Required IIS Modifications #49

Open
Flyslinger2 opened this issue Nov 13, 2024 · 3 comments

@Flyslinger2

You provide: "Modify the IIS-AppPool, to not use .NET Framework (new .NET is loaded via another mechanism) and set its identity to either a group managed service account (recommended), custom account or "NetworkService"."

Are you specifically asking for a new pool to be created?
What identity gets set to what?

@glatzert
Owner

Essentially I don't care which pool you are using (nevertheless, .NET might need an 'own' pool for its process, since it won't load e.g. in-process AspNetCore Module along out-of-process AspNetCore Module - see https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/out-of-process-hosting?view=aspnetcore-9.0&preserve-view=true).

The identity I'm speaking about is the process identity of the pool, e.g. the user running the app pool.
That identity needs access to an auto-enrollment certificate template as well as write access to the designated work directory (C:\ACME-ACDS).

@Flyslinger2
Author

Any chance you could show me a redacted screenshot of your IIS setup for this? I'm not getting what you are saying at all.

Thanks

@glatzert
Owner

I'm not 100% sure what I would screenshot there for you, but here is a short step-by-step explanation:

  1. Start IIS Manager and navigate to "Application Pools"
  2. Create a new one
  3. Right click it to get to advanced settings
  4. Set "(General) .NET CLR Version" to "no managed code"
  5. Set "(Process Model) Identity" to an appropriate account - I recommend using a group Managed Service Account, but anything that's part of your domain will do.
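
The steps in the comment above, together with the work-directory permission mentioned earlier in the thread, expressed as a PowerShell script. This is an added example, not code from the project or its maintainer; the pool name and gMSA account are placeholders, and granting `Modify` is an assumed reading of "write access".

```powershell
# Added example: run in an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

$PoolName = 'ACME-ACDS-Pool'      # hypothetical pool name
$Identity = 'CONTOSO\svc-acme$'   # hypothetical gMSA (trailing $); set to '' to use NetworkService
$WorkDir  = 'C:\ACME-ACDS'        # work directory named in the thread
$pool     = "IIS:\AppPools\$PoolName"

# Steps 1-2: create the application pool if it does not exist yet.
if (-not (Test-Path $pool)) {
    New-WebAppPool -Name $PoolName | Out-Null
}

# Step 4: "No Managed Code" is stored as an empty managedRuntimeVersion.
Set-ItemProperty $pool -Name managedRuntimeVersion -Value ''

# Step 5: set the process identity of the pool.
if ($Identity) {
    # A gMSA has no password to supply; Windows retrieves it from AD.
    Set-ItemProperty $pool -Name processModel.identityType -Value 'SpecificUser'
    Set-ItemProperty $pool -Name processModel.userName     -Value $Identity
    Set-ItemProperty $pool -Name processModel.password     -Value ''
    $principal = $Identity
} else {
    Set-ItemProperty $pool -Name processModel.identityType -Value 'NetworkService'
    $principal = 'NT AUTHORITY\NETWORK SERVICE'
}

# Give only that identity access to the work directory (Modify is an assumption).
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$acl  = Get-Acl -Path $WorkDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $principal, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $WorkDir -AclObject $acl

# Confirm the result. Access to the certificate template is granted on the
# CA / in Active Directory and is not covered by this script.
Get-ItemProperty $pool |
    Select-Object name, managedRuntimeVersion,
        @{ n = 'identityType'; e = { $_.processModel.identityType } },
        @{ n = 'userName';     e = { $_.processModel.userName } }
(Get-Acl -Path $WorkDir).Access | Where-Object IdentityReference -like "*$($principal.Split('\')[-1])*"
```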
