Group Managed Service Accounts

Group managed service accounts (gMSAs) are Active Directory (AD) accounts whose passwords the operating system generates and rotates automatically, without user action. UWM web applications and services can use gMSAs to authenticate to SQL Server databases, so that account passwords can expire on schedule without anyone having to change them by hand.

Working with gMSAs

Creation of gMSAs requires Domain Admin credentials. Refer to online Microsoft documentation for detailed information on gMSA creation.

Create a gMSA

If it doesn't already exist, create a key distribution service root key on the domain.

  1. Using an elevated PowerShell prompt, enter:

    • Get-KdsRootKey

    • If no keys are defined, add one with:

      Add-KdsRootKey

      AD requires a ten-hour delay between creation of the KDS Root Key and creation of gMSAs.

  2. Create an AD security group to contain the servers allowed to use the gMSA.

  3. Add the servers that will use the gMSA to the AD security group.

  4. Create the gMSA using the New-ADServiceAccount cmdlet. For example:

    New-ADServiceAccount UWMgMSA `
        -DNSHostName UWM.ivanti.com `
        -PrincipalsAllowedToRetrieveManagedPassword UWMServers `
        -KerberosEncryptionType RC4, AES128, AES256 `
        -ServicePrincipalNames http/UWM.ivanti.com/ivanti.com

    The application does not use the DNSHostName and ServicePrincipalNames parameters.

  5. Reboot the server to pick up the membership of the security group in steps 2 and 3.

    The UWM software silently fails if you don't reboot the server.
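The five steps above as a single script, added here as an example and not part of the UWM documentation. It is run from an elevated PowerShell prompt with Domain Admin rights; the gMSA, group and DNS host names are the ones used on this page, while the server names and OU path are placeholders to replace with your own.

```powershell
# Added example (not from the UWM documentation): steps 1-5 as one script.
# Requires the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

$GmsaName    = 'UWMgMSA'
$GroupName   = 'UWMServers'
$DnsHostName = 'UWM.ivanti.com'
$GroupPath   = 'OU=Service Groups,DC=ivanti,DC=com'   # placeholder OU
$Servers     = @('UWMMGMT01', 'UWMPERS01')            # placeholder computer names

# Step 1: a KDS root key must exist, and gMSAs cannot be created until
# ten hours after it was added (its EffectiveTime reflects that delay).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey | Out-Null
    throw 'KDS root key created; re-run this script after the ten-hour delay.'
}
if (-not (Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) })) {
    throw 'No KDS root key is effective yet; wait out the ten-hour delay.'
}

# Steps 2 and 3: a security group holding the servers allowed to retrieve the
# password. Domain local scope is used so the same group also serves the
# cross-domain case described later on this page.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal `
        -GroupCategory Security -Path $GroupPath
}
Add-ADGroupMember -Identity $GroupName `
    -Members ($Servers | ForEach-Object { Get-ADComputer -Identity $_ })

# Step 4: the gMSA itself, with the page's parameter values. RC4 is kept to
# match the page's example; drop it if every server in the group supports AES.
New-ADServiceAccount -Name $GmsaName -Enabled $true `
    -DNSHostName $DnsHostName `
    -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
    -KerberosEncryptionType RC4, AES128, AES256 `
    -ServicePrincipalNames "http/$DnsHostName/ivanti.com"

# Confirm that the group was recorded as an allowed principal.
$acct = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
$acct.PrincipalsAllowedToRetrieveManagedPassword

# Step 5: after rebooting each server, run this on that server (not on the
# domain controller; it needs the RSAT ActiveDirectory module). $true means the
# server's new group membership took effect and it can retrieve the password;
# $false is the condition under which UWM fails silently.
Test-ADServiceAccount -Identity $GmsaName
```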

Sign in to the gMSA

The SCP runs web applications and services under the gMSA. From the SCP, choose gMSA from the available Authentication types for the Service Account. Refer to Databases for more information.

By default, for any service set to run under LocalSystem, the gMSA is added to the local Administrators group on the server.

Using cross-domain gMSAs

Servers can use gMSAs defined in a separate domain in the same forest, or in a domain with an appropriate trust relationship. In this case, use the AD security group to define the principals allowed to retrieve the password. The group should have domain local scope and can contain the server(s) running the Management Server or Personalization Server. SCP verifies that the gMSA exists and that the server has permission to use it.
