It is considered a best practice to ensure the impersonation accounts of the Web Server and Application Server are members of a Windows user group with rights to the map service, in addition to the recommendations made in the Web Server Administration documentation. The impersonation account is used by the application pool worker process, which needs rights to the map service in order for the web mapping application to be displayed.