我尝试在同一个活动目录组托管服务帐户SomeServiceAccount下运行Windows服务和IIS网站。
我有2台服务器App和Web。
我创建了一个名为SomeGroup的小组,并在命令中添加了App和Web
Add-ADGroupMember "SomeGroup" -Members (Get-ADComputer "App")和Add-ADGroupMember "SomeGroup" -Members (Get-ADComputer "Web")
重新启动两台计算机以确保它们属于该组
在域控制器上执行该命令 New-ADServiceAccount -Name SomeServiceAccount -Enabled $ true -DNSHostName domain-controller -PrincipalsAllowedToRetrieveManagedPassword" SomeGroup"
去了两台机器并运行Set-AdServiceAccount SomeServiceAccount
使用用户App启动SOMEDOMAIN\SomeServiceAccount$计算机上的Windows服务并且没有密码,启动正常
去Web机器,分配应用程序池标识如上。
点击该网站,应用程序池停止。
在事件日志中出现错误:
Application pool SomePool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.
和
旁边的两个警告 Application pool SomePool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.
和
The identity of application pool SomePool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
该服务运行但网站503s并在我访问该网站时停止应用程序池。 我已更改网站的权限以允许服务帐户访问它。
有人有任何想法吗?我真的希望能够使用GMSA代替普通的域帐户来运行
答案 0 :(得分:4)
确保在运行应用程序池的服务器上为“允许登录为批处理”设置的用户添加了服务帐户?
https://www.brooksnet.com/faq/granting-logon-as-batch-privilege
答案 1 :(得分:0)
用户需要上述权限,我需要将公司定义的组添加到其中。