Internet Information Services
Microsoft web server software.
1,590 questions
See
https://hansstan.wordpress.com/2017/07/05/using-group-managed-service-accounts-with-iis/
How to set gMSA account in physical path credentials property
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 64%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
michal kavi rajan
6
Reputation points
Trying to setup classic ASP application in IIS 10. Anonymous Authentication is disabled. Windows Authentication is enabled. This application is currently running using normal service account. Wanted to change it to gMSA account for better password mangement.
As the application is using windows based authentication, the service account is configured for IIS app pool and physical path property for the SQL connection from application to work.
I am able to configure gMSA account for app pool without password. However while setting the gMSA account in physical path property getting error as password is invalid , invalid user id.
Is it possible to use gMSA account for IIS physical path property?
If Yes, how to set it up?
{count} vote
-
Lex Li (Microsoft) 4,742 Reputation points Microsoft Employee2024-03-08T23:40:48.75+00:00 By setting the application pool identity to a dedicated service account, external resource access will go through that account as well.
Why do you need to also override the physical path setting? Do you want to configure another service account for external resource access?
Sign in to comment
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bruce (SqlWork.com) 56,851 Reputation points2021-12-04T18:08:13.577+00:00 -
michal kavi rajan 6 Reputation points
2021-12-07T04:26:48.33+00:00 I am able to configure gMSA account for IIS app pool as mentioned in the article. However , I am trying to setup classic ASP application using windows Authentication. This classic ASP application is not using the app pool identity to connect to database instead it connects using NT Authority\Anonymous logon. So I have to configure the gMSA account in the physical path credentials for connecting to database using gMSA account
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 24%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
Sam Wu-MSFT 7,036 Reputation points Microsoft Vendor2021-12-08T02:22:45.3+00:00 @michal kavi rajan Has your problem been solved?
-
michal kavi rajan 6 Reputation points
2021-12-08T02:34:23.787+00:00 No, still not find answer to set gMSA account in physical path credentials property
-
Sam Wu-MSFT 7,036 Reputation points Microsoft Vendor
2021-12-08T02:56:16.9+00:00 @michal kavi rajan I suggest you open a case via: https://support.microsoft.com, there will be senior experts helping you.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 82%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBW%3C/text%3E%3C/svg%3E)
Brian Webb-xa 0 Reputation points2024-03-08T23:01:41+00:00 Just posting this here in case anyone else runs into this issue. Within IIS, gMSAs are only allowed to run as app pool identities. It's stated in their documentation:
With Windows Server 2012, services or service administrators do not need to manage password synchronization between service instances when using group Managed Service Accounts (gMSA). You provision the gMSA in AD and then configure the service which supports Managed Service Accounts. Use of the gMSA is scoped to any machine that is able to use LDAP to retrieve the gMSA's credentials. You can provision a gMSA using the *-ADServiceAccount cmdlets which are part of the Active Directory module. Service identity configuration on the host is supported by:
- Same APIs as sMSA, so products which support sMSA will support gMSA
- Services which use Service Control Manager to configure logon identity
- Services which use the IIS manager for application pools to configure identity
- Tasks using Task Scheduler.