Archive for the ‘IIS’ Category

Using Group Managed Service Accounts with IIS 10 on Server 2016

July 5, 2017

Application pools that run as NetworkService have the nice property that no password is needed: the pool runs with the credentials of the web server's machine account, which is a domain account whose password is managed automatically.

To access resources on the network, the web server's machine account must be granted access at the destination, and everything works securely with Windows authentication or Kerberos.

This approach is good enough if the scenario is limited to one application per server, because the moment you need another application with different security requirements, it fails.

Let's assume there are two web apps on the machine, each with its own SQL Server database, and neither should be allowed to access the other one's data.

If Windows authentication is to be used, this scenario only works with custom domain accounts.

Only with two different accounts and two application pools can access to each database be limited to the one matching application pool.

But then someone has to manage these domain passwords and make sure that they do not expire, yet are still changed from time to time. A tedious task, and the passwords are probably distributed across the company, hopefully in a secure way and not inside XLS or text files…

Another way with Server 2016 is to use Group Managed Service Accounts (gMSA).

This requires that the Active Directory schema is at level 2012 R2; only then can the feature “Group Managed Service Accounts” be used.

Set up a Group Managed Service Account

Log in to the DC:

Enable gMSA globally on the domain

– for lab environments we use the switch -EffectiveTime, so that we don't have to wait the 10 hours that normally ensure AD replication is complete.

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

This will usually be done by the Active Directory team in your environment.

Open Server Manager => Tools => Active Directory Administrative Center

Add a new global security group named gMSAGroup

Go to AD Admin Center and search for the newly created group (gMSAGroup)

OR: use PowerShell and first install the PowerShell AD modules

Install-WindowsFeature -Name RSAT-AD-PowerShell

Then create the global security group using

New-ADGroup -Name "gMSAGroup" -Path "OU=XYZ,DC=mydomain,DC=com" -GroupCategory Security -GroupScope Global

Right-click the gMSAGroup entry and add all the member servers which should be able to use the Group Managed Service Account IIS1Svc

or use PowerShell:

Add-ADGroupMember "gMSAGroup" -Members "Server1$", "Server2$"

After adding all the member servers to gMSAGroup, they must be rebooted! (The group membership only becomes effective in the server's Kerberos ticket after a reboot.)

Create the first gMSA account on the DC (name max 15 chars):

New-ADServiceAccount IIS1Svc -DNSHostName <DNSHostName> -PrincipalsAllowedToRetrieveManagedPassword gMSAGroup

Optionally use -Path to define where the account should be placed in the domain structure, e.g.:
-Path "OU=OUXy,DC=mydomain,DC=com"

Check in AD Admin Center that the account is visible.

Switch to the member server (HSW2K12R2Web1)

Install on the member servers: Remote Server Administration Tools via Server Manager to get the Active Directory module for Windows PowerShell

OR with PowerShell: Install-WindowsFeature -Name RSAT-AD-PowerShell

Open an elevated PowerShell console and run

Install-ADServiceAccount IIS1Svc

If the error is “access denied”, make sure that the member server was added to gMSAGroup and was rebooted afterwards!

Create a new AppPool in InetMgr:

Use this Group Managed Service Account as the pool identity: append “$” to the account name and leave the password empty.

Use this account for a web application.

When this web application accesses a resource on another computer, it will then use this gMSA.
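As an added example (not part of the original post), the following PowerShell script for the member server does the last steps above without the GUI: it binds two application pools to two different gMSAs and assigns each site to its own pool, so that each SQL Server database can be restricted to exactly one pool identity. It assumes a second account IIS2Svc was created the same way as IIS1Svc, that both were installed on this server with Install-ADServiceAccount, and that the sites Site1 and Site2 already exist in IIS.

```powershell
# Added example, not part of the original post. Assumes the gMSAs IIS1Svc and IIS2Svc
# exist in domain "mydomain" and are installed on this server, and that the IIS sites
# Site1 and Site2 already exist. Run in an elevated PowerShell console on the web server.
Import-Module ActiveDirectory
Import-Module WebAdministration

function Set-GmsaAppPool {
    param(
        [Parameter(Mandatory)][string]$PoolName,
        [Parameter(Mandatory)][string]$Account,   # 'mydomain\IIS1Svc$' (the trailing $ is required)
        [Parameter(Mandatory)][string]$SiteName
    )
    if (-not $Account.EndsWith('$')) {
        throw "gMSA names must be given with the trailing '`$' (got '$Account')"
    }
    # Test-ADServiceAccount is $true only if this host can retrieve the managed password,
    # i.e. it is a member of gMSAGroup, was rebooted and Install-ADServiceAccount succeeded.
    $sam = ($Account -split '\\')[-1].TrimEnd('$')
    if (-not (Test-ADServiceAccount -Identity $sam)) {
        throw "gMSA '$sam' is not usable on this server (check gMSAGroup membership, then reboot)"
    }
    if (-not (Test-Path "IIS:\AppPools\$PoolName")) {
        New-WebAppPool -Name $PoolName | Out-Null
    }
    # identityType 3 = SpecificUser. The password stays empty: AD hands it to the host.
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
        identityType = 3
        userName     = $Account
        password     = ''
    }
    # Bind the site to this pool, so the app runs only under this identity.
    Set-ItemProperty "IIS:\Sites\$SiteName" -Name applicationPool -Value $PoolName
}

Set-GmsaAppPool -PoolName 'App1Pool' -Account 'mydomain\IIS1Svc$' -SiteName 'Site1'
Set-GmsaAppPool -PoolName 'App2Pool' -Account 'mydomain\IIS2Svc$' -SiteName 'Site2'

# Audit: list every pool that runs as a specific user, to spot two apps sharing one account.
Get-ChildItem IIS:\AppPools |
    Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
    Select-Object Name, @{ n = 'User'; e = { $_.processModel.userName } } |
    Format-Table -AutoSize
```

On the SQL Server side, create the login for each pool as the computer-style name of its gMSA (for example mydomain\IIS1Svc$) and grant it only its own database.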


More info:

Categories: IIS, Server 2016

Using Docker on Windows 10 or Server 2016

July 2, 2017

Docker support comes in two different flavors on Windows:

  • Windows Container
  • Hyper-V Container

Both flavors can use the same images, but Hyper-V containers deliver more isolation between the containers (each runs inside its own lightweight VM with its own kernel).

Hyper-V containers need Hyper-V support and are therefore currently not usable in Azure, until the upcoming “nested virtualization” feature is broadly available.

The two flavors differ in this environment requirement and in the additional start-up switch --isolation=hyperv, passed when starting an image with a command line like this (the switch must come before the image name, otherwise docker treats it as the command to run inside the container):

docker run -d --name <myIISContainerName> -h <MyIISHostname> -p 80:80 --isolation=hyperv microsoft/iis

More about the differences here:

Docker Installation

Installing Hyper-V Container on Windows 10:

Install Docker (Windows Container) on Server 2016

Installing the Containers feature using Server Manager is not enough! The following PowerShell commands must be executed:

  • Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
  • Install-Package -Name docker -ProviderName DockerMsftProvider
  • Restart-Computer -Force
  • SConfig ==> Option 5 to install updates

Install Windows Server 2016 on Azure

Add a VM based on “Windows Server 2016 Datacenter – with Containers”

Docker is already included, and a few base images are also present.

Define the terms image and container

The term image is used for a prepared environment, which can be started multiple times.

Each instance started from it creates a container, which runs with its own IP and is completely separated, like a unique machine with its own machine name.

Note: image names must be all lowercase!

Docker commands

List locally available images:

docker images

List publicly available images from Microsoft:

Some of the images with a short description:

  • Can run IIS and .NET Core, but not the full .NET Framework!
    Small download size of about 800 MB
  • Can run all kinds of roles, but without GUI support
    Able to run IIS, SQL, …
    Download size about 8 GB
  • Based on Windows Server Core including IIS
    RUN powershell -Command Add-WindowsFeature Web-Server

    To use the .NET Framework inside IIS, the following features must be added:
    RUN powershell -Command Add-WindowsFeature NET-Framework-45-ASPNET
    RUN powershell -Command Add-WindowsFeature Web-Asp-Net45
    ==> add to the dockerfile, see section “Create new images using dockerfile”

The following images contain the full .NET Framework, but NO IIS:

  • microsoft/dotnet-framework:3.5
  • microsoft/dotnet-framework:4.6.2
  • microsoft/dotnet-framework:4.7

Run a docker image interactively

docker run -it <nameOfImage> <cmdToExecute>

docker run -it microsoft/iis cmd

Run a docker image in the background

docker run -d --name <nameOfContainer> -h <HostName> -p <HostPort>:<ContainerPort> <nameOfImage>

docker run -d --name MyIIS1 -h MyIIS1 -p 80:80 microsoft/iis

Run a docker image in the background using Hyper-V isolation

docker run -d --name <nameOfContainer> -h <HostName> -p <HostPort>:<ContainerPort> --isolation=hyperv <nameOfImage>

All container processes are listed in the host's Task Manager with a job Task ID, which is unique per container.

Port handling

-p defines a port which listens on the host and is forwarded to the container.

Local firewall and Azure Network Security Group rules must be adjusted!

List local docker containers with status

docker ps -a

Run a cmd inside a running container

docker exec -i <NameOfContainer> <CmdName>

docker exec -i MyIIS1 cmd

Check the IP address of a running container from PowerShell

docker inspect --format '{{ .NetworkSettings.Networks.nat.IPAddress }}' myIIS
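An added example (not part of the original post) that ties the isolation, port handling and inspect steps above together: for every running container it reports the isolation mode, the nat IP and the published host ports, and with -OpenFirewall it creates the inbound Windows firewall rule per published port that the post says must be adjusted by hand. It assumes docker.exe is on the PATH and the NetSecurity module (Server 2016 / Windows 10) is present; the rule names are my own convention.

```powershell
# Added example, not part of the original post. Lists each running container's isolation
# mode, nat IP and published ports; with -OpenFirewall it adds one narrow inbound
# Windows firewall rule per published host port (rule naming is an assumption).
function Get-ContainerExposure {
    param([switch]$OpenFirewall)
    foreach ($id in @(docker ps -q)) {
        $name = (docker inspect --format '{{.Name}}' $id).TrimStart('/')
        $iso  = docker inspect --format '{{.HostConfig.Isolation}}' $id   # process, hyperv or default
        $ip   = docker inspect --format '{{.NetworkSettings.Networks.nat.IPAddress}}' $id
        # PortBindings maps "80/tcp" to a list of host bindings; emit "80/tcp=80;" per entry.
        $tmpl = '{{range $c, $h := .HostConfig.PortBindings}}{{$c}}={{(index $h 0).HostPort}};{{end}}'
        $bind = docker inspect --format $tmpl $id
        $ports = foreach ($entry in ($bind -split ';' | Where-Object { $_ })) {
            $cPort, $hPort = $entry -split '='
            $proto = ($cPort -split '/')[1].ToUpper()      # TCP or UDP, taken from the binding itself
            if ($OpenFirewall) {
                $rule = "Docker $name $proto $hPort"
                if (-not (Get-NetFirewallRule -DisplayName $rule -ErrorAction SilentlyContinue)) {
                    # One rule per published port and protocol, not a blanket allow for the container.
                    New-NetFirewallRule -DisplayName $rule -Direction Inbound -Protocol $proto `
                        -LocalPort ([int]$hPort) -Action Allow | Out-Null
                }
            }
            "$hPort->$cPort"
        }
        [pscustomobject]@{
            Name      = $name
            Isolation = $iso
            IP        = $ip
            Ports     = $ports -join ', '
        }
    }
}

Get-ContainerExposure | Format-Table -AutoSize
```

Run it once without -OpenFirewall to review which ports each container really publishes; on Azure the matching Network Security Group rule still has to be added separately.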

More inspect commands:

Stop a running container

docker stop <nameOfContainer>

docker stop MyIIS1

Remove a stopped container

docker rm <NameOfContainer>

docker rm MyIIS1

Remove a local image

docker rmi <imagename>

docker rmi microsoft/iis

Create a new docker image from an existing container

Make sure that the container is stopped

docker commit <ContainerName> <newimagename>

Save a docker image without a docker repository

docker save -o c:\temp\myimage.tar <imagename>

Display image history

docker history <imagename>

Create your own Docker Registry

Create new images using dockerfile

New base image which includes the ASP.NET 4.5 Framework and WebDeploy

Let's define a new image based on microsoft/iis, which also runs .NET and allows remote installation using WebDeploy.

The name of our new image should be webdeployimage (names must be all lowercase!)

To include WebDeploy functionality, we need to download the WebDeploy MSI from here:

The resulting downloaded file is named WebDeploy_amd64_en-US.msi

Let's copy this file to c:\temp\WebDeployImage

Create a text file named dockerfile in the same directory with the content below.

A dockerfile is a list of docker commands which will be executed on every startup of the container image.

FROM microsoft/iis

RUN powershell -Command Add-WindowsFeature NET-Framework-45-ASPNET
RUN powershell -Command Add-WindowsFeature Web-Asp-Net45

ADD WebDeploy_amd64_en-US.msi /temp/

RUN msiexec /i c:\temp\WebDeploy_amd64_en-US.msi /qn

Note that the destination path of the ADD command uses the Unix-style / and not \.

Now build the new image using this command, where the path points to the directory containing the dockerfile:

docker build -t webdeployimage C:\temp\WebDeployImage

After this, a new image named webdeployimage should be listed by docker images.

Another new image based on webdeployimage which includes MyDockerSampleWebApp

Create a WebDeploy package from any existing .NET app on your IIS using Export from IIS Manager. This will result in a zip file named in this example.

Create a new directory c:\temp\MyDockerSampleWebApp and there create this dockerfile:

FROM webdeployimage

ADD /

RUN Powershell -Command "Add-PSSnapin WDeploySnapin3.0; Restore-WDPackage -Package c:\

Now build the new image using this command, where the path points to the directory containing the dockerfile:

docker build -t mydockersamplewebappimage C:\temp\MyDockerSampleWebApp

After this, a new image named mydockersamplewebappimage should be listed by docker images.

Now run a new container using this image

docker run -d --name sampleapp1 -h sampleapp1 -p 80:80 mydockersamplewebappimage

Access your host machine now using the given port (in this example 80).

Note: you have to make sure that the host port is available and not used by another instance or by the local IIS.

Add Remote Management to a Docker image based on microsoft/iis

docker run -d --name iis1 -h iis1 -v c:/shared:c:/shared microsoft/iis
docker exec -i iis1 powershell

Install-WindowsFeature -Name Web-Server -IncludeManagementTools
Dism /online /enable-feature /featurename:IIS-ManagementService /all

# Enable remote access
New-ItemProperty -Path HKLM:\software\microsoft\WebManagement\Server -Name EnableRemoteManagement -Value 1 -Force

net user AdminUser P@ssw0rd1 /ADD
net localgroup administrators AdminUser /add

net start wmsvc

ipconfig will return the IP of the docker container.

Now switch back to the Docker host or any other machine in the network which has the IIS Management Console installed, and connect to this container using the IP address and the username/password defined above.

Categories: Docker, IIS, Server 2016, Windows 10