IIS 6.0 Isolation Mode and ASP.NET worker process identity

A client ran into an intriguing problem the other day.  The application under development has a number of web services that get deployed onto one server or another as different versions are released for client testing.  Underneath the services, LDAP is used to store roles, preferences and other flotsam and jetsam as needed.  In order to gain access to this information, the IIS_WPG group is given read access to LDAP.  Relatively straightforward.

The problem arose when the current version was deployed onto a new machine.  Instead of being able to connect to LDAP, an exception was being thrown.  The ASPNET worker process didn't have access to LDAP.  We were able to connect to the LDAP server, but attempts to negotiate access were being denied.

Four heads are now being scratched.  We removed and re-added the IIS_WPG user to LDAP.  We did a couple of IISResets to make sure the security context wasn't being cached.  We checked the SID included as the DN for the IIS_WPG group to make sure nothing had been installed incorrectly.  Nothing.  We then gave Everyone access to LDAP.  The service started working again.  So we knew it had something to do with permissions.

In a fit of, well, desperation, we gave permission for the ASPNET user to access LDAP.  Wouldn't you know it.  Things worked again.  But this was unexpected.  One of the things that changed with IIS 6.0 was that ASPNET was no longer the identity under which the worker process runs.  Wasn't it?

As it turns out, the real answer is "it depends".  If you install IIS 6.0 freshly, then IIS_WPG is the group to which you should assign the permissions you want ASP.NET to have.  That is to say, IIS 6.0 runs in Worker Process Isolation Mode.  However, if (and this is the 'if' that caught us) you upgrade from IIS 5.0 to 6.0, the ASPNET user is still the security context for the ASP.NET process.  This can be modified by changing the isolation mode in IIS.  Quite easy, if you know how.  The trick, as we found out, was knowing that we even had to.
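A quick way to settle the question on a given box is a throwaway diagnostic page that reports which account the request actually runs under and which isolation mode the W3SVC metabase says is in effect.  This is an added example, not the post's own code; it assumes the page is dropped into the affected application with impersonation off, that IIS_WPG is the local group of that name (qualified with the machine name), and that the worker process is allowed to read the metabase node IIS://localhost/W3SVC.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Security.Principal" %>
<%@ Import Namespace="System.DirectoryServices" %>
<script runat="server">
    // Builds a plain-text report of the identity this request runs under and
    // of the IIs5IsolationModeEnabled metabase flag at the W3SVC level.
    string BuildReport()
    {
        // With impersonation off this is the worker process identity
        // (e.g. NETWORK SERVICE or ASPNET); with impersonation on it would be the caller.
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        WindowsPrincipal p = new WindowsPrincipal(id);

        // IIS_WPG is a local group, so qualify it with the machine name (assumption).
        string wpg = Environment.MachineName + @"\IIS_WPG";

        string report = "Process identity: " + id.Name + "\n";
        report += "Member of " + wpg + ": " + p.IsInRole(wpg) + "\n";

        try
        {
            using (DirectoryEntry svc = new DirectoryEntry("IIS://localhost/W3SVC"))
            {
                object mode = svc.Properties["IIs5IsolationModeEnabled"].Value;
                bool iis5Mode = mode != null && Convert.ToBoolean(mode);
                report += "IIs5IsolationModeEnabled: " + iis5Mode + "\n";
                report += iis5Mode
                    ? "IIS 5.0 isolation mode: ASP.NET runs under the processModel account (normally ASPNET), so that is the account that needs the LDAP rights.\n"
                    : "Worker process isolation mode: the application pool identity (a member of IIS_WPG) needs the LDAP rights.\n";
            }
        }
        catch (Exception ex)
        {
            // Reading the metabase needs rights the worker process may not have.
            report += "Could not read metabase: " + ex.Message + "\n";
        }
        return report;
    }

    void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";
        Response.Write(BuildReport());
    }
</script>
```

Remove the page once the check is done; it exposes the service account name to anyone who can request it.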