Adding the IIS Worker Process to the Readers Role
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1
By default, IIS runs in the Network Service account. You can, however, configure an IIS worker process to run in a different account.
If you use a remote authorization store, such as Active Directory or a remote XML file-based store, and you run IIS in the default Network Service context, you must add the Active Directory account of the Web server running IIS to the store's Readers role.
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
If Authorization Manager is not already open, click Start, click Run, type
and then click OK.
In the console tree, right-click Authorization Manager, click Open Authorization Store, click Browse, click the name of the authorization store file you want to update, click Open, and then click OK.
In the console tree, right-click the name of the store, and then click Properties.
Click the Security tab, and in the Authorization Manager user role list, click Reader, and then click Add.
In the Enter the object names to select (examples) box, type the name of the IIS worker process, and then click OK twice.
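The same change can be scripted through the Authorization Manager COM interface (AzRoles.AzAuthorizationStore). The following PowerShell is an added example, not part of the original article; it assumes Windows PowerShell is installed, and the store URL, the account name and the function name Add-AzManReader are placeholders chosen for illustration.

```powershell
# Added example. The values below are hypothetical placeholders; replace them.
$StoreUrl = 'msxml://\\fileserver\azman\AppStore.xml'  # remote XML authorization store
# A worker process running as Network Service reaches remote resources as the
# Web server's computer account, which is written DOMAIN\COMPUTERNAME$.
$Reader   = 'CONTOSO\WEB01$'

function Add-AzManReader {
    param(
        [Parameter(Mandatory = $true)][string]$StoreUrl,
        [Parameter(Mandatory = $true)][string]$Account
    )

    $store = New-Object -ComObject AzRoles.AzAuthorizationStore
    # Flags = 0 opens an existing store and never creates a new one.
    $store.Initialize(0, $StoreUrl, $null)

    # Least-privilege check: the Web server only needs to read policy,
    # so flag the account if it is already a store administrator.
    $admins = @($store.PolicyAdministratorsName)
    if ($admins -contains $Account) {
        Write-Warning "$Account is already in the Administrator role of this store."
    }

    # Skip the add when the account is already a reader.
    $readers = @($store.PolicyReadersName)
    if ($readers -contains $Account) {
        Write-Host "$Account is already in the Reader role."
        return $readers
    }

    $store.AddPolicyReaderName($Account, $null)
    # Nothing is written to the store until Submit is called.
    $store.Submit(0, $null)

    # Return the updated reader list so the change can be reviewed.
    return @($store.PolicyReadersName)
}

# Run from an account that is an administrator of the store.
Add-AzManReader -StoreUrl $StoreUrl -Account $Reader
```

Review the returned list after the call; it should contain the Web server's account and no entries you do not recognize.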
For more information about application mappings, see Installing Wildcard Application Mappings.
For more information about configuring a worker process account, see Configuring a Worker Process Identity Using a Configurable Account.