Introduction
So I have been playing around with the newly released capability of our AD connector to use Group Managed Service Accounts (gMSA). Now, I am no AD expert and this article will evolve, but this is a quick test I have done in my homelab AD setup.
NOTE: These are not official steps and I am not an AD expert. Please test in your sandbox environment and understand and adjust each command per Microsoft's and your own AD deployment guidelines.
Infrastructure
- AD Domain: abc.local
- Functional Level: Windows Server 2016
- Domain Controller (one): dc1.abc.local
- IQService: running on the domain controller "dc1", non-TLS on port 6050
Steps
- Generate a KDS root key. Backdating the effective time by 10 hours makes the key usable immediately, which is fine in a single-DC lab; in production, create the key with the default effective time and wait the 10 hours so it replicates to all domain controllers before any gMSA is created.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
- Create a new managed service account called GMSA_ACCOUNT. DC1 is a member of the security group "IQService Servers", so we allow computers in that group to retrieve the password. If the server is not in a group, name the computer account directly as serverName$.
New-ADServiceAccount GMSA_ACCOUNT -DNSHostName abc.local -PrincipalsAllowedToRetrieveManagedPassword "IQService Servers"
The account now appears under the Managed Service Accounts container in Active Directory Users and Computers.
- Add a UPN (userPrincipalName) for the account, which is empty at this stage, by editing the attribute in Attribute Editor.
- Run Install-ADServiceAccount on the host that will run IQService (dc1 here); it links the gMSA to this machine so the local computer account can fetch the managed password. Test-ADServiceAccount GMSA_ACCOUNT on the same host should return True afterwards; if it returns False, the host is not (yet) an allowed principal or its Kerberos ticket predates the group membership.
Install-ADServiceAccount -Identity 'CN=GMSA_ACCOUNT,CN=Managed Service Accounts,DC=abc,DC=local'
- Purge the Kerberos tickets cached for the Local System account (logon session 0x3e7). The computer account retrieves the gMSA password using its own ticket, and that ticket must contain the new "IQService Servers" membership; until it is refreshed, retrieval fails even though the ACL is correct.
klist purge -li 0x3e7
- Add the account as a local Administrator on the machine running IQService so that it can start the service. This is broader than the service strictly needs; what a service account must have is the "Log on as a service" right (which the Services console grants automatically when you change the Log On identity) plus rights on the IQService folder, so trim this back once the service is confirmed working.
- Run Set-ADServiceAccount so that the account is allowed to retrieve its own password. Note that -PrincipalsAllowedToRetrieveManagedPassword replaces the whole list rather than appending to it, so the group from the creation step must be passed again or the servers lose access.
Set-ADServiceAccount -Identity GMSA_ACCOUNT$ -PrincipalsAllowedToRetrieveManagedPassword "IQService Servers", GMSA_ACCOUNT$
- On the IQService service, go to Properties -> Log On, change it to use the gMSA account (abc\GMSA_ACCOUNT$, leave the password fields empty) and click OK. You can follow my guide on how to install IQService from scratch if you need it.
- Give the gMSA account full rights to the IQService folder.
- Give the gMSA account the permissions it needs for its tasks in AD. Account Operators works, but it is a built-in group that can manage most user, group and computer objects in the domain; delegating create/modify rights on just the OUs the connector manages is the least-privilege option and is what you should use outside a lab.
- Restart IQService (or server for good measure).
- Now set up an AD source the normal way, with one change on the Domain Settings page: use port 389 with SASL authentication for the gMSA.
- On the IQService page configure the non-TLS port (6050).
- Give it a test connection and should be all GREEN 🙂
Additional Notes
- You can set up TLS client auth with IQService by creating a local account on the IQService box with a password, adding it to the source configuration, and registering it with IQService via the IQService.exe -a abc\gsmatesttls option.
- The Set-ADServiceAccount parameter -PrincipalsAllowedToRetrieveManagedPassword accepts multiple server and account names, but they must be passed together as one list. The parameter replaces the existing value, so passing a single name wipes the previously allowed servers and keeps only the last one.
Set-ADServiceAccount GMSA_ACCOUNT$ -PrincipalsAllowedToRetrieveManagedPassword SERVER_NAME1$, SERVER_NAME2$, SERVER_NAME3$, GMSA_ACCOUNT$
In the above, we allow GMSA_ACCOUNT$ to retrieve its own password and also allow multiple IQService servers to use the same account (in the earlier step we used the group "IQService Servers" instead of listing servers).
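The Steps section and the note above on passing the retrieval principals as one list, collected into a single script as an added example (this is not code from the post or from SailPoint). It runs in an elevated PowerShell on dc1, the host that will run IQService, and uses the names from the post (abc.local, dc1, "IQService Servers", GMSA_ACCOUNT). The UPN value, the NetBIOS domain name abc and the IQService folder path are assumptions for illustration. It differs from the post in two places: DNSHostName is set to the account's own FQDN rather than the bare domain name, and the folder ACL grants Modify instead of Full Control.

```powershell
# Added example, not from the original post. Run elevated on the IQService host (dc1).
# Assumed values: $NetBios, the UPN format and $IQFolder.
Import-Module ActiveDirectory

$Domain    = 'abc.local'
$NetBios   = 'abc'                      # assumed NetBIOS name of abc.local
$GroupName = 'IQService Servers'
$GmsaName  = 'GMSA_ACCOUNT'
$SamName   = $GmsaName + '$'            # sAMAccountName of a gMSA ends in $
$HostName  = 'dc1'
$IQFolder  = 'C:\SailPoint\IQService'   # assumed install path

# 1. KDS root key. Backdating is a lab shortcut; in production create the key
#    with the default effective time and wait 10 hours for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

# 2. Security group of computers allowed to retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer $HostName)

# 3. The gMSA. DNSHostName is the account's own name, not the domain.
#    (ManagedPasswordIntervalInDays can only be set here, default 30.)
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName
}

# 4. UPN, which the post sets by hand in Attribute Editor. Value is an assumption.
$gmsa = Get-ADServiceAccount -Identity $GmsaName
Set-ADObject -Identity $gmsa.DistinguishedName `
    -Replace @{ userPrincipalName = "$GmsaName@$Domain" }

# 5. Retrieval principals. This parameter REPLACES the list, so the group and the
#    account itself are passed together; passing only the account would drop the group.
Set-ADServiceAccount -Identity $SamName `
    -PrincipalsAllowedToRetrieveManagedPassword $GroupName, $SamName

# 6. Purge Local System's cached tickets (logon session 0x3e7) so the computer
#    account's ticket carries its new group membership, then link and verify.
klist purge -li 0x3e7 | Out-Null
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "$HostName cannot retrieve the password for $SamName; check group membership and replication."
}

# 7. Folder rights: Modify with inheritance to files and subfolders.
icacls $IQFolder /grant "${NetBios}\${SamName}:(OI)(CI)M" | Out-Null

# 8. Show what the account ended up with; PrincipalsAllowedToRetrieveManagedPassword
#    should list both the group DN and the gMSA's own DN.
Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, userPrincipalName |
    Select-Object Name, DNSHostName, userPrincipalName, PrincipalsAllowedToRetrieveManagedPassword
```

The service Log On change is still done in the Services console as in the post, because the console grants the "Log on as a service" right at the same time. If Test-ADServiceAccount returns False after the purge, the usual causes are the computer account not yet being in the group on the DC you are talking to, or the KDS root key not having replicated there yet.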
Conclusion
By following these steps, you can successfully configure gMSA in AD Connector for ISC, ensuring better security and management of service accounts. Test in your environment and adjust settings as needed.