IIS7, SQL 2008 and ASP.NET MVC security

If you are NOT using Active Directory, then ignore all of the other solutions mentioned here. The confusion stems from the new ApplicationPoolIdentity setting default in IIS 7.5+ (MS keeps changing the identity mechanisms).

  1. Open SQL Management Studio, connect to your local machine as an admin.
  2. Expand the Security branch.
  3. Right click on Logins and select New Login.
  4. Into the Login Name field, type "IIS APPPOOL\MyApplicationName". Do NOT click the search button. The user profile doesn't actually exist on the local machine, it's dynamically created on demand.

While you're looking at it, don't forget to add the user to a database or a server role.


Here is an article that explains why AppPoolIdentities are in use; basically, it's about enhanced security: http://learn.iis.net/page.aspx/624/application-pool-identities/

(That article claims I can use these virtual accounts just like any regular account but on my Windows Server 2008 that does not seem to be possible; adding e.g. IIS AppPool\DefaultAppPool just produces an error: "The following object is not from a domain listed in the Select Location dialog box, and is therefore not valid.")


Erick Falsken is right, however he is missing the User Mappings. So right click on the new IIS APPPOOL/DefaultAppPool, click on Properties and then check boxes for: 1) databases master and yourdatabase 2) db_owner and public


The error means the web application doesn't have access to your database. On Windows 7 / IIS 7, by default each application pool has its own user. It seems the idea is to improve security by restricting what that web application can do (in case it gets compromised and controlled from the outside). You can change what user the application pool is running under but that will defeat its own purpose. A better way seems to be to give the pool's user the needed permissions (and not a bit more).

On the SQL Management Studio connect to the server you want your web app to connect (tested with SQL server 2008). Go to

Security -> Log ins

right click, New Log in. In the form that comes up leave everything as default except username, where you have to type whatever username the web app is trying to use, in this case 'IIS APPPOOL\MyApplicationName'. Note that the search function of that dialog fails to find or check as valid that user, but nevertheless it works.

Still on the SQL Management Studio connected to the server go to

Databases -> *YOUR-DATABASE* -> Security -> Users

right click and New User. I'm not sure if the user name field there has any effect, I just set it to the last part of the username, like MyApplicationName. Then I've set the login name to IIS APPPOOL\MyApplicationName. You can click on the ... button and use the check and search, this time it works. If you don't do the previous step, the user will not be present here. Then give whatever permissions you want to this user, like db_datareader.

And that's it, you've given permission. If lack of permissions was your problem, then it should be solved (or at least, I've just solved it that way).

I have a total of 2 hours of experience with IIS, about three weeks with SQL Server and less than two months with Microsoft technologies, so take my advice with a grain of salt, I can be totally wrong. (If another person can confirm these are the right steps, feel free to remove the last warning).
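
The two GUI steps described in the answers above (a server login for the app pool identity, then a database user with a narrow role), scripted in T-SQL as an added example that is not part of any of the original answers. `MyApplicationName` and `YourDatabase` are placeholders, and the script assumes SQL Server runs on the same machine as the IIS application pool.

```sql
-- Added example: placeholders MyApplicationName (app pool) and YourDatabase.
-- Safe to re-run: each step checks whether it has already been done.

USE [master];
GO
-- Step 1: server-level login for the app pool's virtual account.
-- FROM WINDOWS resolves the name directly, like typing it without "Search".
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'IIS APPPOOL\MyApplicationName')
    CREATE LOGIN [IIS APPPOOL\MyApplicationName] FROM WINDOWS;
GO

USE [YourDatabase];
GO
-- Step 2: database user mapped to that login.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'MyApplicationName')
    CREATE USER [MyApplicationName]
        FOR LOGIN [IIS APPPOOL\MyApplicationName];
GO

-- Step 3: grant only what the application needs. db_datareader is the role
-- named in the answer above; add further roles one at a time as required.
-- sp_addrolemember is used because it works on SQL Server 2008.
IF IS_ROLEMEMBER(N'db_datareader', N'MyApplicationName') = 0
    EXEC sp_addrolemember N'db_datareader', N'MyApplicationName';
GO

-- Step 4: review what the app pool user actually holds in this database.
-- A db_owner row here means the web application can alter or drop anything
-- in the database if it is compromised.
SELECT u.name AS database_user,
       r.name AS role_name,
       CASE WHEN r.name = N'db_owner' THEN 'over-privileged' ELSE 'ok' END
           AS review
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'MyApplicationName';
```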