IIS 7 and Above
Group Managed Service Account for IIS AppPool or Virtual Directory No...
Last post Apr 11, 2018 11:52 AM by rhartsfield
Apr 10, 2018 03:25 PM | tavis
I've created a gMSA account in AD and we are trying to use it on either an App Pool in IIS8 or a Virtual Directory. The server is 2012 R2. The gMSA account is set up and working as it should, because it is working on another service.
The permissions on the shared folder have the specific gMSA account with read access, and we even tried Full Control. But we continue to get a 401 Unauthorized error when attempting to browse to the file, no matter what we try.
We have tried using the gMSA account on the Virtual Directory, but that doesn't work because it requires you to input a password.
We tried putting it on the App Pool, but then we get the 401 Unauthorized error. I looked at the Security event log on the file server side and it showed the account logged on, accessed the file, and logged off, with no failure.
We have tried running the IISAdmin service account using the gMSA account, but it will not start (error 1297 and/or 5010).
Is it even possible to use a gMSA account within IIS?
Apr 10, 2018 04:15 PM | lextm
> But we continue to get a 401 unauthorized error when attempting browse to the file no matter what we try.
What is the authentication method used by the web site? Besides, what is the substatus of that 401?
While others successfully use gMSA, you need to be patient and dig further into the errors.
Apr 10, 2018 05:39 PM | tavis
Ran a curl -l against a test text file on the site to see if we could access it. Results:
HTTP/1.1 401 Unauthorized
Date: Tue, 10 Apr 2018 17:20:13 GMT
As for the authentication method, it is set to Anonymous Authentication - Enabled. That is the only one enabled.
Apr 10, 2018 08:47 PM | lextm
I pasted a link in my previous comment. You have to read the IIS log files to know the substatus, which is not in the response.
Apr 11, 2018 06:49 AM | Yuk Ding
I remember the managed service account is mainly used as the SQL Server service account. Few people use it for the IIS application identity or application pool identity. Not sure if it works in IIS.
I assume you get 401.2 or 401.3 because the managed service account doesn't have enough permission to access the application. So please grant the managed account enough read/write NTFS permission to the root folder of your website. Sometimes IIS will also require permission on the temp folder.
So please check the exact substatus in the IIS log, as lex said. 401.1 and 401.2 mean different errors.
Secondly, there is a fantastic tool to help you troubleshoot NTFS permissions, called Process Monitor. You can add a filter on w3wp.exe. Then, if you see an error like 'access is denied', you will know where to grant the permission.
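Both lextm and Yuk Ding point out that the 401 substatus only appears in the IIS W3C logs, not in the HTTP response. The following is an added example, not something posted in the thread, that tallies 401 responses by `sc-status.sc-substatus` and `sc-win32-status` so the distinction between 401.1 (logon failed), 401.2 (no authentication method matched), 401.3 (ACL on the resource denied access) and 401.5 (ISAPI/CGI denied) is visible at a glance. The log directory (`W3SVC1` under the default `C:\inetpub\logs\LogFiles`) is an assumption; use the site ID from `Get-Website` on your server.

```powershell
# Added example (not from the thread): summarise 401 responses by substatus from IIS W3C logs.
# Assumes the default W3C log format with the sc-status, sc-substatus and sc-win32-status
# fields enabled. The site ID and path are assumptions; adjust to your site.
$LogDir = 'C:\inetpub\logs\LogFiles\W3SVC1'

function Get-Iis401Summary {
    param([Parameter(Mandatory)][string]$Path)

    $fields = $null
    $rows = foreach ($file in Get-ChildItem -Path $Path -Filter 'u_ex*.log') {
        foreach ($line in Get-Content -Path $file.FullName) {
            if ($line.StartsWith('#Fields:')) {
                # The field list is declared per log file and can change between files,
                # so re-read it every time a #Fields: header appears.
                $fields = $line.Substring(8).Trim() -split ' '
                continue
            }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            $values = $line -split ' '
            $row = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
            if ($row['sc-status'] -eq '401') { [pscustomobject]$row }
        }
    }

    $rows |
        Group-Object 'sc-status', 'sc-substatus', 'sc-win32-status' |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Status  = "$($first.'sc-status').$($first.'sc-substatus')"
                Win32   = $first.'sc-win32-status'
                Count   = $_.Count
                Example = "$($first.'cs-method') $($first.'cs-uri-stem')"
            }
        }
}

Get-Iis401Summary -Path $LogDir | Format-Table -AutoSize
```

A 401.3 with `sc-win32-status` 5 (access denied) points at the NTFS or share ACL as seen by whichever account actually made the request, which is exactly the case this thread ends up diagnosing. A 401.2 with no substatus-3 entries means the problem is the authentication configuration of the site rather than file permissions.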
Apr 11, 2018 11:52 AM | rhartsfield
The service account did have all the correct permissions on the file server side, and the event logs indicated that that user was being used to access the share... but I'm not sure that is entirely true.
The substatus was indeed 3 (401.3). Thank you, Lextm. The substatus led to the Anonymous user identity setting. It was IUSR of course. We tried giving IUSR the appropriate permission but it didn't change anything.
Since the app pool was running as the GMSA, we changed the Anonymous user identity to "Application pool identity" and that seems to have resolved the problem.
Thanks for the help getting there.
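The resolution above has two parts: the app pool runs as the gMSA, and Anonymous Authentication is switched from IUSR to the application pool identity, because with anonymous access the account that touches the share is the anonymous user, not the pool identity. As an added example (not code from the thread), this is how both settings are applied and verified from PowerShell, which also gets around the IIS Manager dialog that refuses a blank password. The domain `CONTOSO`, the gMSA `websvc$`, the pool `DefaultAppPool` and the site `Default Web Site` are assumptions.

```powershell
# Added example (not from the thread): bind an IIS app pool to a gMSA and make anonymous
# requests run as that identity. Domain, gMSA, pool and site names are assumptions.
Import-Module ActiveDirectory
Import-Module WebAdministration

$Gmsa     = 'CONTOSO\websvc$'
$PoolName = 'DefaultAppPool'
$SiteName = 'Default Web Site'

# 1. The web server must be allowed to retrieve the gMSA password; that is what lets the
#    blank-password configuration below work. Test-ADServiceAccount takes the SAM name
#    without the domain prefix or trailing $.
$samName = $Gmsa.Split('\')[1].TrimEnd('$')
if (-not (Test-ADServiceAccount -Identity $samName)) {
    throw "This host cannot retrieve the password for $Gmsa; check PrincipalsAllowedToRetrieveManagedPassword and run Install-ADServiceAccount."
}

# 2. App pool identity: SpecificUser with the gMSA name and an empty password.
#    IIS Manager insists on a password for SpecificUser; the configuration API does not.
Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Gmsa
    password     = ''
}

# 3. Anonymous authentication: an empty userName means "use the application pool identity".
#    Leaving the default IUSR here is what produced the 401.3 in the thread, because IUSR,
#    not the gMSA, was the account reaching the file share.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name userName -Value ''

Restart-WebAppPool -Name $PoolName

# 4. Verify the stored settings and which account w3wp.exe actually runs as.
Get-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel |
    Select-Object identityType, userName
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name userName
Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" |
    ForEach-Object { Invoke-CimMethod -InputObject $_ -MethodName GetOwner } |
    Select-Object Domain, User
```

Two checks worth keeping in mind: the share ACL and the NTFS ACL on the file server both have to admit the gMSA (the thread confirms the NTFS side was already correct), and after the change the file server's Security log should show the `websvc$` logon for anonymous requests rather than a local IUSR-derived identity, which is the confirmation that the pool identity is now the one doing the access.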