Topic Last Modified: 2009-02-02
The Microsoft Exchange Server Best Practices Analyzer parses the roles that are running on an Exchange Server 2007-based computer together with the Internet Information Services (IIS) application pools that are used on the server.
The Best Practices Analyzer uses the results of the examination to determine whether the application pools under which each Exchange-related Web application runs are configured to run under the local System account.
If an application pool is not configured to run under the local System account, the Best Practices Analyzer generates the following error message:
Application pool '<ApplicationPoolName>' on server '<ServerName>' is configured to run under the wrong identity. '<ApplicationPoolName>' should run under the 'Local System' identity.
IIS uses application pools to separate Web applications and Web sites. Each application pool is served by a worker process or by a set of worker processes. Each worker process operates as a separate instance. The worker process for one application pool is separate from worker processes for other application pools. Therefore, separating Web applications and Web sites into different application pools helps increase reliability and security.
Exchange 2007 requires the following application pools to run under the local System account:
- MSExchangeAutodiscoverAppPool
- MSExchangeOWAAppPool
- MSExchangeServicesAppPool
- MSExchangeSyncAppPool
- MSExchangeUMAppPool
This is to make sure that each Web application runs under an account that has the appropriate rights to access the server. To address this issue, configure the Exchange-related application pools to run under the local System account.
To modify an application pool in Windows Server 2008
1. Start the Internet Information Services (IIS) Manager MMC snap-in.
2. Expand the computer, and then click Application Pools.
3. In the Application Pools pane, examine the entries in the Identity column to determine which identity each application pool uses.
4. Click an application pool, such as MSExchangeOWAAppPool, and then click Advanced Settings in the details pane.
5. In the Process Model section, click Identity, and then click the ellipsis button (…).
6. In the Application Pool Identity dialog box, click Built-in account, click LocalSystem in the Built-in account list, and then click OK.
   Note: Do not unintentionally click LocalService in the Built-in account list.
7. Follow steps 4 through 6 for any other Exchange-related application pools that you want to modify.
8. Click OK, and then reset IIS. To do this, run the iisreset /noforce command from a command prompt.
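The identity check from step 3 can also be scripted on Windows Server 2008 (IIS 7). The following PowerShell is an added example, not part of the original topic or of the Best Practices Analyzer. It assumes appcmd.exe is in its default location and that the shell is elevated, and it only reads the configuration.

```powershell
# Read-only audit of the Exchange 2007 application pool identities on IIS 7.
# Assumptions: appcmd.exe is in its default location; the shell is elevated.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# Pool names as listed on this page.
$requiredPools = @(
    'MSExchangeAutodiscoverAppPool',
    'MSExchangeOWAAppPool',
    'MSExchangeServicesAppPool',
    'MSExchangeSyncAppPool',
    'MSExchangeUMAppPool'
)

function Get-PoolIdentityType {
    param([string]$PoolName)
    # /text:<attribute> makes appcmd print only that attribute's value.
    $value = & $appcmd list apppool $PoolName /text:processModel.identityType 2>$null
    if (-not $value) { return $null }   # pool does not exist on this server
    return ([string]$value).Trim()
}

$results = foreach ($pool in $requiredPools) {
    $identity = Get-PoolIdentityType -PoolName $pool
    if ($null -eq $identity) {
        $status = 'NotFound'
    } elseif ($identity -eq 'LocalSystem') {
        $status = 'OK'
    } else {
        $status = 'WrongIdentity'
    }
    $row = '' | Select-Object Pool, Identity, Status
    $row.Pool = $pool
    $row.Identity = $identity
    $row.Status = $status
    $row
}

$results | Format-Table -AutoSize

# Print (do not run) the command-line equivalent of the GUI fix for each non-compliant pool.
$bad = @($results | Where-Object { $_.Status -eq 'WrongIdentity' })
foreach ($r in $bad) {
    Write-Host ('Fix: "{0}" set apppool "{1}" /processModel.identityType:LocalSystem' -f $appcmd, $r.Pool)
}
if ($bad.Count -gt 0) {
    Write-Host 'Then run: iisreset /noforce'
}
```

A status of NotFound means the pool does not exist on the server that was checked.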
To modify an application pool in Windows Server 2003
1. Start the Internet Information Services (IIS) Manager MMC snap-in.
2. Expand the computer, and then click Application Pools.
3. Right-click an application pool, such as MSExchangeOWAAppPool, and then click Properties.
4. Click the Identity tab, and then click Predefined.
5. In the Predefined list, click Local System, and then click OK.
6. In the confirmation message that appears, click Yes to confirm that you want to run the application pool as the local System account.
7. Follow steps 3 through 6 for any other Exchange-related application pools that you want to modify.
8. Reset IIS. To do this, run the iisreset /noforce command from a command prompt.