# GMSA Account for Application Pool

{% embed url="<https://www.youtube.com/watch?v=O6s91txW42c>" %}
Create and Install GMSA Account
{% endembed %}

The SessionLimit web application runs under the user account defined on its IIS application pool. This account is used for operations such as database connections and LDAP connections. Alternatively, a separate user account can be used for LDAP connections. However, using a normal user account or the LocalSystem account raises security problems.

Using a Group Managed Service Account (gMSA), which is safer, is recommended for SessionLimit. Below are the steps for creating a gMSA in the Active Directory environment.

## Domain Controller

Open PowerShell with **Run as Administrator**.

{% hint style="warning" %}
Membership in the **Domain Admins** or **Enterprise Admins** groups, or equivalent, is the minimum required to complete this procedure. For detailed information about using the appropriate accounts and group memberships, see [Local and Domain Default Groups](https://learn.microsoft.com/en-us/previous-versions/orphan-topics/ws.10/dd728026\(v=ws.10\)).
{% endhint %}

1. Add-KDSRootKey -EffectiveImmediately
2. New-ADGroup -DisplayName ***\<GroupName>*** -GroupScope Global -GroupCategory Security -Name ***\<GroupName>***
3. Add-ADGroupMember -Identity ***\<GroupName>*** -Members ***\<ComputerName$>***
4. New-ADServiceAccount -Name ***\<GMSAAccountName>*** -DNSHostName ***\<GMSAAccountName>.domain.com*** -PrincipalsAllowedToRetrieveManagedPassword ***\<GroupName>***

{% hint style="danger" %}
If you receive the *Key does not exist* error in step 4, you must either wait 10 hours or create a key whose effective time is 10 hours in the past with the following command.

Add-KDSRootKey -EffectiveTime (Get-Date).AddHours(-10)
{% endhint %}

{% code title="CreateGMSA.ps1" overflow="wrap" lineNumbers="true" %}

```powershell
Add-KDSRootKey -EffectiveImmediately
New-ADGroup -DisplayName GMSAComputers -GroupScope Global -GroupCategory Security -Name GMSAComputers
Add-ADGroupMember -Identity GMSAComputers -Members ComputerName$
New-ADServiceAccount -Name GMSAAccount -DNSHostName GMSAAccount.domain.com -PrincipalsAllowedToRetrieveManagedPassword GMSAComputers
```

{% endcode %}
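The script below is an added example, not part of the SessionLimit documentation: it performs the same four Domain Controller steps idempotently (safe to re-run) and adds the checks an administrator would want before and after, namely that a KDS root key exists, that only the intended computer accounts are in the group, and that the gMSA lists that group as the only principal allowed to retrieve its password. The names `GMSAComputers`, `GMSAAccount`, `domain.com` and `SESSIONLIMIT01` are assumed placeholders; replace them with your own.

```powershell
# Added example (not the SessionLimit project's own script).
# Run in an elevated PowerShell on a Domain Controller (or a host with the RSAT AD module).
Import-Module ActiveDirectory

$GroupName     = 'GMSAComputers'       # assumed: group allowed to retrieve the managed password
$GmsaName      = 'GMSAAccount'         # assumed: gMSA name (without the trailing $)
$DnsSuffix     = 'domain.com'          # assumed: DNS suffix of the domain
$ComputerNames = @('SESSIONLIMIT01')   # assumed: SessionLimit server computer name(s), without $

# 1. KDS root key: gMSA passwords cannot be generated without one.
if (-not (Get-KdsRootKey)) {
    # Even with -EffectiveImmediately the key is usable only after ~10 hours, once it has
    # replicated to every DC. Backdating it with -EffectiveTime (Get-Date).AddHours(-10)
    # skips that wait and is appropriate for a lab only.
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Security group that is allowed to retrieve the managed password (created only if missing).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -DisplayName $GroupName `
                         -GroupScope Global -GroupCategory Security -PassThru
}

# 3. Only the SessionLimit server computer account(s) join the group.
foreach ($name in $ComputerNames) {
    $computer = Get-ADComputer -Identity $name
    Add-ADGroupMember -Identity $group -Members $computer
}

# 4. The gMSA itself, restricted to that group (created only if missing).
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
                         -DNSHostName "$GmsaName.$DnsSuffix" `
                         -PrincipalsAllowedToRetrieveManagedPassword $group
}

# Verification: which principals may retrieve the password, and who is in the group.
Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword
Get-ADGroupMember -Identity $group | Select-Object Name, objectClass
```

The final two commands are the check worth keeping: the `PrincipalsAllowedToRetrieveManagedPassword` list should contain only the group, and the group should contain only the SessionLimit server computer account(s). Any extra member can obtain the gMSA password, so review that output whenever the group changes.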

## SessionLimit Server

Open PowerShell with **Run as Administrator**. The "Active Directory module for Windows PowerShell" must also be installed so that the Active Directory commands can run.

<figure><img src="https://3397644693-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUKnjxE4TMdT6gqOH49zt%2Fuploads%2F7JF9hZIRLYPPzUg8245O%2Fimage.png?alt=media&#x26;token=df3cceb3-f0be-4257-a48d-2fcf45f75daa" alt=""><figcaption><p>Active Directory Module for Windows Powershell</p></figcaption></figure>

{% hint style="warning" %}
Membership in the **Administrators** group is the minimum required to complete this procedure. The computer must be in the Active Directory domain.
{% endhint %}

1. Install-ADServiceAccount ***\<GMSAAccountName>$***
2. Test-ADServiceAccount ***\<GMSAAccountName>$***

{% hint style="warning" %}
There must be a **$** sign at the end of the account name.
{% endhint %}

{% hint style="danger" %}
If you get the "*Cannot install service account (Access Denied)*" error when you run the **Install-ADServiceAccount** command, run the following commands in a cmd window opened as administrator, just before the **Install-ADServiceAccount** command.

C:\\> klist purge -li 0x3e7

C:\\> gpupdate /Force
{% endhint %}

```powershell
Install-ADServiceAccount GMSAAccount$
Test-ADServiceAccount GMSAAccount$
```

The **Test-ADServiceAccount** command is expected to return **True**.
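The script below is an added example, not part of the SessionLimit documentation: it runs the two server-side commands with the checks around them, and when the install fails it applies the ticket refresh described in the hint above once before retrying. The account name `GMSAAccount$` is an assumed placeholder.

```powershell
# Added example (not the SessionLimit project's own script).
# Run in an elevated PowerShell on the SessionLimit server; requires the RSAT
# "Active Directory module for Windows PowerShell" feature.
Import-Module ActiveDirectory

$GmsaName = 'GMSAAccount$'   # assumed gMSA name; the trailing $ is required

# A gMSA can only be installed on a domain-joined computer.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "Computer $($cs.Name) is not joined to a domain." }

function Test-Gmsa {
    # Test-ADServiceAccount returns True only when this computer can retrieve the managed password.
    try   { return [bool](Test-ADServiceAccount -Identity $GmsaName -ErrorAction Stop) }
    catch { Write-Warning $_.Exception.Message; return $false }
}

if (-not (Test-Gmsa)) {
    try {
        Install-ADServiceAccount -Identity $GmsaName -ErrorAction Stop
    }
    catch {
        # "Access Denied" usually means the computer's own Kerberos ticket was issued before
        # it became a member of the group named in PrincipalsAllowedToRetrieveManagedPassword.
        # 0x3e7 is the logon session of the local SYSTEM account; purging its tickets forces a
        # new ticket that carries the group SID, after which the install is retried once.
        Write-Warning "Install failed: $($_.Exception.Message). Refreshing the computer's Kerberos tickets and retrying."
        klist purge -li 0x3e7 | Out-Null
        gpupdate /force | Out-Null
        Install-ADServiceAccount -Identity $GmsaName -ErrorAction Stop
    }
}

if (Test-Gmsa) {
    "gMSA $GmsaName is installed and its managed password can be retrieved on $($cs.Name)."
} else {
    throw "Test-ADServiceAccount still returns False for $GmsaName; check the group membership on the Domain Controller."
}
```

If the retry still fails, the usual cause is on the Domain Controller side: the computer account is not in the group, or the group is not listed in `PrincipalsAllowedToRetrieveManagedPassword`; re-check both there rather than repeating the purge.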

## IIS Settings

After installing SessionLimit Server 2.0, you can change the Application Pool Identity in the IIS settings.

1. Open the **Internet Information Services** snap-in on the **SessionLimit Server**,
2. Go to **Application Pools** under the server node,
3. Select the **SessionLimit** application pool and then click **Advanced Settings**,
4. Go to the **Identity** property in the list and then click the **...** button,
5. Click the **Set** button for the **Custom account** option,
6. Enter your gMSA account in the **User name** field. The user name format should be **domain\gmsaAccount$**.

<figure><img src="https://3397644693-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUKnjxE4TMdT6gqOH49zt%2Fuploads%2F9oI3IXoUDk2Ibqey6by0%2Fimage.png?alt=media&#x26;token=784ad227-be2f-4fef-bc9e-a7ec7cf326ef" alt=""><figcaption><p>Set GMSA Account</p></figcaption></figure>
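The script below is an added example, not part of the SessionLimit documentation: it makes the same application pool change as the six snap-in steps above from PowerShell, recycles the pool and then reads the identity back so the result can be verified or audited. The pool name `SessionLimit` and the account `DOMAIN\GMSAAccount$` are assumed placeholders.

```powershell
# Added example (not the SessionLimit project's own script).
# Run in an elevated PowerShell on the SessionLimit server (IIS with the WebAdministration module).
Import-Module WebAdministration

$PoolName = 'SessionLimit'            # assumed: name of the SessionLimit application pool
$GmsaUser = 'DOMAIN\GMSAAccount$'     # assumed: same value as the "User name" field in the snap-in
$PoolPath = "IIS:\AppPools\$PoolName"

if (-not (Test-Path $PoolPath)) { throw "Application pool '$PoolName' was not found." }

# identityType 3 = SpecificUser (the "Custom account" option in the snap-in).
# The password is left empty on purpose: for a gMSA, Windows retrieves the managed password
# itself using the computer account, so no password is stored in applicationHost.config.
Set-ItemProperty -Path $PoolPath -Name processModel -Value @{
    identityType = 3
    userName     = $GmsaUser
    password     = ''
}

# Recycle so the worker process restarts under the new identity.
Restart-WebAppPool -Name $PoolName

# Verification: the pool should report SpecificUser / DOMAIN\GMSAAccount$ and be Started.
$pm = Get-ItemProperty -Path $PoolPath -Name processModel
[pscustomobject]@{
    Pool         = $PoolName
    IdentityType = $pm.identityType
    UserName     = $pm.userName
    State        = (Get-WebAppPoolState -Name $PoolName).Value
}
```

If the pool shows `Stopped` after the recycle, the worker process could not log on as the gMSA; the usual cause is that `Test-ADServiceAccount` on this server does not yet return True, so repeat the checks from the previous section before changing anything in IIS.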
