Using gMSA as a Service Account

To configure IQService to use a Group Managed Service Account (gMSA), follow these steps:

  1. Create a gMSA account:

    1. Open PowerShell as an administrator on the domain controller.

    2. Run the following command to create a gMSA user, if not already existing:

      New-ADServiceAccount MSAuserName -DNSHostName domainFQDNName -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers","Read-only Domain Controllers"

      For example,

      New-ADServiceAccount myMSAAccount -DNSHostName Monday.weekday.lab -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers","Read-only Domain Controllers"

      This command creates the gMSA and allows the domain controllers and read only domain controllers to retrieve the password. This is only useful if the IQService is installed on a domain controller.

  2. Restart the domain controller or run klist purge -li 0x3e7 to refresh your credentials.

  3. Install the gMSA account in the Active Directory environment by running the following command:

    Install-ADServiceAccount -identity 'CN=myMSAAccount,CN=Managed Service Accounts,DC=Weekday,DC=lab'

  4. Add the User Principal Name (UPN) to the gMSA account if not already present, for example:

    myMSAAccount@weekday.lab

  5. Add the gMSA account to the members of the Domain Admins group.

  6. Configure IQService to run under the gMSA account:

    1. Open Services.msc and locate the IQService Instance.

    2. Right-click on the service and select Properties.

    3. Go to the Log On tab and provide the Account Name as myMSaAccount$.

    4. Remove any values in the Password fields.

    5. Select Apply and then OK.

    6. Restart the IQService for the changes to take effect.

  7. Grant the service account the capability to retrieve the password by running the following command:

    Set-ADServiceAccount -Identity <gMSA-SAMAccountName> -PrincipalsAllowedToRetrieveManagedPassword "<IQService-LogOn-User>"

    For example,

    Set-ADServiceAccount -Identity myMSAAccount$ -PrincipalsAllowedToRetrieveManagedPassword IQserviceuser1

    The gMSA service account can also be used as the IQService LogOn User (Windows Service LogOn User). In this case, ensure that the gMSA service account has full access to the IQService Instance folder on the registry.

    The gMSA account itself and the IQService server computer account are granted permission to retrieve the gMSA password, eliminating the need to set permissions for the IQService LogOn User.

    Note
    You cannot use this gMSA as an IQService User during IQService Settings configuration, which is required for client authentication. We would still need either Domain or Local user with a password to achieve the same purpose.

  8. Configure Active Directory in IdentityIQ:

    1. Ensure that you have added the necessary TLS certificate to the Virtual Appliance (VA) before creating the Active Directory connector.

      Important
      SailPoint recommends to add the necessary TLS certificate to the Virtual Appliance (VA) before creating the Active Directory connector to ensure a smooth configuration process.

    2. Go to the Domain Settings in the Active Directory configuration.

    3. Set the Authentication Type to strong for Strong (SASL) authentication.

    4. Provide the necessary domain details, such as Forest Name, Domain DN, Servers, and the gMSA account UPN.

    Here's an example of the configuration:

    Copy
    <entry key="domainSettings">
        <value>
            <List>
                <Map>
                    <entry key="authenticationType" value="strong"/>
                    <entry key="authorizationType" value="simple"/>
                    <entry key="user" value="myMSAAccount@weekday.lab"/>
                    <entry key="servers">
                        <value>
                            <List>
                                <String>myDC.weekday.lab</String>
                            </List>
                        </value>
                    </entry>
                </Map>
            </List>
        </value>
    </entry>