Using gMSA as a Service Account
Use this page to configure IQService to use a group Managed Service Account (gMSA) for Active Directory integrations.
- Strong (SASL) authentication must be used when configuring gMSA for forest and domain settings.
- Ensure that the PowerShell module for Active Directory is installed on the IQService machine.
- For domain settings, the port used must be a non-TLS port, because TLS is not supported with Strong (SASL) authentication.
These requirements must be met before proceeding with any configuration steps.
To configure IQService to use a Group Managed Service Account (gMSA), follow these steps:
- Create a gMSA account:
  - Open PowerShell as an administrator on the domain controller.
  - Run the following command to create a gMSA user, if one does not already exist:
    New-ADServiceAccount MSAuserName -DNSHostName domainFQDNName -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers","Read-only Domain Controllers"
    For example:
    New-ADServiceAccount myMSAAccount -DNSHostName Monday.weekday.lab -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers","Read-only Domain Controllers"
    This command creates the gMSA and allows the domain controllers and read-only domain controllers to retrieve its password. Because only those principals can retrieve the password, this is only useful if IQService is installed on a domain controller.
- Refresh credentials:
  - Restart the domain controller or run the following command to refresh your credentials:
    klist purge -li 0x3e7
- Install the gMSA account in the Active Directory environment by running the following command:
  Install-ADServiceAccount -Identity 'CN=myMSAAccount,CN=Managed Service Accounts,DC=Weekday,DC=lab'
- Add the User Principal Name (UPN) to the gMSA account if not already present. Use the following format:
  <username>@<domainname>
  For example:
  myMSAAccount@IND.ASIA.LOCAL.LAB
  Where:
  - username is the name of the gMSA account, for example: myMSAAccount
  - domainname is the Active Directory domain, for example: IND.ASIA.LOCAL.LAB
- Grant the IQService principal permission to retrieve the gMSA password by running the following command:
  Set-ADServiceAccount -Identity <gMSA-SAMAccountName> -PrincipalsAllowedToRetrieveManagedPassword "<IQService$>"
  For example:
  Set-ADServiceAccount -Identity myMSAAccount$ -PrincipalsAllowedToRetrieveManagedPassword IQserviceuser1
  This parameter replaces the current list of allowed principals rather than adding to it, so list every principal that still needs access in the same command.
  The gMSA service account can also be used as the IQService LogOn User (the Windows service Log On account). In this case, ensure that the gMSA service account has full access to the IQService Instance folder in the registry. The gMSA account itself and the IQService server computer account are granted permission to retrieve the gMSA password, so no permissions need to be set for the IQService LogOn User.
- Configure IQService to run under the gMSA account:
  - Open Services.msc and locate the IQService Instance.
  - Right-click the service and select Properties.
  - Go to the Log On tab and enter the Account Name as myMSAAccount$. Remove any values in the Password fields.
  - Select Apply and then OK.
  - Restart the IQService for the changes to take effect.
- Domain Configuration:
  - Go to the Domain Settings in the Active Directory configuration.
  - Set the Authentication Type to strong for Strong (SASL) authentication.
  - Provide the necessary domain details, such as:
    - Forest Name
    - Domain DN
    - Servers
    - gMSA account UPN
  Example configuration:
  {
    "entry": {
      "value": {
        "List": {
          "Map": {
            "entry": [
              {
                "key": "authorizationType",
                "value": "strong"
              },
              {
                "key": "forestName",
                "value": "weekday.lab"
              },
              {
                "key": "domainDN",
                "value": "DC=weekday,DC=lab"
              },
              {
                "key": "password"
              },
              {
                "key": "port",
                "value": "389"
              },
              {
                "value": {
                  "Boolean": "true"
                },
                "key": "enablePasswordLessAuthenticationForDomain"
              },
              {
                "value": {
                  "List": {
                    "String": "myDC.weekday.lab"
                  }
                },
                "key": "servers"
              },
              {
                "value": {
                  "Boolean": ""
                },
                "key": "useSSL"
              },
              {
                "key": "user",
                "value": "myMSAAccount@weekday.lab"
              }
            ]
          }
        }
      },
      "key": "domainSettings"
    }
  }
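A post-configuration check for the procedure above, added here as an example and not part of IQService or this page: it verifies the gMSA in Active Directory (UPN set, this host can retrieve the managed password), the service log-on account, and the domainSettings entry against the page's prerequisites (strong authentication, non-TLS port, the gMSA UPN as the user). The settings file path and the service name 'IQService' are assumed placeholders.

```powershell
# Added check; not part of IQService or this page's procedure. Assumes the ActiveDirectory
# module is installed, the script runs on the IQService host, and the domainSettings entry
# above has been saved as JSON at $SettingsJson. Service name and path are placeholders.
param(
    [string]$GmsaName     = 'myMSAAccount',                    # gMSA name without the trailing $
    [string]$ServiceName  = 'IQService',                       # Windows service name of the instance
    [string]$SettingsJson = 'C:\IQService\domainSettings.json' # placeholder path
)
Import-Module ActiveDirectory
$failures = New-Object System.Collections.Generic.List[string]

# 1. The gMSA exists and carries a UPN (the "user" value in Domain Settings must be that UPN).
$gmsa = Get-ADServiceAccount -Identity "$GmsaName`$" -Properties UserPrincipalName
if (-not $gmsa.UserPrincipalName) { $failures.Add("gMSA $GmsaName has no User Principal Name") }

# 2. This host may retrieve the managed password (true for a DC after step 1, or for the
#    IQService computer account after step 5).
if (-not (Test-ADServiceAccount -Identity "$GmsaName`$")) {
    $failures.Add("this host cannot retrieve the managed password of $GmsaName")
}

# 3. The IQService Windows service logs on as the gMSA (DOMAIN\name$ with no stored password).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { $failures.Add("service $ServiceName not found") }
elseif ($svc.StartName -notlike "*\$GmsaName`$") {
    $failures.Add("service $ServiceName logs on as '$($svc.StartName)', not as the gMSA")
}

# 4. The domainSettings entry meets the page's prerequisites for gMSA.
$entries = (Get-Content -Raw $SettingsJson | ConvertFrom-Json).entry.value.List.Map.entry
$s = @{}
foreach ($e in $entries) { $s[$e.key] = $e.value }
if ($s['authorizationType'] -ne 'strong') { $failures.Add("authorizationType must be 'strong'") }
if ("$($s['useSSL'].Boolean)" -eq 'true' -or $s['port'] -eq '636') {
    $failures.Add("TLS is not supported with Strong (SASL) authentication: clear useSSL and use a non-TLS port")
}
if ($s['user'] -ne $gmsa.UserPrincipalName) {
    $failures.Add("user '$($s['user'])' does not match the gMSA UPN '$($gmsa.UserPrincipalName)'")
}
if ($s['password']) { $failures.Add("password must be empty when authenticating as a gMSA") }

if ($failures.Count -eq 0) { Write-Output 'gMSA configuration checks passed' }
else { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Run it on the IQService host after restarting the service; a non-zero exit code means at least one of the steps above is incomplete.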