1. What is an application pool?
2. Creating a new Application Pool
3. Configuring Identity for ASP.NET Web Applications
4. Special Identity
5. Use it in Websites
6. Recycling Worker Processes and Their Impact on Application State Information
7. Security setting of files
Reference
1. What is an application pool?
An Application Pool can contain one or more applications and allows us to configure a level of isolation between different Web applications. For example, if you want to isolate all the Web applications running in the same computer, you can do this by creating a separate application pool for every Web application and placing them in their corresponding application pool. Because each application pool runs in its own worker process, errors in one application pool will not affect the applications running in other application pools. Deploying applications in application pools is a primary advantage of running IIS 6.0 in worker process isolation mode because you can customize the application pools to achieve the degree of application isolation that you need.
When you configure application pools for optimum availability, you also should consider how to configure application pools for application security. For example, you might need to create separate application pools for applications that require a high level of security, while allowing applications that require a lower level of security to share the same application pool.
2. Creating a new Application Pool
Creating a new application pool is a very simple process that is carried out by using the IIS manager. When you create a new application pool, you have the following two options:
- You can create a new application pool from scratch, or
- You can create a new application pool by importing the configuration settings from an external XML file
To create a new application pool from scratch, right-click the Application Pools node in the tree view and select New->Application Pool from the context menu. You will be presented with a dialog box where you need to enter a name for the application pool.
When creating a new application pool, you also have the option of inheriting the settings from an existing application pool. For example, if you want your new application pool to inherit the settings from the DefaultAppPool, you can do that by selecting the option Use existing application pool as a template in that dialog box. After you pick this option, the Application Pool name dropdown box is enabled, and you can select an existing application pool from it.
After the pool is created, you can save the settings of the application pool to an external XML file any time by right-clicking the application pool and selecting the option All Tasks->Save Configuration to a File that is available from the context menu. This is an extremely useful feature that makes it possible for you to easily recreate the same application pool on the same server or on a different server with minimal effort.
3. Configuring Identity for ASP.NET Web Applications
In previous versions of IIS, worker processes ran as LocalSystem, a powerful account that has system administrator privileges on the server. Because LocalSystem has access to almost all resources on the operating system, this had security implications. As mentioned previously, in IIS 6.0, you can set the identity of the worker process at the application pool level. The identity of an application pool is the account under which the application pool's worker process runs. By default, application pools operate under the NetworkService account, which has low-level user access rights. The NetworkService account has the following seven privileges:
- Adjust memory quotas for a process
- Generate security audits
- Log on as a service
- Replace process level token
- Impersonate a client after authentication
- Allow logon locally
- Access this computer from the network
By running the worker process under a very low-privileged account such as NetworkService, you can reduce the server's exposure to attack. However, by using IIS Manager, you can configure the application pool to run as any of the following predefined accounts:
- NetworkService
- LocalSystem
- LocalService
To configure identity for an application pool, right-click the application pool and select Properties from the context menu. In the Properties dialog box, select the Identity tab.
On the Identity tab, when you select the Predefined option, you can select any of the predefined accounts from the dropdown box. If you want your application pool to run under a different account instead, select the Configurable option and then set the User name and Password in the textboxes. This approach is particularly useful when you are running multiple applications or sites on one Web server. For example, if an ISP hosts two companies (who may even be competitors) on one Web server, it has to guarantee that these two applications run in isolation from each other. More importantly, the ISP has to make sure that a malicious administrator for one application can't access the data of the other application. You can accomplish this level of isolation by using the configurable worker process identity.
4. Special Identity
To change the account under which an application pool runs using IIS Manager:
1. In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool, and then click Properties.
2. Click the Identity tab, and click either Predefined or Configurable. Predefined refers to standard service names, such as Network Service (the default), LocalSystem, or Local Service. Configurable refers to registered user names.
   - If you click Predefined, click a predefined account in the list box.
   - If you click Configurable, in the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate. Then, add the account to the IIS_WPG group.
3. Click OK.
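An added example (not part of the original article and not Microsoft tooling): a small Python audit of an application pool configuration saved to XML, reporting each pool's identity and assigned applications and flagging pools that run as LocalSystem or are shared by several applications. The XML sample is constructed; the element and attribute names (IIsApplicationPool, AppPoolIdentityType, WamUserName, AppPoolId) and the numeric identity codes are assumed to follow the IIS 6.0 metabase schema, and the pool, site and account names are made up.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# AppPoolIdentityType codes (assumed IIS 6.0 metabase encoding).
IDENTITY = {"0": "LocalSystem", "1": "LocalService",
            "2": "NetworkService", "3": "Configurable"}

# Constructed sample shaped like a saved configuration; all names are made up.
SAMPLE = """<configuration xmlns="urn:example:constructed"><MBProperty>
  <IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" AppPoolIdentityType="2"/>
  <IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="0"/>
  <IIsApplicationPool Location="/LM/W3SVC/AppPools/CompanyAPool"
      AppPoolIdentityType="3" WamUserName="WEB01\\svc_companyA"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AppPoolId="DefaultAppPool"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" AppPoolId="DefaultAppPool"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT" AppPoolId="LegacyPool"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/4/ROOT" AppPoolId="CompanyAPool"/>
</MBProperty></configuration>"""

def audit_pools(xml_text):
    """Map each pool name to its identity, assigned applications and findings."""
    pools, apps = {}, defaultdict(list)
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]      # tolerate a default XML namespace
        loc = el.get("Location", "")
        if tag == "IIsApplicationPool":
            kind = IDENTITY.get(el.get("AppPoolIdentityType"), "Unspecified")
            findings = []
            if kind == "LocalSystem":
                findings.append("runs as LocalSystem")
            elif kind == "Unspecified":
                findings.append("identity not set on this node; check inherited value")
            elif kind == "Configurable":
                # Report the configured account instead of the generic label.
                kind = el.get("WamUserName") or "Configurable (no user name)"
            pools[loc.rsplit("/", 1)[-1]] = {"identity": kind, "findings": findings}
        elif el.get("AppPoolId"):
            # Any node carrying AppPoolId is an application assigned to that pool.
            apps[el.get("AppPoolId")].append(loc)
    for name, info in pools.items():
        info["apps"] = sorted(apps.get(name, []))
        if len(info["apps"]) > 1:
            info["findings"].append(f"shared by {len(info['apps'])} applications")
    return pools

if __name__ == "__main__":
    for name, info in audit_pools(SAMPLE).items():
        print(name, "|", info["identity"], "|", info["apps"], "|", info["findings"] or "ok")
```

A shared pool is not necessarily a defect, since applications with lower security requirements may share one; the finding marks where process isolation does not exist so the grouping can be reviewed.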
5. Use it in Websites
6. Recycling Worker Processes and Their Impact on Application State Information
If a Web application contains code that causes problems, and you cannot easily rewrite the code, it might be useful to limit the extent of the problems by periodically recycling the worker process that services the application. You can accomplish this by using what is known as Worker Process Recycling. Worker process recycling is the replacing of the instance of the application in memory. IIS 6.0 can automatically recycle worker processes by restarting the worker process, or worker processes, that are assigned to an application pool. This helps keep problematic applications running smoothly, and minimizes problems such as memory leaks. You can trigger the recycling of the worker processes assigned to an application pool by using worker process recycling methods that are based on elapsed time, the number of Hypertext Transfer Protocol (HTTP) requests, a set time of day, and two kinds of memory consumption, in addition to recycling on demand.
To configure all the above settings, go to the Properties window of the application pool in which your Web application is running using the IIS manager. Using the Recycling, Performance, and Health tabs in the Properties window, you can specify values for the above settings. Navigating to the Performance tab in the Properties dialog box of the DemoAppPool results in the following output.
When you set the recycling of worker processes using IIS Manager, you also need to take the state management strategy of your ASP.NET application into consideration, because every time the worker process is recycled, the ASP.NET state information is lost, rendering the application in an invalid state. One alternative to overcome this issue is to maintain state data external to the worker process, such as in a database. However, moving data to an external database to allow recycling can affect server performance in the following two ways:
- Performance is reduced because of the added data management that is needed to move the data between the application and the database.
- Recycling flushes any in-process data caches, so the caches need to be rebuilt.
If you have an application pool with applications that depend on state data, you must decide whether or not to recycle the worker processes that are assigned to that application pool. If you store state in the same process as that of IIS, and you don't want the state information to be lost, you must not recycle a worker process using the application pool configuration settings.
7. Security setting of files
We can set the permissions of the application pool identity on files. Right-click the file or folder and select Properties->Security.
Add the user account you use as the application pool identity and set its permissions. It's easy.