This article gives the instructions for granting ASP.NET permissions to a domain (or local) service account. See the
Using Windows Authentication article for more information and details on how to use the service account for Windows Authentication.
To run the Secret Server IIS Application Pool under a service account, follow these steps:
- Create a local user or domain user to serve as the service account.
- Open IIS Manager (start->run->inetmgr->OK).
- Either configure Secret Server to impersonate your service account (available in Secret Server version
6.2.000011 or later),
OR
change the identity of the application pool that Secret Server runs in:
  - For IIS 6 (Windows XP, Server 2003), locate
the application pool that Secret Server is using, right-click it,
click "Properties", click the "Identity" tab, select the "Configurable"
radio button, enter the service account user name and password, and click
"OK".
  - For IIS 7 and later (Windows Vista, Windows 7, Server 2008),
locate the application pool that Secret Server is using, right-click
it, click "Advanced Settings", click the "Identity" box in the "Process
Model" section, click the ellipsis (...) button to the right of the box, select the
"Custom Account" radio button, click "Set", enter your service account
name and password, and click "OK".
- Open an elevated command prompt (start->run->cmd, run as administrator).
- Change to the installation directory of the .NET Framework version that your application
pool runs, using the "cd" command. For a .NET 2.0/3.5 pool this is
usually "C:\Windows\Microsoft.NET\Framework\v2.0.50727" or
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727" (use the Framework64 directory for a 64-bit application pool; a .NET 4.x pool uses the v4.0.30319 directory instead).
- Type "aspnet_regiis -ga <domain name>\<user
name>" and press Enter. Replace the placeholders with your values; for a local account,
omit the domain name and the backslash. The -ga switch grants the account the ACLs ASP.NET needs on the IIS metabase and on the directories ASP.NET uses (for example Temporary ASP.NET Files).
- Give your service account "Modify" access to C:\Windows\TEMP.
- Give your service account "Read & execute", "List folder
contents", and "Read" permissions on the folder where Secret Server is installed (typically C:\inetpub\wwwroot\SecretServer). Withholding
"Write" and "Modify" on this folder is the least-privilege choice for normal operation, but the installer and upgrades need to write there, so in that case you will need another account
that has those rights for the installation process.
- Grant the "Log on as a batch job" right to your service account (IIS worker processes require it to start).
  - For a domain user, log on to your domain controller, open
the Group Policy Management Console (start->run->gpmc.msc->OK),
right-click the Group Policy Object that applies to the web server (this article uses "Default Domain Policy" under your domain; a GPO linked only to the web server's OU keeps the change off every other machine in the domain), click "Edit",
expand "Computer Configuration", expand "Policies", expand "Windows
Settings", expand "Security Settings", expand "Local Policies", click
"User Rights Assignment", right-click "Log on as a batch job", click
"Properties", check the "Define these policy settings" box, add your
service account, and click "OK". Note that a defined User Rights Assignment setting replaces the list on the target machines rather than adding to it, so also include the accounts that hold the right by default (for example IIS_IUSRS on IIS 7 and IIS_WPG on IIS 6), or the other application pools on the server will lose it.
  - For a local user, open the Local Security Policy console
(start->run->secpol.msc->OK), expand "Local Policies", click
"User Rights Assignment", right-click "Log on as a batch job", click
"Properties", click "Add User or Group", add your
service account, and click "OK". (The "Define these policy settings" check box exists only in the Group Policy editor, not in the local console.) If the web server is domain-joined and a domain GPO defines this right, the local setting is overridden, so make the change in the GPO instead.
- If Secret Server returns "Service Unavailable" (HTTP 503) after the "Log on as a batch job" change, the worker process has not yet picked up the new right: refresh your group policy settings
(start->run->cmd, then type gpupdate /force) and restart the Windows
Process Activation Service (WAS), which also restarts the World Wide Web Publishing Service (W3SVC). Then confirm that the application pool is started and that its w3wp.exe process runs as the service account.
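The steps above, carried out from PowerShell on an IIS 7 or later host, as an added example that is not part of the original article or of Secret Server itself. The account name, application pool name, install folder and framework directory are assumptions for this example; adjust them to your environment. The batch-logon step here edits the local security policy with secedit, which corresponds to the "local user" branch above; for a domain account whose rights are governed by a GPO, set the right in that GPO as described above instead.

```powershell
# Added example, not from the original article: applies the article's steps on an
# IIS 7+ host with PowerShell. Run from an elevated prompt. The account, pool name,
# install folder and framework directory below are assumptions for this example.
param(
    [string]$Account      = 'CONTOSO\svc-secretserver',         # assumed service account
    [string]$AppPool      = 'SecretServer',                     # assumed application pool name
    [string]$InstallDir   = 'C:\inetpub\wwwroot\SecretServer',  # default install folder
    # v2.0.50727 for a .NET 2.0/3.5 pool, v4.0.30319 for .NET 4.x; Framework64 for a 64-bit pool
    [string]$FrameworkDir = "$env:windir\Microsoft.NET\Framework64\v2.0.50727"
)
$ErrorActionPreference = 'Stop'
$cred = Get-Credential -Credential $Account      # prompts for the service account password

# 1. Change the application pool identity to the service account.
#    (On Server 2008 RTM the IIS provider is a snap-in: Add-PSSnapin WebAdministration.)
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    userName     = $Account
    password     = $cred.GetNetworkCredential().Password
    identityType = 3                             # 3 = SpecificUser
}

# 2. aspnet_regiis -ga: grants the account the ACLs ASP.NET needs (IIS metabase,
#    Temporary ASP.NET Files, ...). Run it from the framework version the pool uses.
& (Join-Path $FrameworkDir 'aspnet_regiis.exe') -ga $Account
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -ga failed (exit code $LASTEXITCODE)" }

# 3. NTFS rights. M = Modify; RX = Read & execute, which also covers List folder
#    contents and Read. (OI)(CI) makes the grant inherit to files and subfolders.
#    Write/Modify on the install folder is deliberately NOT granted (least privilege);
#    run installers and upgrades under an account that has it.
icacls "$env:windir\TEMP" /grant "${Account}:(OI)(CI)M"
icacls $InstallDir        /grant "${Account}:(OI)(CI)RX"

# 4. "Log on as a batch job" (SeBatchLogonRight) in the *local* security policy via
#    secedit. A domain GPO that defines this right overrides the local value, so on a
#    domain-joined server set it in that GPO instead.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$work = Join-Path $env:TEMP 'batchlogon'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$exported = Join-Path $work 'current.inf'
secedit /export /cfg $exported /areas USER_RIGHTS | Out-Null
$lines = Get-Content $exported
$rightLine = $lines | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
if ($rightLine -and $rightLine -like "*$sid*") {
    Write-Host "$Account already holds SeBatchLogonRight"
} elseif ($rightLine) {
    # A configured list REPLACES the existing grantees (IIS_IUSRS, Administrators, ...),
    # so append to the exported list instead of writing only the new SID.
    $lines = $lines -replace '^(SeBatchLogonRight\s*=.*)$', "`$1,*$sid"
} else {
    $lines = $lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeBatchLogonRight = *$sid"
}
$template = Join-Path $work 'batchlogon.inf'
Set-Content -Path $template -Value $lines -Encoding Unicode
secedit /configure /db (Join-Path $work 'batchlogon.sdb') /cfg $template /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed; see $env:windir\security\logs\scesrv.log" }

# 5. Pick up the new right and make sure the pool is running. A pool whose identity
#    cannot log on is stopped by IIS and requests get HTTP 503 "Service Unavailable".
gpupdate /force | Out-Null
Restart-Service WAS -Force                       # -Force also restarts W3SVC, which depends on WAS
if ((Get-WebAppPoolState -Name $AppPool).Value -ne 'Started') { Start-WebAppPool -Name $AppPool }

# 6. Verify: the configured identity, and the account each running worker process (w3wp.exe) uses.
(Get-Item "IIS:\AppPools\$AppPool").processModel.userName
Get-WmiObject Win32_Process -Filter "Name='w3wp.exe'" |
    ForEach-Object { $o = $_.GetOwner(); "$($_.ProcessId) $($o.Domain)\$($o.User)" }
```

The secedit step exports only the USER_RIGHTS area and appends the account's SID to the existing SeBatchLogonRight grantees before re-importing; writing the template with just the new account would strip the right from IIS_IUSRS and the other default holders, which is the same pitfall as defining the setting in a GPO without including the defaults. The final listing of w3wp.exe owners is the quickest check that the pool is actually running under the service account after the restart.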
Article ID: 94, Created On: 6/16/2010, Modified: 2/7/2012