IIS Configuration
After all the installations are completed, it is useful to check some settings on IIS.
Application Pool Identity
By default, the Application Pool is installed to run as LocalSystem. Depending on security requirements, the pool identity can instead be set to ApplicationPoolIdentity, a service account or a GMSA. The recommended configuration is to create a GMSA account and use it for the Application Pool.
When this account is changed, the following permissions need to be reviewed.
db_owner (dbo) access to the database on SQL
If a separate account will not be used for LDAP connections:
Password Reset
Account unlocking
Read access to the Active Directory attribute where the phone is registered
Replicate Directory Changes
SQL Server Permissions
[IIS AppPool\ARKSSPR] is the name of the Application Pool in ARKSSPR.
Change the Domain, GMSA$ and Database names in the script.
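The db_owner grant described above, written out as an added T-SQL example (this is not ARKSSPR's own script). CONTOSO, gmsa-arksspr$ and ARKSSPR_DB are placeholder names assumed for illustration; replace them with your domain, GMSA and database names.

```sql
-- Added example: placeholder names, replace before running.
--   CONTOSO\gmsa-arksspr$  -> your domain and GMSA (keep the trailing $)
--   ARKSSPR_DB             -> your ARKSSPR database name
-- If the pool runs as ApplicationPoolIdentity and SQL Server is on the same
-- host as IIS, use [IIS AppPool\ARKSSPR] as the principal name instead.

USE [master];
GO
-- 1. Server-level Windows login for the pool identity (safe to re-run).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\gmsa-arksspr$')
    CREATE LOGIN [CONTOSO\gmsa-arksspr$] FROM WINDOWS;
GO

USE [ARKSSPR_DB];
GO
-- 2. Database user mapped to that login.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\gmsa-arksspr$')
    CREATE USER [CONTOSO\gmsa-arksspr$] FOR LOGIN [CONTOSO\gmsa-arksspr$];
GO
-- 3. db_owner on this database only; no server role is granted.
ALTER ROLE [db_owner] ADD MEMBER [CONTOSO\gmsa-arksspr$];
GO

-- 4. Review: list every member of db_owner so a stale identity
--    (for example the previous pool account) can be spotted and removed.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;
GO

-- 5. Confirm the login holds no server-level role beyond public
--    (an empty result set is the expected outcome).
SELECT sp.name AS login_name, sr.name AS server_role
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS sr ON sr.principal_id = srm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = srm.member_principal_id
WHERE sp.name = N'CONTOSO\gmsa-arksspr$';
GO
```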
HTTP/S Bindings and Certificate
The address that users will access must be set on the site bindings screen. If only ARKSSPR is published on the server, entering binding information (Host name, IP Address) is not mandatory. HTTP access is supported in SSL Offloading scenarios.
The DMZ ARKSSPR Server must be able to resolve the FQDN in the address it uses to connect to this server.
If you want to publish ARKSSPR via HTTPS on this server, it is useful to check the following 2 settings.
HTTPS redirection with HSTS
Trusted SSL Certificate covering FQDN or wildcard