GMSA Account for Application Pool

The ARK2FA web application runs using the user account defined in the application pool. This account is used for operations such as database connections and LDAP connections. Using a regular user account or the LocalSystem account can create security vulnerabilities.

For ARK2FA, it is strongly recommended to use a more secure option — the GMSA (Group Managed Service Account). Below are the steps for creating a GMSA in an Active Directory environment.

Domain Controller

Open the PowerShell window using "Run as Administrator".

Warning: Membership in at least the Domain Admins or Enterprise Admins groups is required to complete this procedure.

Create the KDS Root Key. This command only needs to be run once in the domain. To eliminate the default 10-hour delay before the key becomes active, use the following command:

Add-KDSRootKey –EffectiveTime (Get-Date).AddHours(-10)

Create a new GMSA account and authorize the ARK2FA server (TEST-SRV) to directly retrieve the managed password for this account:

New-ADServiceAccount -Name "ARK2FA-Svc" -DNSHostName "ark2fa.domain.com" -PrincipalsAllowedToRetrieveManagedPassword "TEST-SRV01$"

PowerShell

Add-KDSRootKey –EffectiveTime (Get-Date).AddHours(-10)
New-ADServiceAccount -Name "ARK2FA-Svc" -DNSHostName "ark2fa.domain.com" -PrincipalsAllowedToRetrieveManagedPassword "TEST-SRV01$"

ARK2FA Server (TEST-SRV)

Open the PowerShell window using "Run as Administrator". Additionally, you may need to install the "Active Directory module for Windows PowerShell" feature in order to run Active Directory commands.

Warning: Membership in the Administrators (Local Administrators) group is required to complete this procedure. The computer must be joined to an Active Directory domain.

Install-ADServiceAccount "ARK2FA-Svc$"
Test-ADServiceAccount "ARK2FA-Svc$"

Note: The account name must end with the $ sign.

Danger: If you receive the error message "Cannot install service account (Access Denied)" while running the Install-ADServiceAccount command, you need to execute the following commands in an elevated CMD window (Run as Administrator) before running the PowerShell commands:

C:\> klist purge -li 0x3e7
C:\> gpupdate /Force

Then, in PowerShell, run:

Install-ADServiceAccount ARK2FA-Svc$
Test-ADServiceAccount ARK2FA-Svc$

After running the Test-ADServiceAccount command, the expected response is True.

IIS Settings

After completing the installation using the ARK2FA “First Time Wizard” (FTW) — which sets the application pool to LocalSystem by default — you can change the Application Pool Identity to the GMSA account.

On the TEST-SRV01 server, open Internet Information Services (IIS) Manager.
Navigate to the Application Pools section under your server name.
Select the ARK2FA application pool and click Advanced Settings...
In the list, find the Identity property and click the […] button next to it.
Choose Custom account, then click Set...
In the User name field, enter your GMSA account name in the following format:
```
domain\ARK2FA-Svc$
```
Leave the password fields empty.

SQL Server Permissions

After changing the IIS Application Pool identity to the GMSA account, the new account (ARK2FA-Svc$) needs permission to access the SQL database.

Open SQL Server Management Studio (SSMS) and connect to your database (e.g., localhost or TEST-SRV01).
To grant the GMSA account db_owner privileges on the database, execute the following SQL script:

USE [master]
GO
CREATE LOGIN [domain\ARK2FA-Svc$] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
GO
USE [ARK2FA]
GO
ALTER AUTHORIZATION ON SCHEMA::[db_owner] TO [domain\ARK2FA-Svc$]
GO

This ensures that the ARK2FA-Svc$ account has the necessary rights to manage and access the ARK2FA database securely.

PreviousSection 3: Enabling AD FS Custom Theme NextUser Guide

Last updated 21 days ago