Perform the following steps to change the identity of an application running on the IIS server, so that the application runs securely and reliably:

1. Open the IIS Manager Console.
2. Click Application Pools.
3. Select the preferred application pool from the list, for example, RDWeb Access.
4. Click Advanced Settings in the Actions menu on the right pane.
5. Set Identity under Process Model to one of the following values:
   - LocalSystem, when working with local resources only. This is the last step when configuring the application pool for local resources.
   - A specific domain user account with the appropriate privileges and delegations. For a domain user account, continue with Configuring the Application Pool for a Domain User Account.
6. Click OK.
Configuring the Application Pool for a Domain User Account: the following settings are required to run the pool with a domain user account:

1. Add the security policy on each IIS host where the Advanced Authentication IIS Authentication Plug-in is installed and grant the required permissions. For more information, see Configuring IIS Hosts.
2. Grant the domain user the necessary permissions on the domain. For more information, see Domain Access to Authorization of User Accounts.
3. Grant constrained delegation. For more information, see Configuring Constrained Delegation.
Configuring IIS Hosts: on each IIS host where the Advanced Authentication IIS Authentication Plug-in is installed, perform the following:

1. Add the preferred domain user to the local Administrators group.
2. Navigate to one of the following paths to grant the user rights listed below:
   - For local policy: Start > Administrative Tools > Local Security Policy, then navigate to Local Policies > User Rights Assignment.
   - For domain policy: open the relevant GPO in gpedit, then navigate to Local Policies > User Rights Assignment.
3. Grant the following user rights:
   - Act as part of the operating system
   - Impersonate a client after authentication
   - Log on as a service
   - Log on as a batch job
Domain Access to Authorization of User Accounts: accounts that perform Service for User (S4U) impersonation must be granted Read tokenGroupsGlobalAndUniversal. This permission is assigned automatically when the user account is a member of the built-in domain group Windows Authorization Access Group.

1. Launch Active Directory Users and Computers, click Domain/Builtin in the tree, open Windows Authorization Access Group > Properties > Members, then search for and select one or more users.

NOTE: When there are multiple domains, the pool user must be added to the group in each domain from which users will log in.
Configuring Constrained Delegation:

1. Launch Active Directory Users and Computers and select the preferred IIS host.
2. Click the Delegation tab.
3. Select Trust this computer for delegation to specified services only and select Use any authentication protocol.
4. Configure each target resource by service type and host. For example:
   - CIFS service for a file share.
   - MSSQLSvc service for SQL Server.
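The same configuration can be applied and verified from PowerShell. This is an added example, not code from the Advanced Authentication documentation; the pool name, the account CONTOSO\svc-iispool, the host IISWEB01 and the two target SPNs are placeholders for your own values, and the script assumes the WebAdministration and ActiveDirectory modules are installed on the IIS host.

```powershell
# Added example: app-pool identity, local/domain group membership and
# constrained delegation for the steps above. All names are placeholders.
Import-Module WebAdministration
Import-Module ActiveDirectory

$poolName   = 'RDWeb Access'
$poolUser   = 'CONTOSO\svc-iispool'
$iisHost    = 'IISWEB01'
$targetSpns = @('cifs/fileserver.contoso.local', 'MSSQLSvc/sqlsrv.contoso.local:1433')
$poolCred   = Get-Credential -UserName $poolUser -Message 'Application pool account password'

# Process Model > Identity = specific domain user (step 5 of the pool procedure)
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $poolUser
    password     = $poolCred.GetNetworkCredential().Password
}

# Configuring IIS Hosts, step 1: local Administrators membership on this host
Add-LocalGroupMember -Group 'Administrators' -Member $poolUser

# Domain Access: membership grants Read tokenGroupsGlobalAndUniversal for S4U.
# Repeat in every domain from which users will log in.
$samName = $poolUser.Split('\')[1]
Add-ADGroupMember -Identity 'Windows Authorization Access Group' -Members $samName

# Delegation tab: "specified services only" plus "Use any authentication protocol"
# (TRUSTED_TO_AUTH_FOR_DELEGATION with an explicit msDS-AllowedToDelegateTo list).
Set-ADAccountControl -Identity "$iisHost`$" -TrustedForDelegation $false -TrustedToAuthForDelegation $true
Set-ADComputer -Identity $iisHost -Add @{'msDS-AllowedToDelegateTo' = $targetSpns}

# Verify: the host should be trusted only for the intended SPNs, never unconstrained
Get-ADComputer $iisHost -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' }}

# Audit the four user rights from the local policy (run elevated on the IIS host):
# SeTcbPrivilege = Act as part of the OS, SeImpersonatePrivilege = Impersonate a client,
# SeServiceLogonRight = Log on as a service, SeBatchLogonRight = Log on as a batch job.
secedit /export /cfg "$env:TEMP\secpol.inf" | Out-Null
Select-String -Path "$env:TEMP\secpol.inf" `
    -Pattern 'SeTcbPrivilege|SeImpersonatePrivilege|SeServiceLogonRight|SeBatchLogonRight'
```

The user-rights assignment itself is done through the Local Security Policy or GPO steps above; the secedit export only confirms which SIDs currently hold each right on this host.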