Changing the Application Pool Identity for a Virtual Server

If you need to change the application pool identity for the SharePoint Central Administration virtual server or for a content virtual server, you can do so from within Microsoft Internet Information Services (IIS). When you change the SharePoint Central Administration application pool identity in IIS, you must also change the information for the Microsoft SharePoint Timer service, so you do not lose your connection to the configuration and content databases for Microsoft Windows SharePoint Services.

 Note   Windows SharePoint Services Service Pack 2 (SP2) provides support for NTLM and Kerberos authentication. If you use Kerberos authentication, you will need to configure a service principal name (SPN). For more information about application pool identity, see Installation Considerations for Windows SharePoint Services. For information about identifying authentication issues by using the Auth Diagnostics tool, see Troubleshooting Other Issues.

To change the application pool identity for SharePoint Central Administration and one or more content virtual servers, you must perform the following steps:

  1. Grant the appropriate database permissions to the new identity or identities.
  2. Change the database ownership and permissions for the configuration and content databases.
  3. Add the new accounts to the STS_WPG and IIS_WPG groups and verify that the IIS_WPG group has Read and Write permissions to the content area of the virtual server.
  4. Update the application pools in IIS and synchronize the SharePoint Timer Service with the new account information.

Granting Database Permissions and Changing Database Ownership

Before you change the identity, you must ensure that the application pool account you use has the appropriate permissions for your databases in Microsoft SQL Server. To work correctly, the application pool account must be a member of the following server roles in SQL Server: Security Administrators (securityadmin) and Database Creators (dbcreator). If you are changing the Administration virtual server and one or more content virtual servers to different accounts, you must perform the following procedure for each account.

The steps for granting database creation rights differ between SQL Server 2000 and SQL Server 2005, as detailed in the following procedures.

Grant database creation rights in SQL Server 2000
  1. On your SQL Server computer, click Start, point to All Programs, point to Microsoft SQL Server, and then click Enterprise Manager.
  2. In Enterprise Manager, click the plus sign (+) next to Microsoft SQL Servers, click the plus sign (+) next to SQL Server Group, and then click the plus sign next to your SQL Server.
  3. Click the plus sign (+) next to Security, right-click Logins, and then click New Login.
  4. In the Name box, type the account in the form DOMAIN\name.
  5. On the SQL Server Login Properties – New Login page, click the Server Roles tab.
  6. In the Server Role list, select the Security Administrators and Database Creators check boxes, and then click OK.

 Note   Do not specify any databases for this login on the Database Access tab.

Proceed to Changing Database Ownership and Permissions.

Grant database creation rights in SQL Server 2005

If you have used a domain account that does not already have database creation rights in SQL Server, you can give the account this access using SQL Server Management Studio. This is a one-time-only change. After you have granted database creation rights to the account used by the Windows SharePoint Services administration virtual server, this account can create databases for any subsequent virtual servers.

  1. On your server computer, click Start, point to All Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  2. On the Connect to Server screen, select the name of the local server from the Server name drop-down list.
  3. Select Windows Authentication from the Authentication drop-down list and then click Connect.
  4. In Object Explorer, click the plus sign (+) next to Security.
  5. Right-click Logins, and then click New Login.
  6. In the Login – New screen, in the Login name box, type the account in the form of DOMAIN\accountname.
  7. In the Select a page section, click Server Roles.
  8. In the Server roles list, select the securityadmin and dbcreator check boxes, and then click OK.

Changing Database Ownership and Permissions

After you have granted the appropriate database creation rights in SQL Server, the next step is to change the database ownership and permissions for the configuration and content databases. The steps for changing the database ownership and permissions differ between SQL Server 2000 and SQL Server 2005, as detailed in the following procedures.

Change the database ownership and permissions for the configuration database in SQL Server 2000
  1. On the database server, click Start, point to All Programs, point to Microsoft SQL Server, and then click Query Analyzer.
  2. In the Connect to SQL Server dialog box, in the SQL Server box, type the server name, and then click OK.
  3. On the Query menu, click Change Database.
  4. In the Select Database of server_name box, click the configuration database (sts_config), and then click OK.
  5. In the Query pane, type the following query.
DECLARE @AdminVSAccount nvarchar(255);    -- Central Administration application pool account
DECLARE @ContentVSAccount nvarchar(255);  -- content virtual server application pool account
SET @ContentVSAccount = N'domain\contentaccount';
SET @AdminVSAccount = N'domain\adminaccount';
-- Create a SQL Server login for the content account (the admin account already has one from the previous procedure)
EXEC sp_grantlogin @ContentVSAccount;
-- Make the admin account the owner (dbo) of the configuration database
EXEC sp_changedbowner @AdminVSAccount;
-- Map the content account into the database if it is not already a user, then grant it db_owner
IF NOT EXISTS (SELECT * FROM sysusers WHERE name = @ContentVSAccount)
    EXEC sp_grantdbaccess @ContentVSAccount;
EXEC sp_addrolemember 'db_owner', @ContentVSAccount;
-- Server roles the admin account needs to create databases and manage logins
EXEC sp_addsrvrolemember @AdminVSAccount, 'dbcreator';
EXEC sp_addsrvrolemember @AdminVSAccount, 'securityadmin';

 Note   In the query, replace domain\contentaccount and domain\adminaccount with the domain account for the content virtual server and the domain account for the SharePoint Central Administration virtual server, respectively. If the accounts are the same, SQL Query Analyzer will display an error, but the process will still succeed.

  7. Click the Execute Query button to update the database.

Proceed to Change the database ownership and permissions for the content databases in SQL Server 2000.

Change the database ownership and permissions for the configuration database in SQL Server 2005
  1. On the server running SQL Server 2005, click Start, point to All Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  2. On the Connect to Server screen, select the name of the local server from the Server name drop-down list.
  3. Select Windows Authentication from the Authentication drop-down list and then click Connect.
  4. In Object Explorer, click the plus sign (+) next to the Databases node.
  5. Right-click the configuration database (STS_Config, by default) and then click New Query.
  6. In the Query pane, type the following query.
DECLARE @AdminVSAccount nvarchar(255);    -- Central Administration application pool account
DECLARE @ContentVSAccount nvarchar(255);  -- content virtual server application pool account
SET @ContentVSAccount = N'domain\contentaccount';
SET @AdminVSAccount = N'domain\adminaccount';
-- Create a SQL Server login for the content account (the admin account already has one from the previous procedure)
EXEC sp_grantlogin @ContentVSAccount;
-- Make the admin account the owner (dbo) of the configuration database
EXEC sp_changedbowner @AdminVSAccount;
-- Map the content account into the database if it is not already a user, then grant it db_owner
IF NOT EXISTS (SELECT * FROM sysusers WHERE name = @ContentVSAccount)
    EXEC sp_grantdbaccess @ContentVSAccount;
EXEC sp_addrolemember 'db_owner', @ContentVSAccount;
-- Server roles the admin account needs to create databases and manage logins
EXEC sp_addsrvrolemember @AdminVSAccount, 'dbcreator';
EXEC sp_addsrvrolemember @AdminVSAccount, 'securityadmin';

 Note   In lines 3 and 4 of the query, replace domain\contentaccount and domain\adminaccount with the domain account for the content virtual server and the domain account for the SharePoint Central Administration virtual server, respectively. If the accounts are the same, SQL Query Analyzer will display an error, but the process will still succeed.

  7. On the toolbar, click the Execute button to run the query and update the database.

Proceed to Change the database ownership and permissions for the content databases in SQL Server 2005.

Change the database ownership and permissions for the content databases in SQL Server 2000
  1. On the database server, click Start, point to All Programs, point to Microsoft SQL Server, and then click Query Analyzer.
  2. In the Connect to SQL Server dialog box, in the SQL Server box, type the server name, and then click OK.
  3. On the Query menu, click Change Database.
  4. In the Select Database of server_name box, click the content database you want to update, and then click OK.
  5. In the Query pane, type the following query.
DECLARE @AdminVSAccount nvarchar(255);    -- Central Administration application pool account
DECLARE @ContentVSAccount nvarchar(255);  -- content virtual server application pool account
SET @ContentVSAccount = N'domain\contentaccount';
SET @AdminVSAccount = N'domain\adminaccount';
-- Create SQL Server logins for both accounts (no error if a login already exists)
EXEC sp_grantlogin @ContentVSAccount;
EXEC sp_grantlogin @AdminVSAccount;
-- Make the admin account the owner (dbo) of this content database
EXEC sp_changedbowner @AdminVSAccount;
-- Map the content account into the database if it is not already a user, then grant it db_owner
IF NOT EXISTS (SELECT * FROM sysusers WHERE name = @ContentVSAccount)
    EXEC sp_grantdbaccess @ContentVSAccount;
EXEC sp_addrolemember 'db_owner', @ContentVSAccount;

 Note   In the query, replace domain\contentaccount and domain\adminaccount with the domain account for the content virtual server and the domain account for the SharePoint Central Administration virtual server, respectively. If the accounts are the same, SQL Query Analyzer will display an error, but the process will still succeed.

  6. Click the Execute Query button to update the database.

Proceed to Adding Accounts to the STS_WPG and IIS_WPG Groups and Verifying Permissions.

Change the database ownership and permissions for the content databases in SQL Server 2005
  1. On the server running SQL Server 2005, click Start, point to All Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  2. On the Connect to Server screen, select the name of the local server from the Server name drop-down list.
  3. Select Windows Authentication from the Authentication drop-down list and then click Connect.
  4. In Object Explorer, click the plus sign (+) next to the Databases node.
  5. Right-click the content database you want to configure and then click New Query.

 Note   By default, the content database is named STS_<Servername>_1.

  6. In the Query pane, type the following query.
DECLARE @AdminVSAccount nvarchar(255);    -- Central Administration application pool account
DECLARE @ContentVSAccount nvarchar(255);  -- content virtual server application pool account
SET @ContentVSAccount = N'domain\contentaccount';
SET @AdminVSAccount = N'domain\adminaccount';
-- Create SQL Server logins for both accounts (no error if a login already exists)
EXEC sp_grantlogin @ContentVSAccount;
EXEC sp_grantlogin @AdminVSAccount;
-- Make the admin account the owner (dbo) of this content database
EXEC sp_changedbowner @AdminVSAccount;
-- Map the content account into the database if it is not already a user, then grant it db_owner
IF NOT EXISTS (SELECT * FROM sysusers WHERE name = @ContentVSAccount)
    EXEC sp_grantdbaccess @ContentVSAccount;
EXEC sp_addrolemember 'db_owner', @ContentVSAccount;

 Note   In the query, replace domain\contentaccount and domain\adminaccount with the domain account for the content virtual server and the domain account for the SharePoint Central Administration virtual server, respectively. If the accounts are the same, SQL Query Analyzer will display an error, but the process will still succeed.

  7. On the toolbar, click the Execute button to run the query and update the database.
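The four queries above change ownership and role membership but give you no confirmation of the end state. The following PowerShell script is an added example, not part of the original article, that reads back what those queries should have produced for each database: the owner is the Central Administration account, the content account is a db_owner member, and the admin account holds dbcreator and securityadmin. It uses only catalog objects and functions that exist on both SQL Server 2000 and SQL Server 2005 (sysdatabases, sysusers, sysmembers, IS_SRVROLEMEMBER). The server, database and account names are placeholders; the case where both virtual servers use the same account (which the notes say raises an error but succeeds) is handled, because that account is then mapped as dbo rather than under its own name.

```powershell
# Added example (not from the original article): verify the result of the
# ownership queries. Server, database and account names are placeholders;
# run under a Windows login that can read the listed databases.
$Server         = 'SQLSERVER01'                # placeholder
$AdminAccount   = 'DOMAIN\adminaccount'        # Central Administration identity (placeholder)
$ContentAccount = 'DOMAIN\contentaccount'      # content virtual server identity (placeholder)
$Databases      = 'STS_Config', 'STS_WEB01_1'  # config db plus each content db (placeholders)

function Invoke-Scalar([System.Data.SqlClient.SqlConnection]$Conn, [string]$Sql, [hashtable]$Params) {
    # Run one parameterized query and return its single value
    $cmd = $Conn.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($name in $Params.Keys) { [void]$cmd.Parameters.AddWithValue($name, $Params[$name]) }
    return $cmd.ExecuteScalar()
}

# Compatibility views available on SQL Server 2000 and 2005
$OwnerSql = 'SELECT SUSER_SNAME(sid) FROM master.dbo.sysdatabases WHERE name = DB_NAME()'
$RoleSql  = @'
SELECT COUNT(*) FROM sysmembers m
  JOIN sysusers r ON r.uid = m.groupuid
  JOIN sysusers u ON u.uid = m.memberuid
 WHERE r.name = 'db_owner' AND u.name = @acct
'@
$SrvRoleSql = "SELECT ISNULL(IS_SRVROLEMEMBER('dbcreator', @acct), 0) + ISNULL(IS_SRVROLEMEMBER('securityadmin', @acct), 0)"

function Test-SharePointDbPermissions([string]$Database) {
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Database=$Database;Integrated Security=SSPI")
    $conn.Open()
    try {
        # 1. Owner must be the Central Administration account (sp_changedbowner)
        $owner = Invoke-Scalar $conn $OwnerSql @{}

        # 2. Content account must be in db_owner (sp_grantdbaccess + sp_addrolemember).
        #    If both identities are the same account it is mapped as "dbo", not under
        #    its own name, so ownership alone proves its access.
        if ($ContentAccount -eq $AdminAccount) {
            $contentIsDbOwner = ($owner -eq $AdminAccount)
        } else {
            $n = Invoke-Scalar $conn $RoleSql @{ '@acct' = $ContentAccount }
            $contentIsDbOwner = ([int]$n -gt 0)
        }

        # 3. Admin account must hold both server roles (sp_addsrvrolemember); 2 = both present
        $srv = Invoke-Scalar $conn $SrvRoleSql @{ '@acct' = $AdminAccount }
    } finally {
        $conn.Close()
    }
    New-Object PSObject -Property @{
        Database         = $Database
        Owner            = $owner
        OwnerIsAdmin     = ($owner -eq $AdminAccount)
        ContentIsDbOwner = $contentIsDbOwner
        AdminServerRoles = ([int]$srv -eq 2)
    }
}

$Databases | ForEach-Object { Test-SharePointDbPermissions $_ } |
    Format-Table Database, Owner, OwnerIsAdmin, ContentIsDbOwner, AdminServerRoles -AutoSize
```

Any row showing False points at the database whose query did not complete; rerun that procedure against it before moving on to the group and IIS changes, since the application pool will otherwise fail to reach the database once its identity is switched.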

Adding Accounts to the STS_WPG and IIS_WPG Groups and Verifying Permissions

You must add the new accounts to the STS_WPG and IIS_WPG groups on all front-end Web servers in your server farm. These groups control access to the IIS metabase, the SharePoint connection string to SQL Server, and other required directories and files. For more information about adding accounts to groups, see the Microsoft Windows Server 2003 Help system.

The IIS_WPG group must have Read and Write permissions to the content area of the virtual server. For example, if the content virtual server points to c:\inetpub\wwwroot, you must grant the IIS_WPG group Read and Write permissions to this directory. For more information about granting permissions to directories, see the Windows Server 2003 Help system.
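Because the group membership and the directory permissions must hold on every front-end Web server, a repeatable check is more reliable than inspecting each server by hand. The script below is an added example, not part of the original article: it reads the local STS_WPG and IIS_WPG membership through the WinNT ADSI provider and evaluates the NTFS ACL on the content root for an Allow entry carrying Read and Write for IIS_WPG. The account name is a placeholder; the path is the article's own example. Deny entries for IIS_WPG are treated as overriding, as NTFS does.

```powershell
# Added example (not from the original article): run on each front-end Web
# server to confirm group membership and content-root permissions.
$NewIdentity = 'DOMAIN\contentaccount'   # placeholder: the new application pool account
$ContentRoot = 'C:\inetpub\wwwroot'      # content area from the article's example

function Get-LocalGroupMembers([string]$GroupName) {
    # WinNT ADSI provider; each member's ADsPath looks like WinNT://DOMAIN/name
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'   # -> DOMAIN\name
    }
}

function Test-WpgMembership([string]$Account) {
    foreach ($g in 'STS_WPG', 'IIS_WPG') {
        $members = @(Get-LocalGroupMembers $g)
        New-Object PSObject -Property @{
            Group    = $g
            Account  = $Account
            IsMember = ($members -contains $Account)   # case-insensitive comparison
        }
    }
}

function Test-ContentRootAcl([string]$Path) {
    $fsr     = [System.Security.AccessControl.FileSystemRights]
    $needed  = [int]($fsr::Read -bor $fsr::Write)
    $allowed = 0
    $denied  = 0
    foreach ($ace in (Get-Acl $Path).Access) {
        # Local group shows as COMPUTERNAME\IIS_WPG
        if ($ace.IdentityReference.Value -notlike '*\IIS_WPG') { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allowed = $allowed -bor [int]$ace.FileSystemRights }
        else                                    { $denied  = $denied  -bor [int]$ace.FileSystemRights }
    }
    # Modify and FullControl contain Read and Write, so they satisfy the check too.
    # Generic-rights entries (negative values) are not expanded here.
    New-Object PSObject -Property @{
        Path         = $Path
        HasReadWrite = ((($allowed -band $needed) -eq $needed) -and (($denied -band $needed) -eq 0))
    }
}

Test-WpgMembership $NewIdentity | Format-Table Group, Account, IsMember -AutoSize
Test-ContentRootAcl $ContentRoot | Format-List
```

Run it once per front-end server (or from a loop over the farm's server names with remote ADSI paths) before changing the pool identity; a missing group membership shows up only after the switch, as metabase or database access failures in the event log.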

Updating the Application Pools and Synchronizing the SharePoint Timer Service

To change the application pool identity for the SharePoint Central Administration virtual server or for a content virtual server, you use Internet Information Services (IIS) Manager. If you have changed the identity for SharePoint Central Administration, you must also synchronize the SharePoint Timer Service to use the new identity.

Update the SharePoint Central Administration application pool in IIS
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Click the plus sign next to your server name.
  3. Click the plus sign next to Web Sites.
  4. Right-click SharePoint Central Administration, and then click Properties.
  5. Click the Home Directory tab.
  6. Make a note of the application pool name in the Application pool box, and then click Cancel.
  7. Click the plus sign next to Application Pools.
  8. Right-click the application pool that needs to be updated, and then click Properties.
  9. In the "Application Pool ID" Properties dialog box, click the Identity tab.
  10. Under Application pool identity, verify that Configurable is selected, and then in the User name box, type the new account to use.
  11. In the Password box, type the password for the new account, and then click OK.

After you have reset the application pool identity, you must restart IIS. To restart IIS, run iisreset on the command line.

Synchronize the SharePoint Timer Service with the new account information
  1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Central Administration.
  2. On the SharePoint Central Administration page, under Server Configuration, click Configure virtual server for central administration.
  3. Select Use an existing application pool, and then select the application pool you just updated with the new account for SharePoint Central Administration.
  4. Click OK.

After you have reset the application pool identity, you must restart IIS. To restart IIS, run iisreset on the command line.

Update the content virtual server application pool in IIS
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Click the plus sign next to your server name.
  3. Click the plus sign next to Web Sites.
  4. Right-click the virtual server you need to update, and then click Properties.
  5. Click the Home Directory tab.
  6. Make a note of the application pool name in the Application pool box, and then click Cancel.
  7. Click the plus sign next to Application Pools.
  8. Right-click the application pool that needs to be updated, and then click Properties.
  9. In the "Application Pool ID" Properties dialog box, click the Identity tab.
  10. Under Application pool identity, verify that Configurable is selected, and then in the User name box, type the new account to use.
  11. In the Password box, type the password for the new account, and then click OK.

After you have reset the application pool identity, you must restart IIS. To restart IIS, run iisreset on the command line.
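Once iisreset has run, it is worth confirming from the metabase rather than from the dialog that the pool now uses the intended account, and that no pool was left on a built-in high-privilege identity. The script below is an added example, not part of the original article; it reads application pool settings through the IIS 6.0 WMI provider (namespace root\MicrosoftIISv2, class IIsApplicationPoolSetting) and compares the SharePoint Timer service logon account against the Central Administration pool account the synchronization step should have applied. The pool and account names are placeholders, and the Timer service is matched by its display name rather than by an assumed service name.

```powershell
# Added example (not from the original article): verify IIS 6.0 application
# pool identities after iisreset. Pool and account names are placeholders.
$ExpectedPool    = 'MSSharePointAppPool'   # placeholder: the name noted in step 6
$ExpectedAccount = 'DOMAIN\adminaccount'   # placeholder: new Central Administration identity

# IIS 6.0 AppPoolIdentityType values
$IdentityTypeName = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }

function Get-IisAppPoolIdentity {
    Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting |
      ForEach-Object {
        $type = [int]$_.AppPoolIdentityType
        if ($type -eq 3) { $account = $_.WAMUserName } else { $account = $IdentityTypeName[$type] }
        New-Object PSObject -Property @{
            Pool          = ($_.Name -replace '^W3SVC/AppPools/', '')
            IdentityType  = $IdentityTypeName[$type]
            Account       = $account
            # A pool on LocalSystem runs web code with full control of the server
            HighPrivilege = ($type -eq 0)
        }
      }
}

function Test-ExpectedIdentity {
    $pool = Get-IisAppPoolIdentity | Where-Object { $_.Pool -eq $ExpectedPool }
    # Matched by display name; StartName is the logon account of the service
    $svc  = Get-WmiObject Win32_Service -Filter "DisplayName LIKE 'SharePoint Timer%'"
    New-Object PSObject -Property @{
        PoolFound           = ($pool -ne $null)
        PoolUsesAccount     = ($pool -ne $null -and $pool.Account -eq $ExpectedAccount)
        TimerServiceFound   = ($svc -ne $null)
        TimerServiceAccount = $svc.StartName
        TimerMatchesPool    = ($svc -ne $null -and $svc.StartName -eq $ExpectedAccount)
    }
}

Get-IisAppPoolIdentity | Format-Table Pool, IdentityType, Account, HighPrivilege -AutoSize
Test-ExpectedIdentity  | Format-List
```

If PoolUsesAccount is True but TimerMatchesPool is False, the IIS change took effect but the synchronization step in SharePoint Central Administration was skipped or applied to a different pool; repeat that procedure and run iisreset again.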

Applies to:
Deployment Center 2003