MBAM Web Application Pool

Duchemin, Dominique 2,006 Reputation points
2021-04-29T16:55:02.44+00:00

Hello,

For the SPN I found this article:
https://learn.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-how-to-secure-the-mbam-websites

Currently the Web Application Pool is running under the Identity “Network Service”; is it correct?
Should I create a service account for it?


I confirmed the LPO is correct versus the documentation.

If the above settings are correct the command would be, isn't it?
setspn -s https:/sccminternet.ad NetworkService
or
setspn -s default Web Site/Helpdesk VRPSCCMMS03$

VRPSCCMMS03 is the server hosting MBAM (the main one)

Thanks,
Dom


3 answers

  1. Jenny Feng 14,101 Reputation points
    2021-04-30T01:52:44.693+00:00

    @Duchemin, Dominique
    Hi,
    The correct Syntax is:
    SetSPN -s http/FQDN-Webserver Domain\appPooluser

    In addition, your app pool account needs the "Impersonate a client after authentication" and "Log on as a batch job" rights.

    Hope above information can help you.

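    A way to check, before running the SetSPN command above, that the SPN is registered on the same account the application pool actually runs as. This is an added example, not part of the thread or of Microsoft's MBAM documentation; it assumes the IIS WebAdministration module is present on the web server, and the pool name and FQDN are placeholders to replace.

```powershell
# Added example: verify that the Kerberos SPN for an IIS site sits on the
# principal the application pool authenticates as. Run elevated on the IIS host.
param(
    [string]$PoolName = 'MBAM Administration Service',  # placeholder pool name
    [string]$SiteFqdn = 'mbam.example.ad'               # placeholder web FQDN
)
Import-Module WebAdministration

$pool = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel

# Built-in identities (NetworkService, ApplicationPoolIdentity, LocalSystem)
# present the computer account on the network, so the SPN must be on COMPUTER$.
# Only a SpecificUser pool needs the SPN on a domain user (the Domain\appPooluser
# form from the answer above).
switch ($pool.identityType) {
    'SpecificUser' { $principal = $pool.userName }
    default        { $principal = "$env:COMPUTERNAME`$" }
}

# Kerberos uses the http service class for https sites as well.
$spn = "http/$SiteFqdn"
"Pool '$PoolName' runs as '$($pool.identityType)'; $spn belongs on $principal"

# 1. Is the SPN registered, and on which directory object?
$query = setspn -Q $spn 2>&1
if ($query -match 'No such SPN found') {
    "Not registered. Register it with: setspn -S $spn $principal"
} else {
    # CN of the owning object; for a user account the CN may differ from the
    # logon name, so compare it by eye against $principal.
    $owner = ($query | Where-Object { $_ -match '^CN=' }) -join '; '
    "Registered on: $owner  (expected principal: $principal)"
}

# 2. A duplicate SPN anywhere in the forest makes Kerberos fall back or fail
#    without an obvious error, so check for one explicitly.
$dups = setspn -X -F 2>&1 | Select-String -Pattern ([regex]::Escape($spn))
if ($dups) { "WARNING: duplicate registration of $spn found: $dups" }
```

    If the pool is later switched from NetworkService to a service account, re-run the check: the SPN then has to move from the computer account to that user, since the same SPN cannot be registered on both.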

  2. Duchemin, Dominique 2,006 Reputation points
    2021-04-29T23:00:28.753+00:00

    Hello,

    Yes, you are correct.
    I can successfully archive the key to the internal server, I would confirm our client is looking at the external (YES) and then as mentioned check your site setup/SPNs (UNSURE!).

    VRPSCCMIBCM01 is the internal name of the IBCM server.
    SCCMInternet is the external name of the IBCM server.
    VRPSCCMMS03 is the internal name of the server hosting MBAM.
    VRPSCCMPR01 is the internal name of the Primary server for Configuration manager.
    VRPSCCMSQL01 is the internal name of the SQL Server for Configuration Manager.

    What are the SPN needed?
    The Web Application Pool has an Identity of “NetworkService”; should it run with a service account instead?

    Setspn -s https/helpdesk NetworkService ?
    Setspn -s https/selfservice NetworkService ?
    Setspn -s https/SCCMInternet NetworkService ?
    Setspn -s https/SCCMInternet.ad NetworkService ?

    Do we need more?

    This is the current SETSPN -Q */VRPSCCMIBCM01
    There is nothing for the external name SCCMInternet:

    C:\Users\rmppqx>setspn -q */vrpsccmibcm01
    Checking domain DC=ad
    CN=VRPSCCMIBCM01,OU=No Proxy,OU=App,OU=Windows,OU=MITS Servers,DC=ad
    CmRcService/VRPSCCMIBCM01.ad
    CmRcService/VRPSCCMIBCM01
    WSMAN/VRPSCCMIBCM01.ad
    WSMAN/VRPSCCMIBCM01
    TERMSRV/VRPSCCMIBCM01.ad
    TERMSRV/VRPSCCMIBCM01
    RestrictedKrbHost/VRPSCCMIBCM01
    HOST/VRPSCCMIBCM01
    RestrictedKrbHost/VRPSCCMIBCM01.ad
    HOST/VRPSCCMIBCM01.ad

    Existing SPN found!

    C:\Users\rmppqx>setspn -q */SCCMInternet
    Checking domain DC=ad

    No such SPN found.

    Any idea about the SPN to be added setspn -s ...?
    Thanks,
    Dom


  3. Duchemin, Dominique 2,006 Reputation points
    2021-04-30T02:30:49.323+00:00

    Hello,

    Thanks,

    Where does the Domain\appPooluser come from, as the identity on the Application Pool is "NetworkService"? (first screenshot of the thread)
    Do I need to change the Identity on the Application Pool?
    Will it affect other Application Pools?
    Should it be done on the 3 servers having the MBAM Application Pool:
    VRPSCCMMS03 (Hosting MBAM)
    VRPSCCMPR01
    VRPSCCMIBCM01 (SCCMInternet)

    Thanks,
    Dom