Tags: asp.net, powershell, iis, active-directory, active-directory-group

IIS App pool won't start under group managed service account


I'm trying to run a Windows service and an IIS website under the same Active Directory Group Managed Service Account, SomeServiceAccount.

I've got 2 servers, App and Web. I've made a group called SomeGroup and added App and Web with the commands Add-ADGroupMember "SomeGroup" -Members (Get-ADComputer "App") and Add-ADGroupMember "SomeGroup" -Members (Get-ADComputer "Web").

Restarted both machines to make sure they are part of the group.

Ran the command on the domain controller: New-ADServiceAccount -Name SomeServiceAccount -Enabled $true -DNSHostName domain-controller -PrincipalsAllowedToRetrieveManagedPassword "SomeGroup"

Went to both machines and ran Set-AdServiceAccount SomeServiceAccount.

Started up the Windows service on the App machine with the user SOMEDOMAIN\SomeServiceAccount$ and no password, and it starts up OK.

Went to the Web machine and assigned the app pool identity as above. Hit the site and the app pool stops.

In the event logs there is an error: Application pool SomePool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.

and two warnings next to it:

Application pool SomePool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

and

The identity of application pool SomePool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

The service runs, but the website returns 503s and stops the app pool when I go to the site. I've changed the permissions of the site to allow the service account to access it.

Anyone got any ideas? I'd really like to be able to use a gMSA instead of a normal domain account to run this under.


Solution

  • Make sure you have the service account added to the users for the "Allow log on as a batch job" setting on the server(s) running the app pool.

    https://www.brooksnet.com/faq/granting-logon-as-batch-privilege

    (run secpol.msc as administrator and add the account to the "Local Policies\User Rights Assignment\Log on as a batch job")

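The check and fix described in the answer, scripted for the Web server as an added example (not code from the question or answer). It assumes the names from the question (gMSA SOMEDOMAIN\SomeServiceAccount$, app pool SomePool), that the gMSA has already been installed on the host with Install-ADServiceAccount, and that the RSAT ActiveDirectory and WebAdministration modules are present; since there is no built-in cmdlet for user rights assignment, the batch logon right is granted through a secedit export/import.

```powershell
# Run elevated on the Web server. Names below are the ones used in the question.
Import-Module ActiveDirectory
Import-Module WebAdministration

$Gmsa     = 'SomeServiceAccount'
$Account  = "SOMEDOMAIN\$Gmsa`$"
$PoolName = 'SomePool'

# 1. Can this host retrieve the managed password at all? A False here means the
#    computer is not (yet) in the group named in PrincipalsAllowedToRetrieveManagedPassword,
#    or the gMSA has not been installed locally; no IIS setting will fix that.
if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
    throw "$Account cannot be used on $env:COMPUTERNAME; check group membership and Install-ADServiceAccount."
}

# 2. Grant 'Log on as a batch job' (SeBatchLogonRight) if the gMSA does not have it.
#    WAS logs the app pool identity on as a batch logon, hence the 'identity is invalid' warning.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = @(Get-Content $inf)
$line  = $lines | Where-Object { $_ -like 'SeBatchLogonRight*' } | Select-Object -First 1
if (-not $line) {
    # Right not assigned to anyone yet; the export ends with the [Privilege Rights] section.
    $lines += "SeBatchLogonRight = *$sid"
} elseif ($line -notmatch [regex]::Escape("*$sid")) {
    # secedit lists SIDs with a leading '*', comma separated.
    $idx = [array]::IndexOf($lines, $line)
    $lines[$idx] = $line.TrimEnd() + ",*$sid"
}
Set-Content -Path $inf -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

# 3. Point the app pool at the gMSA (no password: the host fetches it from AD) and restart it.
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'; userName = $Account; password = ''
}
Restart-WebAppPool -Name $PoolName
Get-Item "IIS:\AppPools\$PoolName" | Select-Object Name, State, @{n='Identity';e={$_.processModel.userName}}
```

Re-applying the identity in step 3 matters even if the right was already granted by hand: as the warning in the question says, WAS only retries the logon after the identity in the IIS configuration store has been changed.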