In IIS 7, after I specify the physical path for my website and click the "Test Settings" button, I get the following warning:

The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has read access to the physical path. Then test these settings again.

So what is pass-through authentication? Literally, it should be passing some A through some B? So what are A and B?

Also, I am actually using the built-in ApplicationPoolIdentity. Why can't IIS verify that this account has proper access rights to the physical path? Why do I need to verify it myself?

Benjamin Gruenbaum
smwikipedia
  • This was the first question that appeared in my search travels, but I gained a better understanding of pass-through authentication from http://stackoverflow.com/questions/15677156/how-to-set-up-iis-7-application-pool-identity-correctly – Jonathan May 14 '13 at 09:39
  • At least don't delete the bugger. It has significance beyond "explain what a variable is" – Drew Oct 17 '16 at 04:48

1 Answer

Normally, IIS would use the process identity (the user account it is running the worker process as) to access protected resources like the file system or the network.

With passthrough authentication, IIS will attempt to use the actual identity of the user when accessing protected resources.

If the user is not authenticated, IIS will use the application pool identity instead. If the pool identity is set to NetworkService or LocalSystem, the actual Windows account used is the computer account.

The IIS warning you see is not an error, it's just a warning. The actual check will be performed at execution time, and if it fails, it'll show up in the log.

Franci Penov
  • I assume the user mentioned above is the user that is logged on to the website. Is this correct? Is pass-through authentication a form of impersonation? – Ytrog Nov 08 '13 at 07:42
  • @Ytrog yes, passthrough authentication can be considered as a form of impersonation. The IIS worker process is impersonating the user. – Franci Penov Dec 05 '13 at 21:59
  • "actual identity of the user" Which user? – Colonel Panic Jan 08 '19 at 11:24
  • The Windows user the request was authenticated as. If Windows authentication is enabled on IIS, it will attempt to authenticate the browser connection as a local machine user account or a domain account if the IIS machine is connected to one. I don't remember all the options it'll use, but I think it'll attempt a certificate, and username/password at least. If the authentication of the request as a Windows user has been successful, the worker process will be run under the identity of that Windows user, so that any file and network access is properly ACLed against that Windows user's credentials. – Franci Penov Jan 08 '19 at 19:22
  • I'm not able to verify that `If the user is not authenticated, IIS will use the application pool identity instead` when it comes to virtual directories using passthrough, I don't think that's correct. – Kelly Elton Sep 29 '20 at 23:03
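The warning leaves the Read-access check to the administrator. The PowerShell script below is an added example, not code from the question or the answer: it resolves the account a site's application pool runs as (per the rules the answer gives, including the computer account for NetworkService/LocalSystem on a domain-joined server reaching a UNC path) and inspects the physical path's ACL for a Read grant. It assumes the WebAdministration module, PowerShell 3 or later, and a site named 'Default Web Site'.

```powershell
# Added example: perform the check the IIS warning asks the administrator to do.
# Assumes the WebAdministration module (IIS 7.x or later) and PowerShell 3+.
Import-Module WebAdministration

function Get-AppPoolPrincipals {
    param([string]$PoolName, [bool]$IsUncPath)
    $pool = Get-Item "IIS:\AppPools\$PoolName"
    $cs   = Get-CimInstance Win32_ComputerSystem
    # How a domain-joined server presents itself to a remote file server. The NetBIOS
    # domain name is approximated by the first DNS label (assumption).
    $computerAccount = "$($cs.Domain.Split('.')[0])\$($cs.Name)$"
    $direct = switch ($pool.processModel.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$PoolName"; 'BUILTIN\IIS_IUSRS' }
        'NetworkService' { if ($IsUncPath -and $cs.PartOfDomain) { $computerAccount } else { 'NT AUTHORITY\NETWORK SERVICE' } }
        'LocalSystem'    { if ($IsUncPath -and $cs.PartOfDomain) { $computerAccount } else { 'NT AUTHORITY\SYSTEM' } }
        'LocalService'   { 'NT AUTHORITY\LOCAL SERVICE' }
        'SpecificUser'   { $pool.processModel.userName }
    }
    # Groups each of these identities belongs to and that default NTFS ACLs commonly name.
    return @($direct) + @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone')
}

function Test-AppPoolReadAccess {
    param([string]$SiteName)
    $site = Get-Website -Name $SiteName
    $path = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $principals = Get-AppPoolPrincipals -PoolName $site.applicationPool -IsUncPath ($path -like '\\*')
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $grant = @(); $deny = @()
    foreach ($ace in (Get-Acl -Path $path).Access) {
        if ($principals -notcontains $ace.IdentityReference.Value) { continue }
        $overlap = $ace.FileSystemRights -band $read
        # An Allow must cover all of Read; a Deny on any Read bit blocks it.
        if ($ace.AccessControlType -eq 'Allow' -and $overlap -eq $read) { $grant += $ace.IdentityReference.Value }
        elseif ($ace.AccessControlType -eq 'Deny' -and $overlap -ne 0) { $deny += $ace.IdentityReference.Value }
    }
    [pscustomobject]@{
        Site = $SiteName; Pool = $site.applicationPool; Path = $path
        CheckedPrincipals = $principals -join ', '
        ReadGrantedVia = $grant -join ', '; ReadDeniedVia = $deny -join ', '
        HasRead = ($grant.Count -gt 0 -and $deny.Count -eq 0)
    }
}

Test-AppPoolReadAccess -SiteName 'Default Web Site'
```

Membership in custom groups is not resolved, so a pool that gets Read only through a group the script does not list reports HasRead = False; add such groups to the returned principal list to cover that case.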