GMSA Account for Application Pool

Scope: SessionLimit 2.0

Create and Install GMSA Account

The SessionLimit web application runs under the user account configured on its IIS application pool. This account is used for operations such as database connections and LDAP connections. Alternatively, a separate user account can be used for the LDAP connections. However, using a normal user account or the LocalSystem account for this purpose raises security problems.

It is recommended to use a Group Managed Service Account (gMSA), which is safer, for SessionLimit. Below are the steps for creating a gMSA in an Active Directory environment.

Domain Controller

Open a PowerShell window with "Run as Administrator".

  1. Add-KdsRootKey -EffectiveImmediately

  2. New-ADGroup -DisplayName <GroupName> -GroupScope Global -GroupCategory Security -Name <GroupName>

  3. Add-ADGroupMember -Identity <GroupName> -Members <ComputerName$>

  4. New-ADServiceAccount -Name <GMSAAccountName> -DNSHostName <GMSAAccountName>.domain.com -PrincipalsAllowedToRetrieveManagedPassword <GroupName>

CreateGMSA.ps1
# Create the KDS root key used to derive gMSA passwords (only needed once per forest).
# Note: even with -EffectiveImmediately, production domain controllers need about
# 10 hours of replication before New-ADServiceAccount succeeds.
Add-KdsRootKey -EffectiveImmediately
# Security group whose members (computer accounts) may retrieve the managed password.
New-ADGroup -DisplayName GMSAComputers -GroupScope Global -GroupCategory Security -Name GMSAComputers
# Add the SessionLimit server's computer account (note the trailing $).
Add-ADGroupMember -Identity GMSAComputers -Members ComputerName$
# Create the gMSA and restrict password retrieval to the group above.
New-ADServiceAccount -Name GMSAAccount -DNSHostName GMSAAccount.domain.com -PrincipalsAllowedToRetrieveManagedPassword GMSAComputers

SessionLimit Server

Open a PowerShell window with "Run as Administrator". You also need the "Active Directory module for Windows PowerShell" installed on this server to run the Active Directory commands below.

Active Directory Module for Windows Powershell
  1. Install-ADServiceAccount <GMSAAccountName>$

  2. Test-ADServiceAccount <GMSAAccountName>$

Install-ADServiceAccount GMSAAccount$
Test-ADServiceAccount GMSAAccount$

The Test-ADServiceAccount command is expected to return True.

IIS Settings

After installing SessionLimit Server 2.0, change the Application Pool identity in the IIS settings as follows.

  1. Open the Internet Information Services (IIS) Manager snap-in on the SessionLimit Server,

  2. Go to Application Pools under the server node,

  3. Select the SessionLimit application pool and then click Advanced Settings,

  4. Go to the Identity property in this list and then click the "..." button,

  5. Select Custom account and click the Set button,

  6. Enter your gMSA account in the User name field. The user name format must be domain\gmsaAccount$.
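The same application pool change can be scripted instead of clicking through the IIS snap-in. The script below is an added example, not part of the SessionLimit documentation; it assumes the application pool is named "SessionLimit" and the account is DOMAIN\GMSAAccount$ (replace both). It first checks that this host can actually retrieve the managed password, then sets the pool identity with an empty password, since Windows fetches the gMSA password from Active Directory itself.

```powershell
# Added example (not from the SessionLimit docs): set the IIS application pool
# identity to the gMSA from PowerShell. Assumed names: pool "SessionLimit",
# account DOMAIN\GMSAAccount$. Run as Administrator on the SessionLimit Server.
Import-Module ActiveDirectory
Import-Module WebAdministration

$AppPoolName = 'SessionLimit'
$GmsaName    = 'GMSAAccount$'          # sAMAccountName, trailing $ included
$GmsaUser    = 'DOMAIN\' + $GmsaName   # domain\gmsaAccount$ format, as in the IIS dialog

# 1. Confirm the gMSA is usable here before touching IIS. This returns $false when
#    the computer account is not in the PrincipalsAllowedToRetrieveManagedPassword
#    group or Install-ADServiceAccount has not been run on this host.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "gMSA '$GmsaName' is not usable on this host; check group membership and Install-ADServiceAccount."
}

# 2. Set the pool identity. identityType 3 = SpecificUser. The password is left
#    empty on purpose: no secret is stored in applicationHost.config.
$poolPath = "IIS:\AppPools\$AppPoolName"
Set-ItemProperty -Path $poolPath -Name processModel -Value @{
    identityType = 3
    userName     = $GmsaUser
    password     = ''
}

# 3. Recycle so the worker processes start under the new identity.
Restart-WebAppPool -Name $AppPoolName

# 4. Read back what IIS stored and fail loudly if it is not the gMSA.
$pm = Get-ItemProperty -Path $poolPath -Name processModel
if ($pm.userName -ne $GmsaUser) {
    throw "Application pool '$AppPoolName' identity is '$($pm.userName)', expected '$GmsaUser'."
}
"{0} now runs as {1} (identityType={2})" -f $AppPoolName, $pm.userName, $pm.identityType
```

After the script runs, the Identity column for the pool in IIS Manager shows the gMSA name, and no password is present in the pool configuration; if step 1 throws, fix the gMSA installation first rather than falling back to a normal user account.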

Set GMSA Account
