Windows 7 and Windows Server 2008 R2 ship with IIS 7.5. While migrating the StarterSTS, I made an interesting observation. I vaguely remember reading about this somewhere – but basically I got this error message:
Cannot open database “aspnetdb” requested by the login. The login failed. Login failed for user ‘IIS APPPOOL\DefaultAppPool’.
That’s an interesting account.
A closer look reveals that in IIS Manager you now have five accounts to choose from when setting up an App Pool: System, Network Service, Local Service, Custom… and ApplicationPoolIdentity. The default value is ApplicationPoolIdentity.
With this new setting, a new primary SID is injected into the worker process – all Windows security checks are done against this new SID. Converting that NT Account to an SID reveals an S-1-5-82 – which was new to me.
So in the light of the recent problems with system account sharing (here and here), this is a good change and makes it even easier to isolate worker processes.
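To see which account each worker process actually runs under, and whether any pools still share one, the following script lists every app pool with its account and SID. It is an added example, not part of the original post; it assumes the WebAdministration module that ships with IIS 7.5 and an elevated PowerShell prompt, and the function name `Resolve-AppPoolAccount` is made up for illustration.

```powershell
# Added example: audit the identity of every IIS application pool.
Import-Module WebAdministration

function Resolve-AppPoolAccount {
    param($Pool)
    # Map the pool's identityType to the NT account name used in access checks.
    switch ($Pool.processModel.identityType) {
        'ApplicationPoolIdentity' { "IIS APPPOOL\$($Pool.Name)" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $Pool.processModel.userName }
    }
}

$report = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $account = Resolve-AppPoolAccount $pool
    try {
        # Same conversion the post describes: NT account name to SID.
        $nt  = New-Object System.Security.Principal.NTAccount($account)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = '<unresolved>'
    }
    New-Object PSObject -Property @{
        Pool      = $pool.Name
        Account   = $account
        Sid       = $sid
        # S-1-5-82 is the prefix the post observed for ApplicationPoolIdentity.
        PerPool   = $sid -like 'S-1-5-82-*'
    }
}

# Full inventory.
$report | Sort-Object Pool | Format-Table Pool, Account, Sid, PerPool -AutoSize

# Pools that share one account are not isolated from each other.
$report | Group-Object Account | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $names = ($_.Group | ForEach-Object { $_.Pool }) -join ', '
    Write-Warning "Shared identity '$($_.Name)' used by pools: $names"
}
```

The `Account` column is also the login name SQL Server expects, which is why the `aspnetdb` connection fails until that account is granted access to the database.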