GMSA Account for Application Pool

Scope: SessionLimit 2.0

The SessionLimit web application runs under the user account configured on its IIS application pool. That account is used for operations such as database connections and LDAP connections. Alternatively, a separate user account can be specified for LDAP connections. However, using a normal user account or the LocalSystem account for this purpose raises security problems.

It is recommended to run SessionLimit under a Group Managed Service Account (GMSA), which is the safer option. The steps below create a GMSA in the Active Directory environment.

Domain Controller

Open a PowerShell window with Run as Administrator.

Membership in the Domain Admins or Enterprise Admins groups, or equivalent, is the minimum required to complete this procedure. For detailed information about using the appropriate accounts and group memberships, see Local and Domain Default Groups.

  1. Add-KDSRootKey -EffectiveImmediately

  2. New-ADGroup -DisplayName <GroupName> -GroupScope Global -GroupCategory Security -Name <GroupName>

  3. Add-ADGroupMember -Identity <GroupName> -Members <ComputerName$>

  4. New-ADServiceAccount -Name <GMSAAccountName> -DNSHostName <GMSAAccountName>.domain.com -PrincipalsAllowedToRetrieveManagedPassword <GroupName>

If step 4 fails with the "Key does not exist" error, you must either wait 10 hours or create a key whose effective time is 10 hours in the past with the following command.

Add-KDSRootKey -EffectiveTime (Get-Date).AddHours(-10)

CreateGMSA.ps1
# Create the KDS root key that Active Directory uses to derive managed passwords
Add-KDSRootKey -EffectiveImmediately
# Security group whose members are allowed to retrieve the GMSA password
New-ADGroup -DisplayName GMSAComputers -GroupScope Global -GroupCategory Security -Name GMSAComputers
# Add the SessionLimit server's computer account (note the trailing $) to that group
Add-ADGroupMember -Identity GMSAComputers -Members ComputerName$
# Create the GMSA and restrict password retrieval to the group above
New-ADServiceAccount -Name GMSAAccount -DNSHostName GMSAAccount.domain.com -PrincipalsAllowedToRetrieveManagedPassword GMSAComputers

SessionLimit Server

Open a PowerShell window with Run as Administrator. The "Active Directory module for Windows PowerShell" must also be installed to run the Active Directory commands.

Membership in the Administrators group is the minimum required to complete this procedure. The computer must be joined to the Active Directory domain.

  1. Install-ADServiceAccount <GMSAAccountName>$

  2. Test-ADServiceAccount <GMSAAccountName>$

The account name must end with a $ sign.

If the Install-ADServiceAccount command fails with the "Cannot install service account (Access Denied)" error, run the following commands in a cmd window opened as administrator, then run Install-ADServiceAccount again.

C:\> klist purge -li 0x3e7

C:\> gpupdate /Force

Install-ADServiceAccount GMSAAccount$
Test-ADServiceAccount GMSAAccount$

The Test-ADServiceAccount command is expected to return True.

IIS Settings

After installing SessionLimit Server 2.0, change the application pool identity in the IIS settings.

  1. Open the Internet Information Services snap-in on the SessionLimit Server.

  2. Go to Application Pools under the server node.

  3. Select the SessionLimit application pool and then click Advanced Settings.

  4. Go to the Identity property in this list and then click the "..." button.

  5. Select Custom account and click the Set button.

  6. Enter the GMSA account in the User name field. The user name format must be domain\gmsaAccount$.
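The same identity change can be scripted and verified from PowerShell. The following is an added example, not part of the SessionLimit documentation; it assumes the GMSA is named GMSAAccount in a domain called domain, that the application pool is named SessionLimit, and that Install-ADServiceAccount has already succeeded on this server.

```powershell
# Added example: set the SessionLimit application pool identity to the GMSA
# and verify both the stored configuration and the running worker process.
# Assumed names: pool "SessionLimit", account "domain\GMSAAccount$".
Import-Module WebAdministration
Import-Module ActiveDirectory

$poolName = 'SessionLimit'
$gmsa     = 'domain\GMSAAccount$'

# 1. Confirm this host can retrieve the managed password before touching IIS.
if (-not (Test-ADServiceAccount -Identity 'GMSAAccount$')) {
    throw "GMSA is not usable on this host; run Install-ADServiceAccount first."
}

# 2. Switch the pool to a custom identity. For a GMSA the password is left
#    empty: Windows retrieves it from Active Directory, so no static secret
#    is written into applicationHost.config.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $gmsa
    password     = ''
}

# 3. Recycle the pool so new worker processes start under the new identity.
Restart-WebAppPool -Name $poolName

# 4. Verify the stored configuration.
$pm = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
"{0}: identityType={1} userName={2}" -f $poolName, $pm.identityType, $pm.userName

# 5. Verify the owner of the worker process(es). A w3wp.exe instance only
#    appears after the first request reaches the site, so browse to
#    SessionLimit once before running this check.
Get-CimInstance Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    "{0} PID {1} runs as {2}\{3}" -f $_.Name, $_.ProcessId, $owner.Domain, $owner.User
}
```

If the worker process still reports another account, the pool was not recycled or the identity was rejected; re-check that the user name ends with $ and that Test-ADServiceAccount returns True.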
