Shared configuration with group managed service account

  • Question

  • User552157522 posted

    I'm working to use group managed service accounts where possible. Generally it's great, application pools are happy and everything runs fine on one server. I'm trying to implement shared configuration and running into issues. I created a gMSA, installed it on the server, tested successfully, created a share, gave the gMSA access to the share, and edited the redirection.config file to have a configurationRedirection element with the proper attributes (enabled true, path to the UNC with FQDN, username is the gMSA including the dollar sign, and password blank). When I set all that up, the IIS manager complains about not being able to access the configuration. These are core servers, and the remote manager does not expose any interface for shared configuration. I tried changing the credentials on the Windows Process Activation Service, but it really didn't like that and wouldn't start (even when given the proper user rights) - that seemed like a bad idea anyway.

    Has anyone got shared configuration working using group managed service accounts for authentication?

    Note this is on server core, so the admin gui is not available.

    Tuesday, May 8, 2018 8:01 PM
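
An added example, not part of the original thread: on a Server Core node with no IIS Manager, a PowerShell function like this can confirm that redirection.config really contains the settings described in the question above. The function name and the sample server, share and account names are constructed for illustration; it only inspects the file and does not test whether the gMSA can authenticate to the share.

```powershell
# Added example: report the configurationRedirection settings from redirection.config.
function Get-IisConfigRedirection {
    param(
        # Default location of redirection.config on an IIS server.
        [string]$Path = "$env:windir\System32\inetsrv\config\redirection.config"
    )

    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $node = $doc.SelectSingleNode('/configuration/configurationRedirection')
    if ($null -eq $node) { throw "No configurationRedirection element in $Path" }

    $uncPath  = $node.GetAttribute('path')      # GetAttribute returns '' when absent
    $userName = $node.GetAttribute('userName')
    $password = $node.GetAttribute('password')

    # First path component after the leading \\ is the file server name.
    $uncHost = ($uncPath -replace '^\\\\', '').Split('\')[0]

    [pscustomobject]@{
        Enabled       = ($node.GetAttribute('enabled') -eq 'true')
        Path          = $uncPath
        IsUnc         = $uncPath.StartsWith('\\')
        HostIsFqdn    = $uncHost.Contains('.')
        UserName      = $userName
        EndsWithDollar = $userName.EndsWith('$')   # gMSA names are written with a trailing $
        PasswordBlank = [string]::IsNullOrEmpty($password)
    }
}

# Constructed sample mirroring the settings from the question (not a real server or account).
$sample = @'
<configuration>
  <configSections>
    <section name="configurationRedirection" />
  </configSections>
  <configurationRedirection enabled="true" path="\\fileserver.example.test\iisconfig" userName="EXAMPLE\svc-iiscfg$" password="" />
</configuration>
'@

$tmp = Join-Path $env:TEMP 'redirection.sample.config'
Set-Content -LiteralPath $tmp -Value $sample

# Run against the sample; call with no -Path to read the live file on an IIS node.
Get-IisConfigRedirection -Path $tmp | Format-List
```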

All replies

  • User121216299 posted

    Hi Jordanmills,

    Did you get the error, "Cannot Connect to the specified path, Make sure that the path and credentials are valid."?

    If yes then try to leave username and password fields blank.

    It will work but will give you the prompt about password.

    Regards

    Deepak

    Wednesday, May 9, 2018 9:44 AM
  • User552157522 posted

    deepakpanchal10

    Hi Jordanmills,

    Did you get the error, "Cannot Connect to the specified path, Make sure that the path and credentials are valid."?

    If yes then try to leave username and password fields blank.

    It will work but will give you the prompt about password.

    Regards

    Deepak

    I think you're talking about using the IIS manager, which isn't an option because shared configuration isn't exposed to remote connections.  Also, if the username were blank, I don't think it would have any way to know which gMSA to use.

    I just realized that I didn't say that the target here is server core, so the IIS manager is not available locally.

    Wednesday, May 9, 2018 8:39 PM
  • User552157522 posted

    Anyone?

    Thursday, May 31, 2018 6:20 PM
  • User333015934 posted

    Anyone?

    Yeah, me :)

    But I am coming here with the very same problem as you and no solution yet.

    Literally, this is the only single page on the internet where I found someone who tried to access the IIS Shared Configuration folder with a gMSA account.

    So, my setup is pretty much similar, except I am on Server 2019 with desktop experience enabled. IIS is version 10, and it gets the very same error. I dug in the SMB logs, in the Kerberos logs on the DCs and every other place I could come up with - it says "wrong password" everywhere.

    What happened with your setup back then - did you manage to succeed?

    Or should I completely surrender the idea of using an MSA account as an access account for IIS shared configuration?

    And please, if you spotted somewhere (like in the documentation) that Microsoft states that MSAs can't be used for this, please cite it for me, since I need to prove it can't be done if it really can't.

    Wednesday, June 24, 2020 1:24 PM
  • User-845264719 posted

    Did anyone figure this out?

    I have a similar need to have a shared IIS configuration for a cluster stored on a CIFS share. 

    It would be ideal to use GMSAs to make rotating the credential an automated process. 

    Friday, May 28, 2021 12:42 PM
  • User333015934 posted

    As it seems, it's a wasteland here, so I chime in with my 2 cents - I couldn't figure it out, I couldn't find help on the internet, and in the end, we made all our nodes independent.

    Still, though, we apply all changes to the IIS Application Pools, Sites, and Applications through PowerShell DSC, so we keep them coordinated.

    Friday, May 28, 2021 1:07 PM
  • User690216013 posted

    Still, though, we apply all changes to the IIS Application Pools, Sites, and Applications through PowerShell DSC, so we keep them coordinated.

    Believe it or not, DSC is a far better approach to go with (and works for more than just IIS), while Shared Configuration was a feature created in a hurry (with several well-known issues).

    Saturday, May 29, 2021 7:48 AM