Changing the Application Pool Identity for a Virtual Server

If you need to change the application pool identity for the SharePoint Central Administration virtual server or for a content virtual server, you can do so from within Microsoft Internet Information Services (IIS). When you change the SharePoint Central Administration application pool identity in IIS, you must also change the information for the Microsoft SharePoint Timer service, so you do not lose your connection to the configuration and content databases for Microsoft .

To change the application pool identity for SharePoint Central Administration and one or more content virtual servers, you must perform the following steps:

  1. Grant the appropriate database permissions to the new identity or identities and change the database owner for the configuration and content databases.

  2. Add the new accounts to the STS_WPG and IIS_WPG groups and verify that the IIS_WPG group has Read and Write permissions to the content area of the virtual server.

  3. Update the application pools in IIS and synchronize the SharePoint Timer Service with the new account information.

Granting Database Permissions and Changing Database Ownership

Before you change the identity, you must ensure that the application pool account you use has the appropriate permissions for your databases in Microsoft SQL Server. To work correctly, the application pool account must be a member of the following roles for your databases in SQL Server: Security Administrators and Database Creators. If you are changing the Administration virtual server and one or more content virtual servers to different accounts, you must perform the following procedure for each account.

Grant Database Creation Rights in SQL Server

  1. On your SQL Server computer, click Start, point to Programs, point to Microsoft SQL Server, and then click Enterprise Manager.

  2. In Enterprise Manager, click the plus sign (+) next to Microsoft SQL Servers, click the plus sign (+) next to SQL Server Group, and then click the plus sign next to your SQL Server.

  3. Click the plus sign (+) next to Security, and then right-click Logins, and click New Login.

  4. In the Name box, type the account in the form DOMAIN\name.

  5. Click the Server Roles tab.

  6. In the Server Role list, select the Security Administrators and Database Creators check boxes, and then click OK.

    Note: Do not specify any databases for this login on the Database Access tab.

Change the database ownership and permissions for the configuration database

  1. On the database server, click Start, point to All Programs, point to Microsoft SQL Server, and then click Query Analyzer.

  2. In the Connect to SQL Server dialog box, in the SQL Server box, type the server name, and then click OK.

  3. On the Query menu, click Change Database.

  4. In the Select Database of server_name box, click the configuration database (sts_config), and then click OK.

  5. In the Query pane, type the following query.

```sql
DECLARE @AdminVSAccount nvarchar(255)
DECLARE @ContentVSAccount nvarchar(255)
SET @ContentVSAccount = N'domain\contentaccount';
SET @AdminVSAccount = N'domain\adminaccount';
-- Create a SQL Server login for the content account.
EXEC sp_grantlogin @ContentVSAccount;
-- Make the administration account the owner of the current database.
EXEC sp_changedbowner @AdminVSAccount;
-- Add the content account as a database user if it is missing, then add it to db_owner.
IF NOT EXISTS (SELECT * FROM sysusers WHERE name=@ContentVSAccount) EXEC sp_grantdbaccess @ContentVSAccount;
EXEC sp_addrolemember 'db_owner', @ContentVSAccount;
-- Add the administration account to the dbcreator and securityadmin server roles.
EXEC sp_addsrvrolemember @AdminVSAccount, 'dbcreator'
EXEC sp_addsrvrolemember @AdminVSAccount, 'securityadmin'
```

**Note:** In lines 3 and 4, replace *domain\\contentaccount* and *domain\\adminaccount* with the domain account for the content virtual server and the domain account for the SharePoint Central Administration virtual server. If the accounts are the same, SQL Query Analyzer will display an error, but the process will still succeed.

  6. Click the Execute Query button to update the database.

Change the database ownership and permissions for the content databases

  1. On the database server, click Start, point to All Programs, point to Microsoft SQL Server, and then click Query Analyzer.

  2. In the Connect to SQL Server dialog box, in the SQL Server box, type the server name, and then click OK.

  3. On the Query menu, click Change Database.

  4. In the Select Database of server_name box, click the content database you want to update, and then click OK.

  5. In the Query pane, type the following query.

```sql
DECLARE @AdminVSAccount nvarchar(255)
DECLARE @ContentVSAccount nvarchar(255)
SET @ContentVSAccount = N'domain\contentaccount';
SET @AdminVSAccount = N'domain\adminaccount';
-- Create SQL Server logins for both accounts.
EXEC sp_grantlogin @ContentVSAccount;
EXEC sp_grantlogin @AdminVSAccount;
-- Make the administration account the owner of the current database.
EXEC sp_changedbowner @AdminVSAccount;
-- Add the content account as a database user if it is missing, then add it to db_owner.
IF NOT EXISTS (SELECT * FROM sysusers WHERE name=@ContentVSAccount) EXEC sp_grantdbaccess @ContentVSAccount;
EXEC sp_addrolemember 'db_owner', @ContentVSAccount;
```

**Note:** In lines 3 and 4, replace *domain\\contentaccount* and *domain\\adminaccount* with the domain account for the content virtual server and the domain account for the SharePoint Central Administration virtual server. If the accounts are the same, SQL Query Analyzer will display an error, but the process will still succeed.

  6. Click the Execute Query button to update the database.
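
The following query is an added example, not part of the original procedure. It confirms the result of the two scripts above (database owner, db_owner membership, and server roles) and also reports sysadmin membership so you can see whether an account holds more than the roles this page calls for. It assumes the SQL Server 2000-era system tables used on this page (sysusers, sysmembers, master.dbo.sysdatabases) and the same placeholder account names; run it in each configuration or content database you updated.

```sql
DECLARE @AdminVSAccount nvarchar(255)
DECLARE @ContentVSAccount nvarchar(255)
SET @ContentVSAccount = N'domain\contentaccount';  -- placeholder, as in the scripts above
SET @AdminVSAccount = N'domain\adminaccount';      -- placeholder, as in the scripts above

-- 1. The current database should be owned by the administration account.
SELECT DB_NAME() AS database_name,
       SUSER_SNAME(d.sid) AS current_owner,
       CASE WHEN SUSER_SNAME(d.sid) = @AdminVSAccount
            THEN 'OK' ELSE 'MISMATCH' END AS owner_check
FROM master.dbo.sysdatabases d
WHERE d.name = DB_NAME();

-- 2. The content account should be a database user in the db_owner role.
--    One row means the membership exists. No rows is expected only when
--    both accounts are the same, because that account is then dbo itself.
SELECT u.name AS database_user, r.name AS role_name
FROM sysmembers m
JOIN sysusers u ON u.uid = m.memberuid
JOIN sysusers r ON r.uid = m.groupuid
WHERE u.name = @ContentVSAccount
  AND r.name = N'db_owner';

-- 3. Server roles held by each account: 1 = member, 0 = not a member,
--    NULL = the login does not exist. The scripts above add only the
--    administration account to dbcreator and securityadmin; a 1 in
--    is_sysadmin is more privilege than this procedure grants.
SELECT a.login_name,
       IS_SRVROLEMEMBER('dbcreator', a.login_name)     AS is_dbcreator,
       IS_SRVROLEMEMBER('securityadmin', a.login_name) AS is_securityadmin,
       IS_SRVROLEMEMBER('sysadmin', a.login_name)      AS is_sysadmin
FROM (SELECT @AdminVSAccount AS login_name
      UNION ALL
      SELECT @ContentVSAccount) a;
```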

Adding Accounts to the STS_WPG and IIS_WPG Groups and Verifying Permissions

You must add the new accounts to the STS_WPG and IIS_WPG groups on all front-end Web servers in your server farm. These groups control access to the IIS metabase, the SharePoint connection string to SQL Server, and other required directories and files. For more information about adding accounts to groups, see the Help system.

The IIS_WPG group must have Read and Write permissions to the content area of the virtual server. For example, if the content virtual server points to c:\inetpub\wwwroot, you must grant the IIS_WPG group Read and Write permissions to this directory. For more information about granting permissions to directories, see the Help system.

Updating the Application Pools and Synchronizing the SharePoint Timer Service

To change the application pool identity for the SharePoint Central Administration virtual server or for a content virtual server, you use Internet Information Services (IIS) Manager. If you have changed the identity for SharePoint Central Administration, you must also synchronize the SharePoint Timer Service to use the new identity.

Update the SharePoint Central Administration application pool in IIS

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Click the plus sign next to your server name.

  3. Click the plus sign next to Web Sites.

  4. Right-click SharePoint Central Administration, and then click Properties.

  5. Click the Home Directory tab.

  6. Make a note of the application pool name in the Application pool box, and then click Cancel.

  7. Click the plus sign next to Application Pools.

  8. Right-click the application pool that needs to be updated, and then click Properties.

  9. In the "Application Pool ID" Properties dialog box, click the Identity tab.

  10. Under Application pool identity, verify that Configurable is selected, and then in the User name box, type the new account to use.

  11. In the Password box, type the password for the new account, and then click OK.

After you have reset the application pool identity, you must restart IIS. To restart IIS, run iisreset on the command line.

Synchronize the SharePoint Timer Service with the new account information

  1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Central Administration.

  2. On the SharePoint Central Administration page, under Server Configuration, click Configure virtual server for central administration.

  3. Select Use an existing application pool, and then select the application pool you just updated with the new account for SharePoint Central Administration.

  4. Click OK.

After you have reset the application pool identity, you must restart IIS. To restart IIS, run iisreset on the command line.

Update the content virtual server application pool in IIS

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Click the plus sign next to your server name.

  3. Click the plus sign next to Web Sites.

  4. Right-click the virtual server you need to update, and then click Properties.

  5. Click the Home Directory tab.

  6. Make a note of the application pool name in the Application pool box, and then click Cancel.

  7. Click the plus sign next to Application Pools.

  8. Right-click the application pool that needs to be updated, and then click Properties.

  9. In the "Application Pool ID" Properties dialog box, click the Identity tab.

  10. Under Application pool identity, verify that Configurable is selected, and then in the User name box, type the new account to use.

  11. In the Password box, type the password for the new account, and then click OK.

After you have reset the application pool identity, you must restart IIS. To restart IIS, run iisreset on the command line.