IIS 7 and Above
Group Managed Service Accounts and iis Client Certificate Mapping Aut...
Last post Dec 06, 2018 11:07 AM by GrantCD
Nov 29, 2018 01:25 PM|GrantCD|LINK
Has anyone managed to get this working? I have numerous Group Managed Service Accounts (gMSA) all working well on the server - except when trying to use it as the account for one of my IIS Client Certificate Mappings.
I get Logon failure:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: myaccount$
Account Domain: mydomain
Failure Reason: Unknown user name or bad password.
Sub Status: 0xC000006A
I've tried Service Accounts that I know work on this machine (for example scheduled tasks and app pools), so it's not a permission-to-access-the-gMSA-password-from-the-machine issue. I've tried setting the username as domain\gMSA$ (as it should be), domain\gMSA, and gMSA$, all in a vain hope that Microsoft did something different. If I use a plain old standard service account (so not gMSA: username and password setup) then it works. I've tried changing the logon type from networkplain to batch but nothing seems to have an effect. For gMSA I leave the password field blank (as it should be for a gMSA). The error codes would suggest Bad Password, and in the domain the bad password count would suggest that is the case.
Dec 02, 2018 03:51 AM|GrantCD|LINK
Having done some tracing on the Domain I don't think IIS Client Certificate Mappings supports gMSA (I don't think this is a known restriction, so it is possibly a bug). There are no entries in Directory Services for any failed logon attempts (audit is on for success and failure and I can see successful gMSA logons in the Directory Service log).
Web Server OS is Windows 2016 Datacenter (not core). .NET Framework is 4.7.2 (though I doubt the framework version has much effect on this).
DC is Windows 2012 at 2012 functional level for the AD.
Dec 06, 2018 08:59 AM|DevPreSupport_MSFT|LINK
I built an IIS Client Certificate Mappings environment. It works fine if using a domain account too. And it will also work fine if using a gMSA account as the Application pool account. However, it will give the below error if using a gMSA account in iisClientCertificateMappingAuthentication.
I would suggest you submit this request at this address: https://windowsserver.uservoice.com/forums/310252-iis-and-web-server-role. The IIS product team will give more expert support to you.
Dec 06, 2018 11:07 AM|GrantCD|LINK
Thanks - good to confirm that others have the same issue.
With netlogon tracing on at the Domain Level I can see that for other gMSA accounts the server asks for the password from the domain, but it is not doing this for Client Cert Mappings, so I've summarised that there is a bug in this area / M$ forgot to make cert mappings work with gMSA.
It's not an area that M$ have given much love to (I do things in PoSH, but the lack of a helpful GUI is not great, especially if doing One to One mappings), so I'm not really that surprised.
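The configuration steps the first post walks through (account, logon type, one-to-one mapping) and the PowerShell-only workflow the last post mentions, written out as an added example. This is not code from the thread or from Microsoft; it assumes the site is 'Default Web Site', that 'MYDOMAIN\svc_certmap' is a standard (non-gMSA) service account and that C:\certs\client.cer holds the client certificate (all placeholders). It refuses a gMSA up front, since the thread establishes that the mapping module never fetches a gMSA password, and it finishes by listing the Security-log 4625 events with Sub Status 0xC000006A that a bad mapping account produces.

```powershell
# Added example (not from the thread): configure an IIS one-to-one client
# certificate mapping with a standard domain service account, confirm the
# account is not a gMSA, and list the 4625 / 0xC000006A failures the
# original poster reported. Run elevated on the IIS server.
Import-Module WebAdministration
Import-Module ActiveDirectory   # RSAT; only needed for the gMSA check

# --- Assumptions / placeholders (replace with real values) ---
$SiteName   = 'Default Web Site'
$AppHost    = 'MACHINE/WEBROOT/APPHOST'
$MapAccount = 'MYDOMAIN\svc_certmap'     # standard (non-gMSA) service account
$CertPath   = 'C:\certs\client.cer'      # .cer of the client certificate to map
$AuthFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# 1. Refuse gMSA accounts up front: per the thread, IIS never asks the DC for a
#    gMSA password when doing cert mappings, so every request fails with 0xC000006A.
$sam    = ($MapAccount -split '\\')[-1]
$isGmsa = $false
try {
    $null   = Get-ADServiceAccount -Identity $sam -ErrorAction Stop
    $isGmsa = $true
} catch { }
if ($isGmsa) {
    throw "$MapAccount is a group Managed Service Account; IIS client certificate mapping needs a standard account with a password."
}

# 2. Read the password at run time rather than embedding it in the script.
$secure = Read-Host -Prompt "Password for $MapAccount" -AsSecureString
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# 3. Load the client certificate; IIS stores the DER bytes Base64-encoded in the mapping.
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$certB64 = [Convert]::ToBase64String($cert.Export('Cert'))

# 4. Enable the module, set the logon method (ClearText is the default; Batch is the
#    other value the poster tried) and add the one-to-one mapping (no GUI for this).
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $AuthFilter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $AuthFilter -Name oneToOneCertificateMappingsEnabled -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $AuthFilter -Name logonMethod -Value 'ClearText'
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter "$AuthFilter/oneToOneMappings" -Name '.' -Value @{
    enabled     = 'True'
    userName    = $MapAccount
    password    = $plain
    certificate = $certB64
}
$plain = $null

# 5. Require TLS and a client certificate on the site so the mapping is actually exercised.
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 6. Detection: recent 4625 events whose SubStatus is 0xC000006A (bad password),
#    the signature of a mapping that points at an account IIS cannot authenticate.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
    if ($d.SubStatus -eq '0xc000006a') {     # -eq is case-insensitive on strings
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Process   = $d.ProcessName
        }
    }
  } | Format-Table -AutoSize
```

The gMSA check uses Get-ADServiceAccount only as a yes/no test, so it throws before any configuration is written if the account is a managed one. The detection step parses the event XML by field name instead of relying on the Properties index order, which is the more robust way to pull SubStatus and LogonType out of 4625 events in a monitoring script.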