Like the service accounts you can create with the vastool service create command, gMSAs are Active Directory (AD) accounts that a service can log in with; but instead of a user setting the password, AD creates and rotates the passwords of gMSAs automatically.
Similarly to other services, a UNIX service can use gMSAs through a keytab file that stores their login credentials.
Currently you can only create gMSAs on Windows. To create a gMSA, open a PowerShell prompt and follow the steps.
Prerequisite
You must have a KDS root key used for generating the password of the gMSA. To check if you have a KDS root key, run:
Get-KdsRootKey
To generate a new key, run:
Add-KdsRootKey -EffectiveImmediately
To create a gMSA
NOTE: To create the gMSA, you must set at least its DNS and password expiration interval, and one Service Principal Name (SPN).
- To create the gMSA and set its DNS and password expiration interval, run:
New-ADServiceAccount -Name gmsaExample -DNSHostName fqdn.where.my.service.will.run.com -ManagedPasswordIntervalInDays 30
- To set the account that can retrieve the password of the gMSA, run:
Set-AdServiceAccount -Identity gmsaExample -PrincipalsAllowedToRetrieveManagedPassword 'servicepc$'
This account is generally the host where the service will run, so that Safeguard Authentication Services can update its keytab if the password rotates. However, other accounts can also be specified, if needed.
- To set at least one SPN for the gMSA, run:
SetSPN -S HTTP/fqdn.where.my.service.will.run.com "gmsaExample"
NOTE: If you skip this step, Kerberos login with AES algorithms will fail.
For more information about gMSA, see Getting started with Group Managed Service Accounts in the official Microsoft Windows Server documentation.
A service can use gMSAs through a keytab file similarly to service accounts. Safeguard Authentication Services can generate and the service can use this keytab file to log in to Kerberos.
Unlike with service accounts, the password of a gMSA changes regularly, so the keytab files must be updated to match the current password in Active Directory (AD).
To install a gMSA account, run:
sudo vastool service gmsa install gmsaExample
where gmsaExample is the Common Name of the gMSA account. This will create a keytab at the default location: /etc/opt/quest/vas/gmsaExample.keytab.
Alternatively, you can specify the keytab path with the -k argument:
sudo vastool service gmsa install -k /my/path.keytab gmsaExample
The path to the keytab of the account is also recorded in the .ini-style file /etc/opt/quest/vas/gmsa.ktlist. This file lists the gMSA accounts installed on the host, one per line, in the following format:
[gMSA account name] = [path to the keytab]
The path can be absolute or relative to the directory of this configuration file.
If this configuration file contains the account, you can update its keytab with the following command:
sudo vastool service gmsa update
This command updates all keytabs for each installed gMSA.
NOTE: Unlike the other subcommands, install and update default to, and can only run with, the identity of the host.
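As an added example (not part of Safeguard Authentication Services or its documentation), the following POSIX shell script reads a gmsa.ktlist file in the format described above, resolves relative keytab paths against the directory of the ktlist file, and reports for every installed account whether the keytab exists, is owned by the expected user (root by default) and is not readable or writable by group or others. It assumes, which the page does not state, that blank lines, lines starting with # or ;, and [section] headers can be skipped; the sample ktlist in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not part of Safeguard Authentication Services: audit the keytabs
# recorded in a gmsa.ktlist file. The page gives one entry per line as
#   <gMSA account name> = <path to the keytab>
# with relative paths resolved against the directory holding the ktlist file.
# Assumption (not stated on the page): blank lines, lines starting with '#' or
# ';', and [section] headers are skipped.

# audit_ktlist FILE [OWNER]
# Prints "<account> <resolved path> <status>" for every entry, where status is
#   ok         keytab exists, owned by OWNER (default root), no group/other bits
#   missing    no regular file at the resolved path
#   bad-owner  keytab not owned by OWNER
#   bad-perms  keytab readable or writable by group or others
# Returns 0 when every entry is ok, 1 otherwise.
audit_ktlist() {
    ktlist=$1
    owner=${2:-root}
    dir=$(dirname "$ktlist")
    rc=0
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*|'['*) continue ;; esac   # skip non-entries
        case "$line" in *=*) ;; *) continue ;; esac           # need "name = path"
        # split on the first '=' and trim surrounding whitespace
        name=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        path=$(printf '%s' "${line#*=}"  | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        # relative paths are relative to the directory of the ktlist file
        case "$path" in /*) ;; *) path="$dir/$path" ;; esac
        if [ ! -f "$path" ]; then
            status=missing
        else
            mode=$(ls -ld "$path" | cut -c1-10)       # e.g. -rw-------
            own=$(ls -ld "$path" | awk '{print $3}')  # owning user
            if [ "$own" != "$owner" ]; then
                status=bad-owner
            else
                # positions 5-10 of the mode string are the group/other bits
                case "$mode" in
                    ????------) status=ok ;;
                    *)          status=bad-perms ;;
                esac
            fi
        fi
        [ "$status" = ok ] || rc=1
        printf '%s %s %s\n' "$name" "$path" "$status"
    done < "$ktlist"
    return $rc
}

# Stand-alone use: audit_ktlist.sh /etc/opt/quest/vas/gmsa.ktlist [owner]
if [ $# -gt 0 ]; then
    audit_ktlist "$@"
fi
```

Run it as root against /etc/opt/quest/vas/gmsa.ktlist after an install or update; a non-zero exit status means at least one listed keytab is missing, has an unexpected owner, or is exposed to other users on the host, each of which is worth correcting before relying on the keytab for Kerberos logins.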
You can also generate keytabs as other users: if you only want to generate a keytab, without Safeguard Authentication Services keeping it up to date, you can do so manually with the ktgen subcommand.
Example:
vastool -u MyAdminUser service gmsa ktgen -k /my/path.keytab gmsaExample
Unlike install, the ktgen subcommand creates the keytab but does not add an entry to the ktlist config file, so you must update the keytab yourself on each password rotation.
To start the password update daemon in the background, which updates the keytabs of all installed gMSA accounts when their passwords expire, run:
sudo vastool service gmsa update --daemon