0
votes

I have SQL Server 2012, IIS, and ASP.NET Core installed on Windows 7 and Windows 8.1. But in SQL Server, when I try to add BUILTIN\IIS_IUSRS as a login, I always get the error shown in image 2. The domain name is the name of the computer itself, and the computers are not in any other domain:

enter image description here

Error:

enter image description here

1
IIS_IUSRS is a user group. Surely if you were going to do this for some reason, you'd be adding IUSR instead, right? Since it would be the user logging into SQL, not the user group. - ZLK
Like the other comment indicated, IIS_IUSRS is a group of all application pool identities. It would be a security risk to use that group in any access control (like SQL Server access), so stop right now and add individual application pool identities you really want to grant instead. - Lex Li
@ZLK My ASP.NET CORE app created from this example but connecting to SQLEXPRESS2012 instead of LocalDb does not work when deployed to IIS and adding IUSR to the db with db_owner. It works fine when browsing pages that do not call Db. But fails when connecting to Db. But the connection string is not an issue since the app works fine with same connection string when running from VS2017. - nam
@LexLi I added IUSR with db_owner role to my Db. But that does not work as I posted here. - nam
I never say you should set permissions on IUSR, do I? A well designed web app should use a service account (Microsoft AD has typical service account setup scenarios you can refer to) as pool identity and then that identity should be granted necessary permissions on the database resources. Follow that route please. IUSR is the built-in anonymous account, and its usage should be minimized (and should not be used if you don't need it at all). - Lex Li

1 Answer

0
votes

For anyone having this problem now, note that the BUILTIN\ part is not needed when entering the object name IIS_IUSRS. Including it produces the error that the OP encountered.

Also ensure that the search parameters are set correctly. IIS_IUSRS is a local machine group, so by default it may not be found until the location and object type parameters are tweaked. More info here.
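The comments above recommend granting database access to an individual application pool identity rather than to IIS_IUSRS or IUSR. The T-SQL below is an added example, not part of the original question, comments or answer. The pool name `MyCoreAppPool` and database name `MyAppDb` are hypothetical placeholders, and it assumes the connection string uses Windows integrated authentication.

```sql
-- Added example. MyCoreAppPool and MyAppDb are hypothetical names;
-- substitute the application pool and database actually in use.

-- 1. Audit: list any server logins already mapped to the broad IIS principals.
--    [_] matches a literal underscore (a bare _ is a LIKE wildcard).
SELECT name, type_desc, create_date
FROM sys.server_principals
WHERE name LIKE N'%\IIS[_]IUSRS'
   OR name LIKE N'%\IUSR';

-- 2. Create a login for a single pool's identity instead of the group.
--    The name is typed directly here rather than picked in the search dialog.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'IIS APPPOOL\MyCoreAppPool')
    CREATE LOGIN [IIS APPPOOL\MyCoreAppPool] FROM WINDOWS;
GO

USE MyAppDb;
GO

-- 3. Map the login to a database user.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'IIS APPPOOL\MyCoreAppPool')
    CREATE USER [IIS APPPOOL\MyCoreAppPool]
        FOR LOGIN [IIS APPPOOL\MyCoreAppPool];

-- 4. Grant read/write on data only, not db_owner.
ALTER ROLE db_datareader ADD MEMBER [IIS APPPOOL\MyCoreAppPool];
ALTER ROLE db_datawriter ADD MEMBER [IIS APPPOOL\MyCoreAppPool];

-- 5. Audit: show current db_owner members so broad grants
--    (for example one made to IUSR) can be reviewed.
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';
```

The `GO` separators are for SSMS or sqlcmd. If the app needs schema changes at deploy time, grant those to a separate deployment principal rather than widening the pool identity's roles.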