
How to prevent using "LocalSystem" application pool identity when connecting through certificate


The site I need to configure on our IIS server (on Win 2019) uses a certificate to communicate with an external service. The certificate is present in the certificates plugin in category personal and trusted. It also uses an intermediate certificate.

The correct application pool has full permission on the certificate in /personal, as does the "network service" user. The private certificate isn't exportable.

The SSL connection works when the application pool is configured with identity "LocalSystem" but it doesn't work with "ApplicationPoolIdentity". Changing the "Load user profile" of the application pool from false to true doesn't change anything.

The site uses libraries written for it and is only used within the company. Is using "LocalSystem" the only solution when using libraries?


Solution

  • You can try a different user account in Application pool identity.

    Built-in user account: Select this option to use one of the predefined security accounts. Then select one of the following accounts:

    • LocalSystem - The Local System account has all user rights, and it is part of the Administrators group on the Web server. Whenever possible, avoid using the Local System account because it presents a serious security risk for your Web server.
    • LocalService - The Local Service account is a member of the Users group and has the same user rights as the Network Service account, but limited to the local computer. Use this account when the worker process in your application pool does not require access outside the Web server on which it runs.
    • NetworkService - By default, the Network Service account is selected. It is a member of the Users group and has user rights that are required to run applications. It can interact throughout an Active Directory-based network by using the computer account's credentials. This account provides the most security against an attack that might try to take over the Web server.
    • ApplicationPoolIdentity - Starting with IIS 7, application pools can be run as the "ApplicationPoolIdentity" account instead of the "NetworkService" account. This is a dedicated pseudo user account for the working process of an application pool and is the recommended pool identity.

    Custom user account: Select this option to configure a custom user account for the application pool identity.

    Installed user account: You can configure an installed User Account under which you want the worker process to run.

    Property-based user: You can dynamically choose a username and a password under which you want the worker process to run, by using references to Windows Installer properties. By using this option you can choose the way the password is selected:

    Password property: The password is stored inside a property.

    Predefined password: By selecting this option you can define your own password.

    Note: If you use a custom identity, make sure that the user account you specify is a member of the IIS_IUSRS group on the Web server so that the account has proper access to resources. Additionally, when you use Windows and Kerberos authentication in your environment, you might need to register a Service Principal Name (SPN) with the domain controller (DC).
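The answer above recommends staying on "ApplicationPoolIdentity" rather than "LocalSystem". The usual reason the TLS client certificate only works under LocalSystem is that the pool's virtual account (`IIS AppPool\<pool name>`) cannot read the private key file, even when the certificate itself looks permitted in the MMC. The following PowerShell script is an added example, not code from the original question or answer: it locates the private key file behind a certificate in `Cert:\LocalMachine\My` and grants the pool's virtual account Read access to it, then prints the resulting ACL so the change can be verified. The pool name and thumbprint are placeholders you must replace; the key file locations assumed are the standard machine-key folders for CNG (`Crypto\Keys`) and legacy CAPI (`Crypto\RSA\MachineKeys`) keys.

```powershell
# Added example (not from the original post): grant an IIS application pool's
# virtual account read access to a certificate's private key so the pool can
# run as ApplicationPoolIdentity instead of LocalSystem.
# Assumptions: $PoolName and $Thumbprint are placeholders; the certificate is
# installed in Cert:\LocalMachine\My; run in an elevated PowerShell session.
param(
    [string]$PoolName   = 'MyAppPool',                     # placeholder pool name
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder thumbprint
)

# ApplicationPoolIdentity maps to the virtual account "IIS AppPool\<pool name>".
$account = "IIS AppPool\$PoolName"

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in LocalMachine\My"
}

# Resolve the on-disk key container name. CNG keys expose it via RSACng.Key.UniqueName,
# legacy CAPI keys via CspKeyContainerInfo.UniqueKeyContainerName.
$keyName = $null
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -and $rsa.Key) { $keyName = $rsa.Key.UniqueName }
} catch { }
if (-not $keyName -and $cert.PrivateKey) {
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
}
if (-not $keyName) { throw "Could not determine the private key container name" }

# Machine keys live under ProgramData; check the CNG folder first, then the CAPI folder.
$candidates = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
)
$keyFile = $candidates |
    ForEach-Object { Join-Path $_ $keyName } |
    Where-Object  { Test-Path $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under ProgramData\Microsoft\Crypto" }

# Grant Read only: the pool needs to use the key, not export or replace it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: the pool's virtual account should now appear with Read rights.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -like "*$PoolName*" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

After running it, recycle the application pool and retest the outbound TLS call with the pool still set to "ApplicationPoolIdentity". If the connection still fails, check whether the library opens the certificate from `StoreLocation.CurrentUser` rather than `LocalMachine`; the virtual account has its own (empty) user store, which is another reason a site can appear to work only under LocalSystem.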