Chat now with support
Chat with Support

Safeguard Authentication Services 5.0.7 - Administration Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting Glossary

Group managed service accounts (gMSA)

Similarly to service accounts, you can create gMSAs with the vastool service create command, but instead of a user, Active Directory (AD) creates and rotates the passwords of gMSAs automatically.

Similarly to other services, a Unix service can use gMSAs through a keytab file that stores their login credentials.

Creating a group managed service account (gMSA)

Currently you can only create gMSAs on Windows. To create a gMSA, open a PowerShell prompt and follow the steps.

Prerequisite

You must have a KDS root key used for generating the password of the gMSA. To check if you have a KDS root key, run:

Get-KdsRootKey

To generate a new key, run:

Add-KdsRootKey -EffectiveImmediately

To create a gMSA

NOTE: To create the gMSA, you must set at least its DNS and password expiration interval, and one Service Principal Name (SPN).

  1. To create the gMSA and set its DNS and password expiration interval, run:

    New-ADServiceAccount -Name gmsaExample -DNSHostName fqdn.where.my.service.will.run.com -ManagedPasswordIntervalInDays 30
  2. To set the account that can retrieve the password of the gMSA, run:

    Set-AdServiceAccount -Identity gmsaExample -PrincipalsAllowedToRetrieveManagedPassword 'servicepc$'

    This account is generally the host where the service will run, so that Authentication Services can update its keytab if the password rotates. However, other accounts can also be specified, if needed.

  3. To set at least one SPN for the gMSA, run:

    SetSPN -S HTTP/fqdn.where.my.service.will.run.com "gmsaExample"

    NOTE: If you skip this step, Kerberos login with AES algorithms will fail.

For more information about gMSA, see Getting started with Group Managed Service Accounts in the official Microsoft Windows Server documentation.

Checking group managed service accounts (gMSA) with vastool

  • To list the gMSAs that you have rights for to query their passwords, run:

    vastool service gmsa list
  • To list all users, including users you do not have rights for, run:

    vastool service gmsa list -a
  • To query details about a specific gMSA, run:

    vastool service gmsa inspect gmsaExample

    where gmsaExample is the Common Name of the gMSA.

  • You may need to supply an alternative Active Directory (AD) account, most commonly the host, which has the rights to query details about a specific gMSA.

    Running queries with the identity of the host requires administrative privileges:

    sudo vastool -u "host/" gmsa list
    sudo vastool -u "host/" gmsa inspect gmsaExample

Using group managed service accounts (gMSA) on Unix

A service can use gMSAs through a keytab file similarly to service accounts. Authentication Services can generate and the service can use this keytab file to log in to Kerberos.

Unlike when using service accounts, as the password changes, the keytab files need to be updated to match the actual password in the Active Directory (AD).

To install a gMSA account, run:

sudo vastool service gmsa install gmsaExample

where gmsaExample is the Common Name of the gMSA account. This will create a keytab at the default location: /etc/opt/quest/vas/gmsaExample.keytab.

Alternatively, you can specify a keytab path through -k argument.

sudo vastool service gmsa install -k /my/path.keytab gmsaExample

The keytab of the account will also get stored in the .ini file under /etc/opt/quest/vas/gmsa.ktlist. This file contains the list of installed accounts on the host, each line in the following format:

[gMSA account name] = [path to the keytab]

The path can be absolute or relative to the directory of this configuration file.

If this configuration file contains the account, you can update its keytab with the following command:

sudo vastool service gmsa update

This command updates all keytabs for each installed gMSA.

NOTE: Unlike the other commands, install and update defaults to and can only work using the identity of the host.

You can also generate keytabs with other users: if you only want to generate a keytab without requiring that Authentication Services keeps the keytab up-to-date, you can do so manually with the ktgen subcommand. Example:

vastool -u MyAdminUser service gmsa ktgen -k /my/path.keytab gmsaExample

Unlike install, the ktgen subcommand creates the keytab, but does not create the entry in the ktlist config file, therefore you must keep the keytab up-to-date on password rotations manually.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating