Creating Additional Portal Site Application Pools for SharePoint Portal Server 2003
 

By Emily Schroeder, Microsoft Corporation

Introduction

An application pool is a configuration in Internet Information Services (IIS) that links one or more applications to a set of one or more worker processes. Because worker process boundaries separate applications in an application pool from other applications, problems caused by applications in one application pool do not affect applications in another application pool.

By creating new application pools and assigning Web sites and applications to them, you can isolate portal sites and help enhance security between them while maintaining the availability of your other applications. For example:

  • If one application pool identity is compromised, and Microsoft Office SharePoint Portal Server 2003 uses only one application pool, the administrator must disable all portal sites on the server. However, if the server farm administrator creates an application pool for each portal site and uses different application pool identities, the compromise of one application pool identity affects only one portal site, not all portal sites. Companies that provide SharePoint Portal Server services to other parties might want to create additional application pools, with separate application pool identities, to help enhance security.

     Note   When you create separate application pools, you can no longer manage the credentials by using the Configure Server Farm Account Settings page. Specifying the application pool identity of the portal site on this page applies only to MSSharePointPortalAppPool. You must use IIS Manager to manage any new application pools.

  • IIS shuts down an application pool if its processes falter several times. If all portal sites share an application pool and IIS shuts down that application pool, none of the sites will be operational. Using multiple application pools helps ensure reliability. The server farm administrator might want to create one application pool for the parent portal site and another application pool for all of the child portal sites to enhance reliability of the sites. Both application pools could use the same application pool identity.
  • If the server farm hosts more than 50 portal sites, you must create additional application pools so that no single application pool is shared by more than 50 portal sites. All application pools could use the same application pool identity.

Note that having multiple application pools increases memory usage. Each portal site with its own application pool uses approximately 150 megabytes (MB) of memory. When portal sites share an application pool, the first portal site uses approximately 150 MB, and each additional portal site uses 15 MB to 30 MB.
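
The trade-offs above can be checked against a planned layout before any application pools are created. The following Python script is an added example, not part of the original article: the pool names other than MSSharePointPortalAppPool, the CONTOSO accounts, and the site names are constructed, and the limit and memory figures are the approximate values quoted on this page.

```python
from collections import defaultdict

MAX_SITES_PER_POOL = 50   # limit stated on this page
FIRST_SITE_MB = 150       # approximate figure from this page
EXTRA_SITE_MB = (15, 30)  # approximate range for each additional site in a pool

# Constructed sample plan: pool name -> (application pool identity, portal sites).
PLAN = {
    "MSSharePointPortalAppPool": ("CONTOSO\\spsParent", ["parent"]),
    "ChildPortalsPool": ("CONTOSO\\spsParent", ["hr", "finance", "legal"]),
    "TenantAPool": ("CONTOSO\\spsTenantA", ["tenant-a"]),
}


def pool_memory_mb(site_count):
    """Return the (low, high) memory estimate in MB for one application pool."""
    if site_count <= 0:
        return (0, 0)
    extra = site_count - 1
    return (FIRST_SITE_MB + extra * EXTRA_SITE_MB[0],
            FIRST_SITE_MB + extra * EXTRA_SITE_MB[1])


def audit(plan):
    """Check a pool layout against the limit, memory cost and identity sharing."""
    oversized, low, high = [], 0, 0
    sites_by_identity = defaultdict(set)
    pools_by_identity = defaultdict(list)
    for pool, (identity, sites) in plan.items():
        if len(sites) > MAX_SITES_PER_POOL:
            oversized.append(pool)
        lo, hi = pool_memory_mb(len(sites))
        low, high = low + lo, high + hi
        sites_by_identity[identity].update(sites)
        pools_by_identity[identity].append(pool)
    return {
        "oversized_pools": sorted(oversized),
        "memory_mb": (low, high),
        # Portal sites that must be disabled if this identity is compromised.
        # The shared configuration database is not modelled here.
        "blast_radius": {i: sorted(s) for i, s in sites_by_identity.items()},
        # Pools separated for reliability only, not for security.
        "shared_identities": {i: sorted(p) for i, p in pools_by_identity.items()
                              if len(p) > 1},
    }


if __name__ == "__main__":
    for key, value in audit(PLAN).items():
        print(f"{key}: {value}")
```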

By default, SharePoint Portal Server 2003 creates a single application pool, named MSSharePointPortalAppPool, that hosts all virtual servers on which portal sites are created. Although this default setting is sufficient for many customers, others may want to move the virtual servers into separate application pools. For example, moving the virtual servers into separate application pools could be a requirement for customers who provide hosting services to different clients by using the same SharePoint Portal Server 2003 server farm. You can separate portal sites into different security contexts by specifying unique identities for each application pool.

 Note   Each portal site still has the db_owner database role on the configuration database and can affect other portal sites in the server farm by writing to the configuration database.

The process for creating and using application pools is as follows:

  1. Create the application pool.
  2. Specify the identity for the application pool.
  3. Add the identity for the application pool to the IIS_WPG, SPS_WPG, and STS_WPG groups.
  4. Grant database permissions to the account.
  5. Remove database permissions from the old account.
  6. Grant search access to the account.
  7. Move the virtual server to the new application pool.