The group Managed Service Account (gMSA) provides the same functionality within the domain but also extends that functionality over multiple servers. When connecting to a service hosted on a server farm, such as Network Load Balanced solution, the authentication protocols supporting mutual authentication require that all instances of the services use the same principal. When a gMSA is used as service principals, the Windows operating system manages the password for the account instead of relying on the administrator to manage the password.
gMSA's can be used for several purposes. These include all the following:
- They can be used on multiple hosts
- They can be used for scheduled tasks
- They can be used for IIS application pools, SQL Server and other applications
- They enable automatic password management across multiple computer via Kerberos Key Distribution Service
Below we demonstrate how to create a gMSA and how to test it.
First we need to add a Kerberos Key Distribution root key in our domain. To do this open PowerShell and run the following PowerShell command as administrator.
**This method can take up to 10 hours to replicate across multiple domain controllers in multiple sites**
To bypass this 10 hour timeframe use the below code.
Now we need to create the service account with the below line of code. We will allow all computers in the "Domain Computers" group to access the password for this account.
Add the service account to a computer on the domain.
Now we will install the service account on the local computer.
now test to make sure the account is working properly.
To test the account, we will create a test service on the local computer and assign the group managed service account to it to test.
You can test to see if the service is running by looking at the services on the local computer.
Now we need to assign the account from active directory to our test service. Right click the server and select properties.
Now go to the Log On tab and click browse to search the directory for the testgMSA account that we created above.
Clear the password fields and hit the apply button.
Finally, right click the service and start it. Because we created a test service this will not start, but this does work on a normal service.
If you need assistance managing your servers, give us a call today!