# GMSA Account for Application Pool

{% embed url="<https://www.youtube.com/watch?v=O6s91txW42c>" %}
Create and Install GMSA Account
{% endembed %}

The SessionLimit web application runs under the identity configured on its IIS application pool. That identity is used for operations such as database connections and LDAP connections (a separate user account can alternatively be used for LDAP). Running the pool as a normal user account or as LocalSystem introduces security problems: a user account has a static password that must be stored and rotated manually, and LocalSystem grants far more privilege on the server than the application needs.

A group Managed Service Account (gMSA) avoids both problems, because its password is generated and rotated automatically by Active Directory and can only be retrieved by the computers you explicitly allow, so it is the recommended identity for SessionLimit. The steps below create a gMSA in the Active Directory environment.

## Domain Controller

On the domain controller, open a PowerShell window with **Run as administrator**.

{% hint style="warning" %}
Membership in the **Domain Admins** or **Enterprise Admins** groups, or equivalent, is the minimum required to complete this procedure. For detailed information about using the appropriate accounts and group memberships, see [Local and Domain Default Groups](https://learn.microsoft.com/en-us/previous-versions/orphan-topics/ws.10/dd728026\(v=ws.10\)).
{% endhint %}

1. Add-KDSRootKey -EffectiveImmediately
2. New-ADGroup -DisplayName ***\<GroupName>*** -GroupScope Global -GroupCategory Security -Name ***\<GroupName>***
3. Add-ADGroupMember -Identity ***\<GroupName>*** -Members **\<ComputerName$>** (the computer account of the SessionLimit server, with a trailing **$**)
4. New-ADServiceAccount -Name ***\<GMSAAccountName>*** -DNSHostName ***\<GMSAAccountName>.domain.com*** -PrincipalsAllowedToRetrieveManagedPassword ***\<GroupName>***

{% hint style="danger" %}
If step 4 fails with a "Key does not exist" error, the KDS root key created in step 1 is not yet usable: a new root key only becomes effective after a 10-hour replication delay. Either wait 10 hours, or, in a test environment, create a key whose effective time is backdated by 10 hours with the following command.

Add-KDSRootKey -EffectiveTime (Get-Date).AddHours(-10)
{% endhint %}

{% code title="CreateGMSA.ps1" overflow="wrap" lineNumbers="true" %}

```powershell
# 1. Create the KDS root key that AD uses to derive gMSA passwords
Add-KDSRootKey -EffectiveImmediately
# 2. Security group that will be allowed to retrieve the gMSA password
New-ADGroup -DisplayName GMSAComputers -GroupScope Global -GroupCategory Security -Name GMSAComputers
# 3. Add the SessionLimit server's computer account (note the trailing $) to that group
Add-ADGroupMember -Identity GMSAComputers -Members ComputerName$
# 4. Create the gMSA; only members of GMSAComputers can retrieve its managed password
New-ADServiceAccount -Name GMSAAccount -DNSHostName GMSAAccount.domain.com -PrincipalsAllowedToRetrieveManagedPassword GMSAComputers
```

{% endcode %}

## SessionLimit Server

On the SessionLimit server, open a PowerShell window with **Run as administrator**. The "Active Directory module for Windows PowerShell" (part of the RSAT tools) must also be installed, because the commands below are Active Directory cmdlets.

<figure><img src="/files/jY71ZZYZ295D46MBmHwM" alt=""><figcaption><p>Active Directory Module for Windows Powershell</p></figcaption></figure>

{% hint style="warning" %}
Membership in the **Administrators** group is the minimum required to complete this procedure. The computer must be in the Active Directory domain.
{% endhint %}

1. Install-ADServiceAccount ***\<GMSAAccountName>$***
2. Test-ADServiceAccount ***\<GMSAAccountName>$***

{% hint style="warning" %}
There must be a **$** sign at the end of the account name.
{% endhint %}

{% hint style="danger" %}
If the **Install-ADServiceAccount** command fails with "*Cannot install service account (Access Denied)*", the server is still using a Kerberos ticket issued before it was added to the group. Run the following commands in a command prompt opened as administrator, then run **Install-ADServiceAccount** again.

C:\\> klist purge -li 0x3e7

C:\\> gpupdate /Force
{% endhint %}

```powershell
Install-ADServiceAccount GMSAAccount$
Test-ADServiceAccount GMSAAccount$
```

**Test-ADServiceAccount** should return **True**; a **False** result means the server cannot retrieve the managed password, which usually indicates a group membership or Kerberos ticket problem (see the hint above).

## IIS Settings

After installing SessionLimit Server 2.0, change the Application Pool Identity in the IIS settings as follows.

1. Open the **Internet Information Services** snap-in on the **SessionLimit Server**.
2. Go to **Application Pools** under the server node.
3. Select the **SessionLimit** application pool and then click **Advanced Settings**.
4. Find the **Identity** property in the list and click the **...** button next to it.
5. Select **Custom account** and click **Set**.
6. Enter the gMSA in the **User name** field. The format must be **domain\gmsaAccount$** (including the trailing **$**).

<figure><img src="/files/uVvsTF94hzHW4qHI2Al8" alt=""><figcaption><p>Set GMSA Account</p></figcaption></figure>
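The same application pool change can be scripted and verified from PowerShell. This is an added example, not part of the SessionLimit documentation; it assumes the application pool is named SessionLimit and the gMSA is the GMSAAccount$ created in the earlier script (replace DOMAIN with your own domain name).

```powershell
# Added example: set the SessionLimit application pool identity to a gMSA,
# verify the change, and check who is allowed to retrieve the gMSA password.
# Run in an elevated PowerShell on the SessionLimit server.
Import-Module WebAdministration
Import-Module ActiveDirectory

$poolName = 'SessionLimit'            # application pool created by the SessionLimit installer
$gmsaName = 'GMSAAccount$'            # gMSA sAMAccountName, trailing $ included
$gmsaUser = "DOMAIN\$gmsaName"        # placeholder domain; use your own NetBIOS domain name
$poolPath = "IIS:\AppPools\$poolName"

# 1. The gMSA must already be installed on this host (Install-ADServiceAccount above).
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "gMSA $gmsaName is not installed on this computer; run Install-ADServiceAccount first."
}

# 2. Switch the pool to a specific user. For a gMSA the password stays empty:
#    IIS retrieves the managed password from Active Directory itself.
Set-ItemProperty -Path $poolPath -Name processModel.identityType -Value SpecificUser
Set-ItemProperty -Path $poolPath -Name processModel.userName     -Value $gmsaUser
Set-ItemProperty -Path $poolPath -Name processModel.password     -Value ''

# 3. Recycle the pool so its worker processes start under the new identity.
Restart-WebAppPool -Name $poolName

# 4. Verify: identityType should be SpecificUser and userName should end with '$'.
$pm = Get-ItemProperty -Path $poolPath -Name processModel
if ($pm.identityType -ne 'SpecificUser' -or -not $pm.userName.EndsWith('$')) {
    throw "Application pool $poolName is not running as a gMSA: $($pm.identityType) / $($pm.userName)"
}
"Pool $poolName now runs as $($pm.userName)"

# 5. Least-privilege check: only the computer group from the domain controller steps
#    should be able to retrieve the managed password. Review anything else listed here.
$acct = Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$acct.PrincipalsAllowedToRetrieveManagedPassword
```

Once the pool is running as the gMSA, the identity can be confirmed from Task Manager or `Get-Process w3wp -IncludeUserName`, where the worker process should be owned by DOMAIN\GMSAAccount$.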
