Introduction to GMSA (Group Managed Service Accounts) [MiniTool Wiki]
Definition of GMSA
What is GMSA? It is the abbreviation of Group Managed Service Accounts. The standalone managed service account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate management to other administrators. Then, you can continue to read this post from MiniTool.
Windows Server 2008 R2 and Windows 7 have this type of managed service account. The GMSA provides the same functionality in the domain, but also extends the functionality to multiple servers. When GMSA is used as the service principal, the Windows operating system will manage the password of the account instead of relying on the administrator to manage the password.
Application of GMSA
Just now, you have known the definition of Group Managed Service Accounts. Now, let’s see the application of it.
GMSA provides a single identity solution for services running on systems behind server farms or network load balancers. By providing GMSA solutions, services can be configured for new GMSA subjects, and password management is handled by Windows.
With GMSA, the service or service administrator does not need to manage password synchronization between service instances. GMSA supports hosts that remain offline for a long time, as well as member host management that serves all instances. Failover clustering does not support GMSA. However, services running on top of the cluster service can use GMSA or SMSA.
How to Create GMSA
Then, you may wonder how to create GMSA. Before you start to create it, here are some prerequisites for you.
- An Active Directory domain with at least one domain controller running Windows Server 2012 or higher. There are no forest or domain functional level requirements for using gMSA, but gMSA passwords can only be distributed by domain controllers running Windows Server 2012 or later.
- Permission to create a gMSA account. To create a gMSA account, you need to be a domain administrator or use an account that has been delegated the "Create MSDS-GroupManagedServiceAccount Object" permission.
- Visit the Internet to download the CredentialSpec PowerShell module. If you are working in a disconnected environment, you can save the module on a computer with Internet access and copy it to the development computer or container host.
Now, let’s see how to create GMSA.
When you create a GMSA, you also create a shared identity that can be used simultaneously on many different machines. Access to the GMSA password is protected by the Active Directory access control list. It’s recommended to create a security group for each GMSA account and adding related container hosts to this security group to restrict access to passwords.
Finally, since the container does not automatically register any service principal names (SPN), you will need to manually create at least one host SPN for the gMSA account.
Usually, the host or HTTP SPN is registered with the same name as the gMSA account, but if the client accesses the containerized application from behind the load balancer or the DNS name is different from the gMSA name, you may need to use another service name.
After determining the name of the gMSA, run the following cmdlet in PowerShell to create the security group and gMSA.
# Replace 'WebApp01' and 'contoso.com' with your own gMSA and domain names, respectively
# To install the AD module on Windows Server, run Install-WindowsFeature RSAT-AD-PowerShell
# To install the AD module on Windows 10 version 1809 or later, run Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
# To install the AD module on older versions of Windows 10, see https://aka.ms/rsat
# Create the security group
New-ADGroup -Name "WebApp01 Authorized Hosts" -SamAccountName "WebApp01Hosts" -GroupScope DomainLocal
# Create the gMSA
New-ADServiceAccount -Name "WebApp01" -DnsHostName "WebApp01.contoso.com" -ServicePrincipalNames "host/WebApp01", "host/WebApp01.contoso.com" -PrincipalsAllowedToRetrieveManagedPassword "WebApp01Hosts"
# Add your container hosts to the security group
Add-ADGroupMember -Identity "WebApp01Hosts" -Members "ContainerHost01$", "ContainerHost02$", "ContainerHost03$"
What is GMSA? The first section tells you the specific definition. Then, you can know the application of PRAM in the second part. As for the third part, it shows you how to create GMSA.
Read here, you may have an overall understanding of GMSA (Group Managed Service Accounts). Hope the above information can be helpful for you. Here comes to the end.