Subscribe

Solve login failed error for IIS APPPOOL\DefaultAppPool

I recently ran into the classic SQL Server connection error message "Login failed". This, of course, nearly always has to do with insufficient rights to the database.

However, I also got this error message:

Login failed for user 'IIS APPPOOL\DefaultAppPool

In this case, I tried to anonymously connect to a SQL Server Database (in Windows 7, mind).

This is how to solve the problem:

  1. In Internet Information Services, right click the website that tries to connect to the database->choose Manage Web Site -> Advanced Settings. Take a look at the Application Pool used, in this case DefaultAppPool:
    IIS Application Pool settings
  2. Now that you know the application pool the website uses, instead right click Application Pools (in IIS root) -> right click the correct application pool -> choose Advanced Settings.
  3. Under Advanced Settings, find Identity and choose LocalService as the Built-in account (or LocalSystem if that's the option you've got):
    Change Application Pool Identity to LocalService
  4. Done!

Comments

1. bruce on Jan 28th, 2010 01:28 PM

thank you very much you help me a lot

2. Kristoffer Högberg on Feb 16th, 2010 02:40 PM
Follow on Twitter.

Very helpful post, thanks.

3. Rich on Jun 28th, 2010 02:45 AM

that helped me.

Just installed Visual Studio on Windows 7 box

4. amir on Jul 9th, 2010 03:03 PM

Perfect Solution

5. glory on Aug 26th, 2010 12:12 PM

From point of security reasons is better to add IIS APPPOOL\DefaultAppPool as owner of your db. For example, just run the next command in the Query window of selected db:
sp_addrolemember 'db_owner','IIS APPPOOL\DefaultAppPool'

6. pitso phera on Oct 9th, 2010 12:15 AM
Follow on Twitter.

very helpful

7. Abbid on Oct 16th, 2010 07:44 AM

Still Getting the same problem

8. Abbid on Oct 16th, 2010 07:47 AM

Its giving the following error now...

Cannot open database "xxxxxxxx" requested by the login. The login failed.
Login failed for user 'NT AUTHORITY\LOCAL SERVICE'.

9. Pablo Esteban on Oct 29th, 2010 08:50 AM

Thanks Dileno and thanks glory, because I didn't find "LocalService" in "Built-in account" and better if that's more secure.

10. pitso phera on Nov 18th, 2010 09:54 AM
Follow on Twitter.

@Abbid i found the same problem when i used local service..choose LocalSystem and everything will be fine :D

11. Dan on Dec 4th, 2010 10:26 AM

Thanks man, i am very grateful. All problems solved in an instant. keep the fire burning

12. kai on Jan 18th, 2011 04:17 AM

It works, thanks!!!!!!!!!!!

13. Muhammad Farid on Jan 20th, 2011 08:25 AM

Thanks it workes I was in trouble about this problem

14. kibe on Jan 20th, 2011 01:08 PM

thanks alot its works fine

15. Jef on Feb 12th, 2011 06:48 PM

For me it does not worked as LocalService but worked! as LocalSystem.

16. Andy on Apr 26th, 2011 04:01 PM

This solution is nonsense because it shows a clear lack of understanding in the security model. You are putting your customer or company at risk by setting up LocalSystem and allowing your application pool to have more file system and execution privileges than it needs (if you are doing this in a development environment for sake of troubleshooting,

The recommended Microsoft solution is to create a separate account. However, if your solution is small, you can instead add the 'IIS APPPOOL\DefaultAppPool' user as a database user in your SQL instance, then providing the proper 'User Mappings' to the databases you need the DefaultAppPool user to access. You may not necessarily be able to search for this user, but you can still enter it in the 'Login name' field in the "Login - New" window as "IIS APPPOOL\DefaultAppPool" (without the quotes).

Follow this link as a reference and pay attention to the last post: http://social.msdn.microsoft.com/Forums/en-US/sqlsetupandupgrade/thread/73eee0b4-9eee-4a71-a448-3e3eef9ee404/

17. Michael on Apr 26th, 2011 11:55 PM

The built in NTAuthority\Network Service account is much less privileged than the Local System account which is basically the OS of the local machine. I configured the app pool to use the Network Service account in IIS 7.0. I then created a Login on the database instance for the Network Service account. For my application it was only necessary to add the db_datareader role to the Network Service account on the database.

This allowed my ASP.NET web page to connect to a SQL2008 instance using Integrated Security with ADO.NET , run an INSERT sproc to populate a table and then display the data in tabular form in grid format on the web page.

18. Michael on Apr 28th, 2011 09:45 PM

As an addendum to my previous post above on April 26th i need to clarify that it was necessary to add the db_owner role to the Network Service account in my db instance to allow my stored procedere to insert to the table. I have two ASP.NET web pages. The first page is named FormInput.aspx and allows data to be added to a datagrid form with FirstName, LastName, StudentID, EmailAddress etc. After the data is entered into the form the user then hits the submit button and the new data is supposed to display on the "ViewStudentInfo.aspx page"
Initially the ViewStudentInfo.aspx successfully pulled the data from the database table successfully. So whatever data that is present in the table shows up on the aspx page nicely. However the call to the sproc to insert new data did not work until I added the db_owner role to the Network Service that the app pool is using to connect to the database. Initially I tried to limit the roles to just db_datareader and db_datawriter but it did not work.

19. Steven Sproat on Jun 23rd, 2011 05:04 PM

Thanks, this helped a bunch!

20. SUPER DAVE on Aug 23rd, 2011 01:08 AM

Andy says:
Andy on Apr 26th, 2011 04:01 PM
This solution is nonsense because it shows a clear lack of understanding in the security model. You are putting your customer or company at risk by setting up LocalSystem and allowing your application pool to have more file system and execution privileges than it needs (if you are doing this in a development environment for sake of troubleshooting,

The recommended Microsoft solution is to create a separate account. However, if your solution is small, you can instead add the 'IIS APPPOOL\DefaultAppPool' user as a database user in your SQL instance, then providing the proper 'User Mappings' to the databases you need the DefaultAppPool user to access. You may not necessarily be able to search for this user, but you can still enter it in the 'Login name' field in the "Login - New" window as "IIS APPPOOL\DefaultAppPool" (without the quotes).

Follow this link as a reference and pay attention to the last post: http://social.msdn.microsoft.com/Forums/en-US/sqlsetupandupgrade/thread/73eee0b4-9eee-4a71-a448-3e3eef9ee404/

I say: I cannot sucessfully "ADD" the "IIS APPPOOL\DefaultAppPool as a user. I get the famous "CREATE FAILED for login user IIS APPPOOL\DefaultAppPool
Why is SQL Server 2008 not allowing me to add this login?
Thanks.

21. ap on Aug 31st, 2011 11:29 PM

Generally, logins for SQL have to be created at the top level SECURITY \ LOGINS area first, and then added as a user on the appropriate DB (unless you're giving a system-wide role). You can't add directly to the database without the login existing at the top level.

22. Reza on Sep 16th, 2011 02:59 PM

Thanks

23. Anand on Oct 11th, 2011 11:01 AM

Hey not showing this option for built-in-account

24. BigZ on Oct 19th, 2011 11:20 PM

Dude you saved my life. Thanks

25. sanchita on Dec 14th, 2011 12:42 PM

its work...
thanks a lot....... :)

26. Mujeeb on Jan 11th, 2012 09:07 PM

LocalSystem works for me
Thanks

27. Oh yeah on Feb 2nd, 2012 03:09 PM

Ok

Thanks ;)

Good Solution

Write a comment





Or use Twitter to identify


To the top