Server 2008r2: use Managed Service Accounts in IIS - walkthrough

Well, here is my first blog entry :)

Server 2008r2 (and Windows 7) introduced Managed Service Accounts and Virtual Accounts. In this first blog I briefly walk through the process of using a Managed Service Account (MSA from now on) in IIS application pools. Sure, you can use MSA's in more scenario's, but hey, let's start with the basics, right?

The advantage of using an MSA is that you don't need to worry about passwords and password changes anymore. As soon as you configure an MSA (e.g. in IIS), the service will set a password in the AD MSA object and will also change it's secrets every 30 days from now on.

Demo environment

For this demo I use a single Server 2008r2 Domain Controller who is also the IIS server, but you can use this example on a member server IIS installation also. The Domain and Forest Functional Levels are 2008r2.

Step 1: Prerequisites

The server (or windows 7 client) that will use the MSA needs KB 2494158 (Managed service account authentication fails after its password is changed in Windows 7 or in Windows Server 2008 R2) to be installed.
Get it here:  KB2494158

You need .NET Framework 3.5 installed on your server, you can do this in Server Manager, under Features. If you use Windows 7, you can download Remote Server Administration Tools (RSAT) here: RSAT
After you installed RSAT, go to Start, then Control Panel.
Click on Programs, then Programs and Features.
And then in the left pane, click Turn Windows Features on or off.
Select Microsoft .NET Framework 3.5.1.
Expand Remote Server Administration Tools, AD DS and AD LDS Tools.
Select Active Directory PowerShell Snap-in.
Restart the computer.

Step 2: PowerShell

MSA's can only be created (the correct way) through PowerShell. For this you need the ActiveDirectory add-on module loaded. Since I'm working on my DC, it's a simple load command. If you need the module on your non-DC server, add it in Server Manager under Features, RSAT (see Step 1).

Now it's time to start Powershell.

Enter the following command:

import-module ActiveDirectory

After the module is loaded, we are going to create our first MSA. I will keep the command as simple as possible, which causes the object to be created in the default folder in Active Directory: Managed Service Accounts.

 Let's type this command:

new-ADServiceAccount DSAtest -enabled $true

Check ADUC to see the newly created object:

This account is still unusable though. It needs to be installed on the computer that will use this MSA, in our case the IIS server. You can install an MSA on one machine only! (In the next Server release (currently Server 8 Developer Preview) there will be group MSA's that can be used on multiple hosts (e.g. in cluster environments)) Since I use for this demo the same server for IIS, I'll add it right here with this command:


install-ADServiceAccount -id DSAtest

The password is empty. As soon as we're going to use this MSA with an IIS Application Pool, it will set a password all by itself :)

Step 3: IIS

Let's switch to IIS:

As you can see I only have one Application Pool on this server. On the right side of the screen, you notice the Action Pane. Look for the option Advanced Settings and click on it.

On the Advanced Settings window, look for Identity and click on the small gray button on the right of this setting. Then click on the button Set...

As you can see I entered the username in the form of: <domain>\<serviceaccountname>$ and for me it's the name: dufour\DSAtest$
The MSA object's SAMAccountName property has a value named DSAtest$, that's why you need to add the $ sign.

Click op OK, OK and OK to save this setting.

Now, stop and start the Application Pool and test if it works. If the pool does not want to start, try to reset the password like this and then start the application pool again:

Reset-ADServiceAccountPassword -id DSAtest

I hope you enjoyed my very first blog! Feel free to comment here and have fun with MSA's!!!

Marco