IIS 应用程序池不会在组托管服务帐户下启动[已关闭]

我正在尝试在同一活动目录组托管服务帐户下运行 Windows 服务和 IIS 网站

SomeServiceAccount

。

我有 2 台服务器

App

和

Web

。 我创建了一个名为

SomeGroup

的组，并使用命令添加了

App

和

Web

Add-ADGroupMember "SomeGroup" -Members (Get-ADComputer "App")

和

Add-ADGroupMember "SomeGroup" -Members (Get-ADComputer "Web")

重新启动两台机器以确保它们是该组的一部分

在域控制器上运行命令 New-ADServiceAccount -Name SomeServiceAccount -Enabled $true -DNSHostName 域控制器 -PrincipalsAllowedToRetrieveManagedPassword“SomeGroup”

去了两台机器并运行

Set-AdServiceAccount SomeServiceAccount

使用用户

App

在

SOMEDOMAIN\SomeServiceAccount$

机器上启动 Windows 服务，无需密码，并且启动正常

转到

Web

机器，将应用程序池标识分配为如上所述。 点击该网站，应用程序池就会停止。

事件日志中有错误：

Application pool SomePool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.

旁边有两个警告

Application pool SomePool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

和

The identity of application pool SomePool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request.  If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.

服务运行，但当我访问该网站时，网站 503 并停止应用程序池。 我已更改网站的权限以允许服务帐户访问它。

有人有什么想法吗？我真的很希望能够使用 GMSA 而不是普通的域帐户来运行它