Ingenix 1160496518|%e %b %Y, %H:%M %Z|agohover
in discussion Security and Authentication / Web Services » Web Service authentication and user account used
This came from trying to get the PhnxEMail web service to work. In IIS servers previous to IIS 6.0, a worker process would by default run under the account that the IIS Service runs under. IIS 6.0 changed a things a bit.
Note: IIS 6.0 is installed with Windows Server 2003.
All IIS 6.0 worker processes (by default) run under the new built in “Network Service” user account. This account has limited access to O/S permissions and resources. Follow the link and scroll down to the Increased Security section for details.
http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/iis.mspx
Getting IIS 6.0 to use a different account for worker processes is not very well documented, and requires running a script that takes as parameters the username, password, application pool name, and virtual directory path. My understanding is that running this script will change what user the process will run under for the virtual directory/application pool.
Assuming that this script works, and the worker process remembers to use this user and password (persistence) even after a reboot; this begs the question should we set up a WebService user account in the network that can be used to run web service processes and act as an authenticated user on the database server? We could still use integrated security in our connection strings and from a programmatic point of view not worry about what account our service will run under. This is something we will likely need to work out with UHT.
The other option as I see it is to add <AppServerDomain>\NETWORK SERVICE as an integrated login to the database server and grant it phnx_role permissions.
