GMSA Account for Application Pool

Scope: SessionLimit 2.0

Last updated 11 months ago

The SessionLimit web application runs under the user account defined on its IIS application pool. This account is used for operations such as database connections and LDAP connections. Alternatively, a separate user account can be used for the LDAP connections. However, using a normal user account or the LocalSystem account for this purpose can introduce security problems.

It is recommended to use a GMSA, which is safer, with SessionLimit. Below are the steps for creating a GMSA in an Active Directory environment.

Domain Controller

Open a PowerShell window with Run as Administrator.

  1. Add-KDSRootKey -EffectiveImmediately

  2. New-ADGroup -DisplayName <GroupName> -GroupScope Global -GroupCategory Security -Name <GroupName>

  3. Add-ADGroupMember -Identity <GroupName> -Members <ComputerName$>

  4. New-ADServiceAccount -Name <GMSAAccountName> -DNSHostName <GMSAAccountName>.domain.com -PrincipalsAllowedToRetrieveManagedPassword <GroupName>

If you receive the "Key does not exist" error in step 4, you must either wait 10 hours or create a key whose effective time is 10 hours in the past with the following command.

Add-KDSRootKey -EffectiveTime (Get-Date).AddHours(-10)

CreateGMSA.ps1
# Run on a Domain Controller as Administrator (requires the ActiveDirectory module).
# Create the KDS root key that gMSA passwords are derived from (needed once per forest).
Add-KDSRootKey -EffectiveImmediately
# Security group whose members may retrieve the managed password.
New-ADGroup -DisplayName GMSAComputers -GroupScope Global -GroupCategory Security -Name GMSAComputers
# Add the SessionLimit server's computer object; the SAM account name of a computer ends with $.
Add-ADGroupMember -Identity GMSAComputers -Members ComputerName$
# Create the gMSA and allow only that group to retrieve its password.
New-ADServiceAccount -Name GMSAAccount -DNSHostName GMSAAccount.domain.com -PrincipalsAllowedToRetrieveManagedPassword GMSAComputers

SessionLimit Server

Open a PowerShell window with Run as Administrator. You must also install the "Active Directory module for Windows PowerShell" to run the Active Directory commands.

Membership in the Administrators group is the minimum required to complete this procedure. The computer must be in the Active Directory domain.

  1. Install-ADServiceAccount <GMSAAccountName>$

  2. Test-ADServiceAccount <GMSAAccountName>$

There must be a $ sign at the end of the account name.

If you get the "Cannot install service account (Access Denied)" error when you run the Install-ADServiceAccount command, run the following commands in a command prompt opened as administrator, just before the Install-ADServiceAccount command.

C:\> klist purge -li 0x3e7

C:\> gpupdate /Force

Install-ADServiceAccount GMSAAccount$
Test-ADServiceAccount GMSAAccount$

A True response is expected to return after the Test-ADServiceAccount command.

IIS Settings

After installing SessionLimit Server 2.0, you can change the Application Pool Identity in the IIS settings.

  1. Open the Internet Information Services snap-in on the SessionLimit Server.

  2. Go to Application Pools under the server node.

  3. Select the SessionLimit application pool and then click Advanced Settings.

  4. Go to the Identity property in the list and then click the three-dot button.

  5. Click the Set button under Custom account.

  6. Enter your GMSA account information in the User name field. The user name format should be like domain\gmsaAccount$.
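As an added example that is not part of the SessionLimit documentation, the following script carries out the SessionLimit Server and IIS steps above in PowerShell, with the checks a practitioner would want: it confirms that this computer is allowed to retrieve the managed password, handles the "Access Denied" case, requires True from Test-ADServiceAccount, and sets the application pool identity without the GUI. The group, account, domain and pool names are assumptions matching the sample script above.

```powershell
# Added example, not part of the SessionLimit documentation. Run as Administrator on the
# SessionLimit server. Names below are assumptions that match the sample script above.
param(
    [string]$GmsaName = 'GMSAAccount',   # assumed gMSA name (without the trailing $)
    [string]$Domain   = 'domain',        # assumed NetBIOS domain name
    [string]$PoolName = 'SessionLimit'   # assumed IIS application pool name
)
$ErrorActionPreference = 'Stop'
$sam = $GmsaName + '$'                   # the SAM account name of a gMSA always ends with $

# The AD cmdlets come with the RSAT feature; install it on Windows Server if it is missing.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Install-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
}
Import-Module ActiveDirectory
Import-Module WebAdministration

# 1. Check that this computer may retrieve the managed password: its computer object must be
#    listed in PrincipalsAllowedToRetrieveManagedPassword, directly or as a member of a group.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$self = Get-ADComputer -Identity $env:COMPUTERNAME
$allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group') { (Get-ADGroupMember -Identity $dn -Recursive).DistinguishedName }
    else { $obj.DistinguishedName }
}
if ($allowed -notcontains $self.DistinguishedName) {
    throw "$($self.SamAccountName) cannot retrieve the password of $GmsaName; add it to the group on the DC."
}

# 2. New group membership reaches this host only with a fresh Kerberos ticket for the SYSTEM
#    logon session (0x3e7); this is the 'Access Denied' case described above.
klist purge -li 0x3e7 | Out-Null
gpupdate /force | Out-Null

# 3. Install the gMSA locally and require True from Test-ADServiceAccount.
Install-ADServiceAccount -Identity $sam
if (-not (Test-ADServiceAccount -Identity $sam)) { throw "Test-ADServiceAccount returned False for $sam" }

# 4. Apply the identity to the pool: identityType 3 = SpecificUser; a gMSA takes no password.
$pool = Get-Item -Path "IIS:\AppPools\$PoolName"
$pool.processModel.identityType = 3
$pool.processModel.userName     = "$Domain\$sam"
$pool.processModel.password     = ''
$pool | Set-Item
Restart-WebAppPool -Name $PoolName

# 5. Show what IIS stored so the change can be confirmed.
(Get-Item -Path "IIS:\AppPools\$PoolName").processModel | Select-Object identityType, userName
```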

Membership in the Domain Admins or Enterprise Admins groups, or equivalent, is the minimum required to complete this procedure. For detailed information about using the appropriate accounts and group memberships, see Local and Domain Default Groups.

Screenshots: Create and Install GMSA Account; Active Directory Module for Windows PowerShell; Set GMSA Account.