问题
I have deployed asp.net core 2.2 web app as a WebSite to IIS. I've set the application pool identity to ApplicationPoolIdentity:
[
I can see that System.Security.Principal.WindowsIdentity.GetCurrent() returns
IIS APPPOOL\MyCustomAppPool
But when I try to connect to SQL Server using connection string:
Server=localhost;Database=MyDadatabse;Trusted_Connection=True;
I get following error (ignore the german):
SqlException: Fehler bei der Anmeldung für den Benutzer "CompanyDomain\ComputerName$".
Why it is not using the ApplicationPool identity?
Also note, that when I set custom username/password as the identity for application pool, it works.
回答1:
To clarify this, APPPOOL\MyCustomAppPool, like LocalServer, NetworkService, and per-service SIDs are local identities. They doesn't exist on the domain, and so can't be used to access remote resource. However the server itself has an account on the domain, and when code running under these identities access remote resources, they use the computer account.
If you have multiple app pool identities on a IIS server and need to differentiate their access to network resources, or prevent the accumulation of privileges for the machine account, you will need to provision domain accounts for the app pools.
If you are connecting to a local SQL Server using the app pool identity, the error message will (confusingly) claim that you are connecting with the machine account. This is a deficiency how SQL Server reports the error. EG if I try to connect to my local SQL Server from an IIS app, it will fail with,
Login failed for user 'MyDomain\MyServer$'
until I grant access to the local SQL Sever with
create login [IIS APPPOOL\DefaultAppPool] from windows
create user [IIS APPPOOL\DefaultAppPool] for login [IIS APPPOOL\DefaultAppPool]
grant select to [IIS APPPOOL\DefaultAppPool]
来源:https://stackoverflow.com/questions/54348219/why-asp-net-core-app-uses-different-user-than-apppool-identity-for-windows-authe