I'm trying to run a Windows service and an IIS website under the same Active Directory Group Managed Service Account SomeServiceAccount. I've got 2 servers, App and Web.

I've made a group called SomeGroup, then added App and Web with the commands Add-ADGroupMember "SomeGroup" -Members (Get-ADComputer "App") and Add-ADGroupMember "SomeGroup" -Members (Get-ADComputer "Web").

Then I:

1. Restarted both the machines to make sure they are part of the group.
2. Ran the command on the domain controller: New-ADServiceAccount -Name SomeServiceAccount -Enabled $true -DNSHostName domain-controller -PrincipalsAllowedToRetrieveManagedPassword "SomeGroup"
3. Went to both machines and ran Set-AdServiceAccount SomeServiceAccount.
4. Started up the Windows service on the App machine with the user SOMEDOMAIN\SomeServiceAccount$ and no password, and it starts up OK.
5. Went to the Web machine and assigned the app pool identity to be as above.
6. Hit the site and the app pool stops.

In the event logs there is an error:

Application pool SomePool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.

and two warnings next to it with

Application pool SomePool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

and

The identity of application pool SomePool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

The service runs but the website 503s and stops the app pool when I go to the site. I've changed the permissions of the site to allow the service account to access it.

Anyone got any ideas? I'd really like to be able to use a gMSA instead of a normal domain account to run this under.
This issue occurs when the IIS application pool Identity Parameter is not set to NetworkService. To resolve this issue, change the Identity parameter to NetworkService in the IIS Manager for Windows Server: Select the Advanced Settings for the DefaultAppPool.
Configuring Auto-Start with IIS Manager: In the Connections pane, select the Application Pools node, revealing the Application Pools pane in the main view. Select the application pool for which you wish to enable Auto-Start. Locate the Start Mode option under the General group and set it to AlwaysRunning. Click OK.
Application Pool Identity Accounts Worker processes in IIS 6.0 and in IIS 7 run as Network Service by default. Network Service is a built-in Windows identity. It doesn't require a password and has only user privileges; that is, it is relatively low-privileged.
Stopping a site does not stop the application pool associated with the site. In fact the worker process serving the site still exists and the code loaded in the worker process still exists.
Make sure you have the service account added to the users for the Allow Logon As Batch setting on the server(s) running the app pool?
https://www.brooksnet.com/faq/granting-logon-as-batch-privilege
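An added check script (not from the question or either answer) that runs on the Web host and walks the two things the answers above point at: whether this computer can actually retrieve the gMSA's managed password, and whether the account holds the "Log on as a batch job" right, before assigning it to the app pool with the trailing $ and an empty password. It assumes the names from the question (SOMEDOMAIN, SomeServiceAccount, SomePool), an elevated session, and the RSAT ActiveDirectory and WebAdministration modules on the host.

```powershell
# Added example; assumes the question's names and an elevated PowerShell session.
Import-Module ActiveDirectory
Import-Module WebAdministration

$Domain  = 'SOMEDOMAIN'
$Gmsa    = 'SomeServiceAccount'
$AppPool = 'SomePool'
$Account = "$Domain\$Gmsa`$"   # a gMSA logon name always carries the trailing $

# 1. Can this host retrieve the managed password? Install-ADServiceAccount
#    caches the gMSA locally; Test-ADServiceAccount returns $false when the
#    computer is not (yet) recognised as a member of the group named in
#    PrincipalsAllowedToRetrieveManagedPassword, which is why a reboot is
#    needed after adding the computer to that group.
if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
    Install-ADServiceAccount -Identity $Gmsa
    if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
        throw "This host cannot retrieve the managed password for $Gmsa"
    }
}

# 2. Does the account hold SeBatchLogonRight ("Log on as a batch job")?
#    secedit exports the local policy as an INI file; the right is a
#    comma-separated list of SIDs (prefixed with *) and/or account names.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = (Get-Content $cfg) -match '^SeBatchLogonRight'
Remove-Item $cfg
$entries = if ($line) { ((@($line)[0] -split '=')[1]) -split ',' } else { @() }
$granted = $entries | Where-Object { $_.Trim().TrimStart('*') -in @($sid, $Account) }
if (-not $granted) {
    # The right may still be inherited through a group (e.g. IIS_IUSRS);
    # this only reports that the gMSA is not listed directly.
    Write-Warning "$Account is not listed directly under SeBatchLogonRight"
}

# 3. Point the app pool at the gMSA: SpecificUser, trailing $, empty password.
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Account
    password     = ''
}
Restart-WebAppPool -Name $AppPool
```

If step 1 throws, the WAS "identity is invalid" warning from the question is expected, because the worker process cannot obtain the password no matter how the app pool is configured.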