These examples will allow you to rotate the credential on an IIS Application Pool running as a Service Account that has its password rotated via Keeper PAM.
The data in the record being rotated is made available to your script via a BASE64-encoded JSON string. This is passed into your script for consumption. When your script has finished execution, Clear-History is executed to ensure that the record data is not available for future PowerShell sessions.
The target server must be running Windows Server 2012 and above and have the IISAdministration module installed and enabled.
To update the 'Log On As' property on an IIS Application Pool, you will need a credential with the appropriate permissions, such as an Administrator account.
When attaching a PAM script to a record, you have the option to add a Resource Credential that is passed to the Gateway as part of the BASE64-encoded JSON data. The above credential will need to be attached as a Resource Credential.
Because several Resource Credentials can be attached to a PAM script, knowing the UID of the Resource Credential you have attached helps ensure your script uses the correct one to update the Service's 'Log On As' property.
Using the IISServerManager, you can update the credentials and restart the IIS App Pool by invoking the script block below.
This example uses the IIS Management utility appcmd and expects it on PATH. The executable is located in C:\Windows\System32\inetsrv on any IIS-enabled server.
To update the 'Log On As' property on a Windows Scheduled Task, you will need a credential with the appropriate permissions, such as an Administrator account.
When attaching a PAM script to a record, you have the option to add a Resource Credential that is passed to the Gateway as part of the BASE64-encoded JSON data. The above credential will need to be attached as a Resource Credential.
Because several Resource Credentials can be attached to a PAM script, knowing the UID of the Resource Credential you have attached helps ensure your script uses the correct one to update the Service's 'Log On As' property.
Native IIS Management RPC commands are no longer available in modern versions of Windows Server and last appeared in Windows Server 2008. However, the IIS management utility, appcmd, coupled with Invoke-WmiMethod can achieve the same outcome.
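The IISServerManager flow described earlier on this page (decode the record data, pick the Resource Credential by UID, update the pool identity, restart the pool), as an added example that is not Keeper's own script. The JSON key names (`user`, `newPassword`, `records`, `uid`, `password`), the two placeholder values, the helper `ConvertFrom-B64Json` and the use of `Invoke-Command` against localhost (which needs WinRM enabled) are assumptions.

```powershell
# Added example. JSON key names and placeholder values are assumptions, not a documented schema.
[CmdletBinding()]
param (
    [Parameter(ValueFromPipeline = $true)]
    [string]$Record
)
$ErrorActionPreference = 'Stop'
$AdminUid = '<RESOURCE_CREDENTIAL_UID>'   # placeholder: UID of the attached Resource Credential
$PoolName = '<APP_POOL_NAME>'             # placeholder: application pool to update

function ConvertFrom-B64Json([string]$Text) {   # hypothetical helper
    $bytes = [System.Convert]::FromBase64String($Text)
    [System.Text.Encoding]::UTF8.GetString($bytes) | ConvertFrom-Json
}

try {
    $params = ConvertFrom-B64Json $Record
    # Assumed layout: 'user' and 'newPassword' describe the rotated account,
    # 'records' is a nested BASE64 JSON array of the attached credentials.
    foreach ($key in 'user', 'newPassword', 'records') {
        if (-not $params.$key) { throw "Record data is missing '$key'." }
    }
    # Several Resource Credentials may be attached, so match on UID and require exactly one hit.
    $records = ConvertFrom-B64Json $params.records
    $admin = @($records | Where-Object { $_.uid -eq $AdminUid })
    if ($admin.Count -ne 1) { throw "Expected one credential with UID $AdminUid, found $($admin.Count)." }

    $secure = ConvertTo-SecureString $admin[0].password -AsPlainText -Force
    $adminCred = New-Object System.Management.Automation.PSCredential ($admin[0].user, $secure)

    # Run the update under the admin credential (assumes WinRM is enabled on the server).
    $poolArgs = $PoolName, $params.user, $params.newPassword
    Invoke-Command -ComputerName localhost -Credential $adminCred -ArgumentList $poolArgs -ScriptBlock {
        param ($Pool, $User, $Password)
        $ErrorActionPreference = 'Stop'   # stop at the first failure so a failed commit never reaches Recycle
        Import-Module IISAdministration
        $manager = Get-IISServerManager
        $appPool = $manager.ApplicationPools[$Pool]
        if ($null -eq $appPool) { throw "Application pool '$Pool' not found." }
        $appPool.ProcessModel.IdentityType = 'SpecificUser'
        $appPool.ProcessModel.UserName = $User
        $appPool.ProcessModel.Password = $Password
        $manager.CommitChanges()
        $appPool.Recycle()   # worker processes restart under the new identity
    }
}
catch {
    # Surface the failure without echoing record data or passwords.
    throw "App pool credential update failed: $($_.Exception.Message)"
}
```

Requiring exactly one UID match makes the script fail closed if the wrong Resource Credential, or none, was attached to the PAM script.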