Running Secret Server IIS Application Pool with a Service Account

To run the Secret Server IIS Application Pool with a Service Account:

  • Create a local user or domain user
  • Open IIS

Change the identity of your application pool in IIS

  • Locate the application pool that Secret Server is using
  • Right click on it
  • Click “advanced settings”
  • Click the “Identity” box in the “Process Model” section
  • Click the three dots on the right of the box
  • Click the “Custom Account” radio button
  • Click “Set”
  • Enter your service account name and password
  • Click “OK”

Open the command console

  • Change the directory to your .NET framework installation directory using the "cd" command
    (e.g. “C:\Windows\Microsoft.NET\Framework\v4.0.30319” or “C:\Windows\Microsoft.NET\Framework64\v4.0.30319”)
  • Type in ".\aspnet_regiis -ga <domain name>\<user name>"
  • Press enter
  • Replace the fields with the relevant values, omitting the domain name parameter for local accounts
  • Give your service account “modify” access to C:\Windows\TEMP
  • Give your service account “read & execute”, “list folder contents”, and “read” permissions on the file folder where Secret Server is installed (typically c:\inetpub\wwwroot\SecretServer). If you choose to not give it “write” and “modify” access, you will need another account for the installation process.

Grant batch logon permissions to your service account with one of the following:

  • For a local policy, open the Local Security Policy Console, expand “Local Policies”, click on “User Rights Assignment”, right click on “Log on as a batch job”, click “properties”, click “Add User or Group”, and add your service account, then click “OK”. You can also do this for a domain user if you do not want to add these rights to the Default Domain Policy as described in the next bullet point.
  • For a domain wide policy, log on to your domain controller, open the Group Policy Management Console, right click on “Default Domain Policy” under your domain (or create a new policy), click edit, expand “Computer Configuration”, expand “Policies”, expand “Windows Settings”, expand “Security Settings”, expand “Local Policies”, click on “User Rights Assignment”, right click on “Log on as a batch job”, click “properties”, check the “define these policy settings” box, add your service account, and click “OK”.

NOTE: If you utilise Group Policy to enforce the “Log on as a batch job” and have group managed service accounts, this will overwrite any local permissions to the “Log on as a batch job” on all computers that have the policy applied. Utilising the local security policy is a safer option if you are not sure about your usage across your domain.

  • Grant “Impersonate a client after authentication” permission to the service account under “User Rights Assignment” the same way “Log on as a batch job” was assigned above.
  • If you now get a “Service Unavailable” error after applying the “Log on as a batch job” permission, you need to refresh your group policy settings (open the command console and type in gpupdate /force) and restart the Windows Process Activation Service.
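The whole procedure above as one elevated PowerShell script (an added example, not part of the Idency article). It takes the local security policy route from the note above rather than a GPO; the pool name, account and install path are placeholders, it assumes the WebAdministration module and the 64-bit .NET 4.x folder, and it grants only read & execute on the install folder, so a separate account is still needed for the installation itself.

```powershell
# Added example, not from the Idency article. Run from an elevated PowerShell.
# Assumptions: WebAdministration module present, 64-bit .NET 4.x, placeholder names below.
param(
    [string]$PoolName       = 'SecretServer',               # placeholder pool name
    [string]$ServiceAccount = 'CORP\svc-secretserver',      # local accounts: omit the domain part
    [string]$InstallPath    = 'C:\inetpub\wwwroot\SecretServer'
)
$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'

# 1. Point the application pool at the custom account (identityType 3 = SpecificUser).
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    userName     = $ServiceAccount
    password     = $cred.GetNetworkCredential().Password
    identityType = 3
}

# 2. The "aspnet_regiis -ga" step: grant the account the ASP.NET/IIS access it needs.
& "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -ga $ServiceAccount

# 3. NTFS rights: Modify on C:\Windows\TEMP; Read & Execute (includes List and Read) on the install folder.
icacls "$env:windir\TEMP" /grant "${ServiceAccount}:(OI)(CI)M"
icacls $InstallPath      /grant "${ServiceAccount}:(OI)(CI)RX"

# 4. Local user rights via secedit: SeBatchLogonRight = "Log on as a batch job",
#    SeImpersonatePrivilege = "Impersonate a client after authentication".
$sid = (New-Object Security.Principal.NTAccount($ServiceAccount)).Translate(
           [Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
foreach ($right in 'SeBatchLogonRight', 'SeImpersonatePrivilege') {
    if ($lines -match "^$right\s*=") {
        # Append our SID to the existing assignment unless it is already listed.
        $lines = $lines | ForEach-Object {
            if ($_ -match "^$right\s*=" -and $_ -notlike "*$sid*") { "$_,*$sid" } else { $_ }
        }
    } else {
        $lines += "$right = *$sid"   # [Privilege Rights] is the last section in the export
    }
}
Set-Content $cfg $lines -Encoding Unicode
secedit /configure /db "$env:TEMP\user-rights.sdb" /cfg $cfg /areas USER_RIGHTS /quiet
Remove-Item $cfg, "$env:TEMP\user-rights.sdb" -ErrorAction SilentlyContinue

# 5. Refresh policy and restart WAS (which also stops W3SVC) so the pool picks up the new rights.
gpupdate /force
Restart-Service WAS -Force
Start-Service W3SVC
```

If the rights are enforced by a GPO instead, the local edit in step 4 will be overwritten at the next policy refresh, as the note above warns.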

For more information and general guidance on our products & services, please contact us.

Send a Support Request to The Idency Support Team