How to create & use a Managed Service Account with an IIS App Pool & a Windows Service:

Before we start, let's understand:
What is an MSA? An MSA (Managed Service Account) is a service account whose password Active Directory manages by itself: you don't have to remember the password, reset it, or, most importantly, update it wherever it is used (e.g. a Windows service or an IIS App Pool). By default Active Directory resets the MSA password every 30 days (this can be changed).

In this post you will learn:
  • Creating a Managed Service Account (MSA)
  • Assigning the MSA to a computer
  • Installing the Managed Service Account
  • Configuring the Managed Service Account with an IIS App Pool
  • Configuring the Managed Service Account with a Windows service


Creating Managed Service Account:

Log in to a domain controller & start PowerShell.
Now add the KDS root key using the cmdlet below. This is a one-time activity; once the KDS root key exists you can create multiple MSAs.
Add-KdsRootKey -Verbose
After running the cmdlet above you have to wait 10 hours; before that AD will not allow you to create an MSA (the delay gives the key time to replicate to every domain controller). If you are in a test environment or in a hurry, you can run the cmdlet below instead, which backdates the key's effective time:
Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10)) -Verbose

Now let's create the MSA:
In the cmdlet below, MSA1 is the service account name & MSA1.geektoodeep.local is its DNS host name.
New-ADServiceAccount -Name MSA1 -DNSHostName MSA1.geektoodeep.local

Assigning Managed Service Account to computer:
Here we control which computers are allowed to install & use the MSA.
I want to use the MSA1 account to authenticate services installed on the server named StorageServer, so I use the cmdlet below to assign MSA1 to StorageServer:
Set-ADServiceAccount MSA1 -PrincipalsAllowedToRetrieveManagedPassword StorageServer$

TIP: don't forget to add the $ sign after the computer name.
I have now given StorageServer access to install & use the MSA1 account.
Installing MSA:
To install the MSA, we first need the Active Directory PowerShell module on the target server.
I have logged in to StorageServer.
To install the Active Directory module, run the cmdlet below:
Add-WindowsFeature -Name RSAT-AD-PowerShell

You may be thinking of importing the PowerShell module instead of installing it, but when I tried I got the error below:
Cannot install service account. Error Message: {Access Denied}
A process has requested access to an object, but has not been granted those access rights

So I recommend installing the Active Directory PowerShell module as above, and then installing the service account on the server with the cmdlet below:
Install-ADServiceAccount -Identity MSA1

Done, now the service account is ready to use.
Configuring Managed Service Account with IIS App Pool
To configure the service account with an IIS App Pool:
Go to IIS Manager > Application Pools
Right-click the desired App Pool > select Advanced Settings:

Click on Identity > choose Custom account > click on Set...

In the User name field, type domainname\MSAname$
Leave the password blank & click OK.
Tip: the $ sign is a must after the MSA account name.

Click OK > OK.
It's done; if you want to verify, you can use the Process Explorer tool.

As per the screenshot above, the App Pool is now running as MSA1.

Configuring MSA with Windows Service
Go to Services.msc
Select the service > right-click > Properties > Log On tab
Type domain name\MSA name with the $ sign
In this case it will be geektoodeep\msa1$
Leave the password blank

Click OK.
Done. Here we have successfully configured the service account with an IIS App Pool & a Windows service.
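The whole procedure above as one script, added here as an example and not taken from the original post. It uses the post's names (MSA1, geektoodeep.local, StorageServer); the app pool 'MyAppPool' and the service 'MyService' are hypothetical placeholders, and the WebAdministration provider and the Win32_Service.Change method stand in for the GUI steps.

```powershell
# Added example (not from the original post). It uses the post's names: account
# MSA1, domain geektoodeep.local, target host StorageServer; the app pool
# 'MyAppPool' and service 'MyService' are hypothetical placeholders.

# ---- Part 1: run on a domain controller as a domain admin ----
Import-Module ActiveDirectory

# One KDS root key per forest. Backdating the effective time is the lab shortcut
# from the post; in production, wait the 10 hours so the key replicates to every DC.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null }
# Resolve the computer object instead of typing 'StorageServer$' by hand.
$target = Get-ADComputer -Identity 'StorageServer'

# Create the account once; the password interval (default 30 days) is stated
# explicitly so the rotation policy is visible in the script.
if (-not (Get-ADServiceAccount -Filter "Name -eq 'MSA1'")) {
    New-ADServiceAccount -Name 'MSA1' -DNSHostName 'MSA1.geektoodeep.local' `
        -PrincipalsAllowedToRetrieveManagedPassword $target `
        -ManagedPasswordIntervalInDays 30
}
# Check: only StorageServer may retrieve the managed password.
$allowed = @((Get-ADServiceAccount -Identity 'MSA1' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword)
if ($allowed.Count -ne 1 -or $allowed[0] -ne $target.DistinguishedName) {
    throw "Unexpected principals may retrieve the MSA1 password: $($allowed -join ', ')"
}

# ---- Part 2: run on StorageServer in an elevated PowerShell ----
Add-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity 'MSA1'
if (-not (Test-ADServiceAccount -Identity 'MSA1')) {
    throw 'StorageServer cannot retrieve the MSA1 password; re-check the assignment in Part 1.'
}

# IIS App Pool: the same settings as the GUI steps (custom account, "$" suffix,
# blank password). identityType 3 = SpecificUser in the WebAdministration provider.
Import-Module WebAdministration
Set-ItemProperty 'IIS:\AppPools\MyAppPool' -Name processModel `
    -Value @{ identityType = 3; userName = 'geektoodeep\MSA1$'; password = '' }
Restart-WebAppPool -Name 'MyAppPool'

# Windows service: the same as the Log On tab, done through Win32_Service.Change.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'MyService'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = 'geektoodeep\MSA1$'; StartPassword = '' }
if ($result.ReturnValue -ne 0) { throw "Service logon change failed: $($result.ReturnValue)" }
Restart-Service -Name 'MyService'
```

Part 1 and Part 2 run on different machines, so execute them as two separate scripts; the Test-ADServiceAccount check in Part 2 is the quickest way to confirm the assignment from Part 1 took effect.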

Troubleshooting tips:
Most services do not require administrative rights to start, but some may. If the service requires administrative/privileged rights, add the MSA account to the appropriate group, such as Administrators, and prefer the least-privileged group that actually satisfies the service.
The following cmdlet adds the MSA1 account to the Domain Admins group, for demonstration purposes only:
Add-ADGroupMember -Identity 'domain admins' -Members 'CN=MSA1,CN=Managed Service Accounts,DC=GeekTooDeep,DC=local'

That's all Geeks... Hope this helps you.