IIS Configuration

After the installation is complete, review the following IIS settings.

Application Pool Identity

By default the Application Pool runs as LocalSystem. To meet security requirements, the pool identity can be changed to ApplicationPoolIdentity, a dedicated service account, or a group Managed Service Account (gMSA). The recommended configuration is to create a gMSA and use it as the Application Pool identity.

When this account is changed, the following permissions need to be reviewed:

  1. db_owner (dbo) access to the ARKSSPR database on SQL Server.

  2. If a separate account will not be used for LDAP connections, the Active Directory permissions granted to the pool account:

    • Password Reset
    • Account unlocking
    • Read access to the Active Directory attribute where the phone number is registered
    • Replicate Directory Changes
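The identity change described above, as an added PowerShell example that is not part of the ARKSSPR documentation. It assumes the Application Pool is named ARKSSPR, that the gMSA is DOMAIN\GMSA$ (placeholder), that the RSAT Active Directory module is installed on the IIS host, and that the host has been granted the right to retrieve the gMSA password. It switches the pool from LocalSystem to the gMSA and then reads the setting back to confirm the change.

```powershell
# Added example (not from the ARKSSPR documentation): move the ARKSSPR
# Application Pool from LocalSystem to a gMSA and verify the result.
# Assumed names: pool 'ARKSSPR', gMSA 'DOMAIN\GMSA$' (placeholder).
#Requires -RunAsAdministrator
Import-Module WebAdministration
Import-Module ActiveDirectory    # RSAT AD PowerShell tools on the IIS host

$poolName = 'ARKSSPR'
$gmsa     = 'DOMAIN\GMSA$'       # placeholder: replace with your gMSA

# 1. The IIS host must be able to retrieve and use the gMSA password.
#    Test-ADServiceAccount checks exactly that for the local computer.
$samName = (($gmsa -split '\\')[-1]).TrimEnd('$')
if (-not (Test-ADServiceAccount -Identity $samName)) {
    Install-ADServiceAccount -Identity $samName
    if (-not (Test-ADServiceAccount -Identity $samName)) {
        throw "gMSA $gmsa is not usable on this host; check PrincipalsAllowedToRetrieveManagedPassword."
    }
}

# 2. Point the pool at the gMSA. The password stays empty because Windows
#    retrieves it from Active Directory; nothing is stored in applicationHost.config.
$poolPath = "IIS:\AppPools\$poolName"
Set-ItemProperty $poolPath -Name processModel.identityType -Value 'SpecificUser'
Set-ItemProperty $poolPath -Name processModel.userName     -Value $gmsa
Set-ItemProperty $poolPath -Name processModel.password     -Value ''
Restart-WebAppPool -Name $poolName

# 3. Verify: identityType must no longer be LocalSystem and userName must be the gMSA.
$pm = Get-ItemProperty $poolPath -Name processModel
[pscustomobject]@{
    Pool         = $poolName
    IdentityType = $pm.identityType
    UserName     = $pm.userName
}
```

Run the script on the IIS host itself, because Test-ADServiceAccount and Install-ADServiceAccount operate on the local computer's ability to use the gMSA. After the pool restarts, the SQL Server and Active Directory permissions listed above must be granted to the gMSA rather than to the computer account.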

SQL Server Permissions

[IIS AppPool\ARKSSPR] is the login name used when the Application Pool named ARKSSPR runs as ApplicationPoolIdentity.

--Grant db_owner to the ApplicationPoolIdentity account
USE [master]
GO
-- Server-level login for the virtual account of the Application Pool.
-- This name is only valid when SQL Server runs on the same host as IIS;
-- a remote SQL Server sees the pool as the computer account DOMAIN\HOST$.
CREATE LOGIN [IIS AppPool\ARKSSPR] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]
GO
USE [ARKSSPR]
GO
-- Map the login to a database user, then add the user to the db_owner role.
-- (ALTER AUTHORIZATION ON SCHEMA::[db_owner] only changes the owner of the
-- db_owner schema and does not grant role membership.)
CREATE USER [IIS AppPool\ARKSSPR] FOR LOGIN [IIS AppPool\ARKSSPR]
GO
ALTER ROLE [db_owner] ADD MEMBER [IIS AppPool\ARKSSPR]
GO

Replace DOMAIN, GMSA$ and the database name in the script with your own values.

--Grant db_owner to the GMSA account
USE [master]
GO
CREATE LOGIN [DOMAIN\GMSA$] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]
GO
USE [ARKSSPR]
GO
-- Map the login to a database user, then add the user to the db_owner role.
CREATE USER [DOMAIN\GMSA$] FOR LOGIN [DOMAIN\GMSA$]
GO
ALTER ROLE [db_owner] ADD MEMBER [DOMAIN\GMSA$]
GO
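A check for the permissions granted by the two scripts above, as an added PowerShell example that is not part of the ARKSSPR documentation. It assumes the SqlServer PowerShell module is installed, and uses the placeholder instance name SQL01, the database ARKSSPR and the account DOMAIN\GMSA$. It confirms that a login exists, that it is mapped to a user in the ARKSSPR database with db_owner membership, and warns if the account also holds sysadmin, which the application does not need.

```powershell
# Added example (not from the ARKSSPR documentation): verify least-privilege
# SQL access for the Application Pool account.
# Placeholders: instance 'SQL01', database 'ARKSSPR', account 'DOMAIN\GMSA$'.
Import-Module SqlServer

$instance = 'SQL01'
$database = 'ARKSSPR'
$account  = 'DOMAIN\GMSA$'

# The account name is passed as a sqlcmd variable instead of being spliced into the query text.
$loginQuery = @'
SELECT name, IS_SRVROLEMEMBER('sysadmin', name) AS IsSysadmin
FROM   sys.server_principals
WHERE  name = N'$(acct)';
'@
$roleQuery = @'
SELECT r.name AS RoleName
FROM   sys.database_principals u
JOIN   sys.database_role_members rm ON rm.member_principal_id = u.principal_id
JOIN   sys.database_principals r    ON r.principal_id = rm.role_principal_id
WHERE  u.name = N'$(acct)';
'@

# 1. Server level: the login must exist; sysadmin is more than db_owner requires.
$login = Invoke-Sqlcmd -ServerInstance $instance -Database 'master' `
                       -Query $loginQuery -Variable "acct=$account"
if (-not $login) { throw "No Windows login for $account on $instance" }
if ([int]$login.IsSysadmin -eq 1) {
    Write-Warning "$account is a member of sysadmin; db_owner on $database is sufficient"
}

# 2. Database level: a user mapped to the login must be a member of db_owner.
$roles = Invoke-Sqlcmd -ServerInstance $instance -Database $database `
                       -Query $roleQuery -Variable "acct=$account"
if (-not $roles) { throw "$account is not mapped to a user in $database, or has no role membership" }
if ('db_owner' -notin @($roles.RoleName)) { throw "$account lacks db_owner in $database" }

"$account has db_owner in $database (roles: $(@($roles.RoleName) -join ', '))"
```

The same two queries work for the ApplicationPoolIdentity variant by setting $account to 'IIS AppPool\ARKSSPR'. A missing row from the second query is the typical symptom of a login that was created but never mapped to a database user.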

HTTP/S Bindings and Certificate

The address that users will use to reach the site must be set on the site bindings screen. If only ARKSSPR is published from this server, entering binding details (host name, IP address) is not mandatory. HTTP access is supported in SSL offloading scenarios.

The ARKSSPR server in the DMZ must be able to resolve the FQDN of the address it uses to connect to this server.

If ARKSSPR is to be published over HTTPS on this server, check the following two settings:

  1. HTTPS redirection with HSTS

  2. A trusted SSL certificate covering the FQDN, or a wildcard certificate
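The two HTTPS settings above, as an added PowerShell example that is not part of the ARKSSPR documentation. It assumes the site is named ARKSSPR and is published as sspr.example.com (placeholder), that the certificate is already installed in the local machine personal store, and that the server runs IIS 10 version 1709 or later, which carries the site-level hsts element used for the redirect. It selects a certificate that actually covers the FQDN (exact name or a single-label wildcard), binds it with SNI, then enables HSTS with HTTP-to-HTTPS redirection and reads the setting back.

```powershell
# Added example (not from the ARKSSPR documentation): certificate check,
# HTTPS binding and HSTS redirect for the ARKSSPR site.
# Placeholders: site 'ARKSSPR', FQDN 'sspr.example.com'.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$siteName = 'ARKSSPR'
$fqdn     = 'sspr.example.com'

# A SAN entry covers the name if it matches exactly, or is a wildcard
# for the same parent domain (one label only, as browsers enforce).
function Test-NameCovered([string]$name, [string[]]$dnsNames) {
    foreach ($d in $dnsNames) {
        if ($d -ieq $name) { return $true }
        if ($d.StartsWith('*.') -and $name -like $d -and
            $name.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

# 1. Pick a certificate with a private key, at least 30 days of validity left,
#    a SAN covering the FQDN, and a chain that validates to a trusted root.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date).AddDays(30) -and
        (Test-NameCovered $fqdn $_.DnsNameList.Unicode) -and
        $_.Verify()
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No trusted, unexpired certificate with a private key covers $fqdn" }

# 2. HTTPS binding on the FQDN with SNI (SslFlags 1), certificate attached.
if (-not (Get-WebBinding -Name $siteName -Protocol https -HostHeader $fqdn)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $fqdn -SslFlags 1
}
$binding = Get-WebBinding -Name $siteName -Protocol https -HostHeader $fqdn
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 3. HSTS with HTTP -> HTTPS redirect via the native site-level hsts element.
$hsts = "system.applicationHost/sites/site[@name='$siteName']/hsts"
$root = 'MACHINE/WEBROOT/APPHOST'
Set-WebConfigurationProperty -PSPath $root -Filter $hsts -Name enabled             -Value $true
Set-WebConfigurationProperty -PSPath $root -Filter $hsts -Name 'max-age'           -Value 31536000
Set-WebConfigurationProperty -PSPath $root -Filter $hsts -Name redirectHttpToHttps -Value $true

# 4. Read back what IIS will apply.
[pscustomobject]@{
    Site        = $siteName
    Certificate = $cert.Thumbprint
    Expires     = $cert.NotAfter
    Hsts        = Get-WebConfiguration -PSPath $root -Filter $hsts |
                  Select-Object enabled, 'max-age', redirectHttpToHttps
}
```

Apply the HSTS step only when this server terminates TLS itself. In the SSL offloading scenario mentioned above, the load balancer talks plain HTTP to the site, and a redirect to HTTPS on the server would loop or break the connection; in that case HSTS belongs on the device that terminates TLS.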
