IIS 应用程序池不会在组托管服务帐户下启动
IIS App pool wont start under group managed service account
我正在尝试 运行 windows 服务和 IIS 网站在同一活动目录组托管服务帐户 SomeServiceAccount 下。
我有 2 台服务器 App 和 Web。
我创建了一个名为 SomeGroup 的组,使用命令添加了 App 和 Web
Add-ADGroupMember "SomeGroup" -Members (Get-ADComputer "App") 和 Add-ADGroupMember "SomeGroup" -Members (Get-ADComputer "Web")
重新启动两台机器以确保它们是组的一部分
运行域控制器上的命令
New-ADServiceAccount -Name SomeServiceAccount -Enabled $true -DNSHostName 域控制器 -PrincipalsAllowedToRetrieveManagedPassword "SomeGroup"
两台机器都去了 运行 Set-AdServiceAccount SomeServiceAccount
使用用户 SOMEDOMAIN\SomeServiceAccount$ 在 App 机器上启动 windows 服务,没有密码,它启动正常
转到 Web 机器,分配应用程序池身份如上。
点击该站点,应用程序池停止。
事件日志中有一个错误:
Application pool SomePool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.
旁边有两个警告
Application pool SomePool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.
和
The identity of application pool SomePool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
服务 运行s 但网站 503s 并在我访问该网站时停止应用程序池。
我已经更改了站点的权限以允许服务帐户访问它。
有人有什么想法吗?我真的很想能够使用 GMSA 而不是普通域帐户来 运行
确保您已将服务帐户添加到用户,以便在服务器上设置“允许批处理登录”运行 应用程序池?
https://www.brooksnet.com/faq/granting-logon-as-batch-privilege
用户需要上述权限,有一个公司定义的组,我需要将其添加到。
我正在尝试 运行 windows 服务和 IIS 网站在同一活动目录组托管服务帐户 SomeServiceAccount 下。
我有 2 台服务器 App 和 Web。
我创建了一个名为 SomeGroup 的组,使用命令添加了 App 和 Web
Add-ADGroupMember "SomeGroup" -Members (Get-ADComputer "App") 和 Add-ADGroupMember "SomeGroup" -Members (Get-ADComputer "Web")
重新启动两台机器以确保它们是组的一部分
运行域控制器上的命令 New-ADServiceAccount -Name SomeServiceAccount -Enabled $true -DNSHostName 域控制器 -PrincipalsAllowedToRetrieveManagedPassword "SomeGroup"
两台机器都去了 运行 Set-AdServiceAccount SomeServiceAccount
使用用户 SOMEDOMAIN\SomeServiceAccount$ 在 App 机器上启动 windows 服务,没有密码,它启动正常
转到 Web 机器,分配应用程序池身份如上。
点击该站点,应用程序池停止。
事件日志中有一个错误:
Application pool SomePool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.
旁边有两个警告
Application pool SomePool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.
和
The identity of application pool SomePool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
服务 运行s 但网站 503s 并在我访问该网站时停止应用程序池。 我已经更改了站点的权限以允许服务帐户访问它。
有人有什么想法吗?我真的很想能够使用 GMSA 而不是普通域帐户来 运行
确保您已将服务帐户添加到用户,以便在服务器上设置“允许批处理登录”运行 应用程序池?
https://www.brooksnet.com/faq/granting-logon-as-batch-privilege
用户需要上述权限,有一个公司定义的组,我需要将其添加到。