Changing the Password or Username for the App Control Service Account and IIS Identity

search cancel

Changing the Password or Username for the App Control Service Account and IIS Identity

book

Article ID: 286800

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Update the password associated with the Carbon Black Service Account in Windows Services and IIS.

Environment

App Control Server: All Supported Versions
Microsoft Windows Server: All Supported Versions

Resolution

Please Note

Single Tier environments should use the IIS Identity AppolicationPoolIdentity
- Password changes to the Service Account require no changes to the Identities in IIS.
Two Tier environments should have two separate accounts (Service Account and IIS User)
- Password changes to the Service Account require no change to the Identities in IIS
- Password changes to the IIS User will require a change to the Identities in IIS
More details in the article, Permissions Required for the App Control Service Account

Make the necessary adjustments to the Service Account (such as in Active Directory):
- Verify the new password does not contain Unsupported Special Characters.
- Verify the relevant account(s) have the correct permissions assigned.
Update the App Control Services with the changes
1. Log in to the application server hosting the Console as the Carbon Black Service Account.
2. If an Agent is installed, temporarily turn off Tamper Protection.
3. Open Services (Start > Run > services.msc > Ok)
4. Stop the services
  - Carbon Black App Control Server
  - Carbon Black App Control Reporter
5. Right click > Properties > Log On
6. Enter the updated credentials and click OK.
7. Start the services.
8. If Tamper Protection was temporarily disabled, re-enable it.
Update IIS Application Pools (AppCDownloads and DefaultAppPool) to use the relevant Identity
1. Open IIS Manager > expand the server name > select Application Pools
2. Confirm the current Identity settings for AppCDownloads and DefaultAppPool
  - If Single Tier: Verify the Identity is set to ApplicationPoolIdentity
    - If it is, no other change is needed.
    - If it is not, first follow these steps to add AppCDownloads and DefaultAppPool to SQL Server.
  - If Two Tier: Verify the Identity is set to the expected IIS User.
    - If it matches the existing Service Account, initial changes may be desired to separate the accounts.
3. Right click AppCDownloads > Advanced Settings > Process Model
4. Click the dots next to Identity
  - Single Tier: Built-in account: ApplicationPoolIdentity
  - Two Tier: Custom account > Set... > enter relevant IIS User
5. Repeat for DefaultAppPool
6. Use an administrative command prompt to issue the command:
```
iisreset
```

Additional Information

If you have an App Control Agent installed, but do not know the Global CLI Password you will need to make the changes to the Services & IIS Identity via Safe Mode.
In some instances the temporary files in the Service Account's \AppData\Local\Temp\ must be deleted, while the Server services are stopped. Example path:
```
C:\Users\SERVICEACCOUNT\AppData\Local\Temp
```
- If you have an App Control Agent installed on the server you will need to also temporarily stop & unload the Agent and before deleting the files.
If the Service Account is repeatedly automatically locked in Active Directory, follow the steps here.

Feedback

thumb_up Yes

thumb_down No