IIS manager. When you create a new application pool, you have the following two options:

  1. You can either create a new application pool from scratch or
  2. You can create a new application by importing the configuration settings from an external XML file

To create a new application pool from scratch, right-click on the Application Pools node from the tree view and select New->Application Pool from the context menu. You will be presented with the following screen, where you need to enter a name for the application pool.

When creating a new application, you also have the option of inheriting the settings from an existing application pool. For example, if you want your new application pool to inherit the settings from the DefaultAppPool, you can do that by selecting the option Use existing application pool as a template in the above screen. After you pick this option, the Application Pool name dropdown box will be enabled from where you can select an existing application pool.

After the pool is created, you can save the settings of the application pool to an external XML file any time by right-clicking the application pool and selecting the option All Tasks->Save Configuration to a File that is available from the context menu. This is an extremely useful feature that makes it possible for you to easily recreate the same application pool on the same server or on a different server with minimal effort.

Configuring Identity for ASP.NET Web Applications

In previous versions of IIS, worker processes ran as LocalSystem, a powerful account that has system administrator privileges on the server. Because LocalSystem has access to almost all resources on the operating system, this caused security implications. As mentioned previously, in IIS 6.0, you can set the identity of the worker process at the application pool level. The identity of an application pool is the account under which the application pool’s worker process runs. By default, application pools operate under the NetworkService account, which has low-level user access rights. The NetworkService account has the following seven privileges:

  • Adjust memory quotas for a process
  • Generate security audits
  • Log on as a service
  • Replace process level token
  • Impersonate a client after authentication
  • Allow logon locally
  • Access this computer from the network

By running the worker process using a very low-privileged account such as NetworkService, you can reduce the security vulnerability. However, by using IIS manager, you can configure the application pool to run as any of the following pre-defined accounts:

  • NetworkService
  • LocalSystem
  • LocalService

To configure identity for an application pool, right-click the application pool and select Properties from the context menu. In the Properties dialog box, select the Identity tab and you will see the following screen.

In the above dialog box, when you select the Predefined option, you can select any of the pre-defined accounts from the dropdown box. Instead of using a pre-defined account, if you want your application pool to run under a different account, select the Configurable option and then set the User name and Password in the textboxes. This approach is particularly useful especially when you are running multiple applications or sites on one Web server. For example, if an ISP hosts two companies—who may even be competitors—on one Web server, it has to guarantee that these two applications run in isolation from each other. More importantly, the ISP has to make sure that a malicious administrator for one application can’t access the data of the other application. You can accomplish this level of isolation by using the configurable worker process identity.

Configuring Identity for an Application Pool

Learn ASP & ASP.NET and Start your Free Trial today!

To demonstrate how to configure the identity for an application pool and how ASP.NET uses that identity information at the execution time, we will create a very simple ASP.NET application. We will start off by creating a new ASP.NET application named IdentityExample by using the New Project dialog box in Visual Studio.NET. After the project is created, if you open up IIS manager, you will find that the IdentityExample project is created in the default application pool named DefaultAppPool.

Now, let us add the following lines of code to the Page_Load event of the default Web form WebForm1.aspx.

private void

 Page_Load(

object

 sender, System.EventArgs e)
{
  Response.Write(
   "ASP.NET application executes using the
           identity :: <b>" +
    WindowsIdentity.GetCurrent().Name + 
         "</b><br>");
}

As you can see from the above code, we simply display the name of the account that the ASP.NET Web application uses to process the service. If you execute thise code by navigating to the page from the browser, you will see the following output.


Click here for a larger image.

As expected, the output reflects the change that we made using the IIS manager.

Associating an ASP.NET Web Application with an Application Pool

Create a new Visual Studio.NET project named IISIntegration using the New Project dialog box as shown in the following screen shot.

After creating the new project, if you open up IIS Manager, you will find that the IISIntegration project is created under an application pool named DefaultAppPool. As the name suggests, by default, all the newly created ASP.NET Web applications are created under this application pool. This is shown in the following screen shot.

# # #

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends & analysis

Latest Posts

Related Stories