Use the Application Pool Identity view to configure the user account under which an application pool's worker process runs. You can select one of the predefined security accounts or configure a custom account.
Built-in user account
Select this option to use one of the predefined security accounts. Then select one of the following accounts:
- LocalSystem - The Local System account has all user rights, and it is part of the Administrators group on the Web server. Whenever possible, avoid using the Local System account because it presents a serious security risk for your Web server.
- LocalService - The Local Service account is a member of the Users group and has the same user rights as the Network Service account, but limited to the local computer. Use this account when the worker process in your application pool does not require access outside the Web server on which it runs.
- NetworkService - By default, the Network Service account is selected. It is a member of the Users group and has user rights that are required to run applications. It can interact throughout an Active Directory-based network by using the computer account's credentials. This account provides the most security against an attack that might try to take over the Web server.
- ApplicationPoolIdentity - Starting with IIS 7, application pools can be ran as the "ApplicationPoolIdentity" account instead of the "NetworkService" account. This is a dedicated pseudo user account for the working process of an application pool and is the recommended pool identity.
Custom user account
Select this option to configure a custom user account for the application pool identity.
Installed user account
You can configure an installed User Account under which you want the worker process to run.
You can dynamically choose a username and a password under which you want the worker process to run, by using references to Windows Installer properties. By using this option you can choose the way the password is selected:
The password is stored inside a property.
By selecting this option you can define you own password.
If you use a custom identity, make sure that the user account you specify is a member of the IIS_IUSRS group on the Web server so that the account has proper access to resources. Additionally, when you use Windows and Kerberos authentication in your environment, you might need to register a Service Principle Name (SPN) with the domain controller (DC).
You can read more about application pools in this article.