Access Management with gMSA

IT Asset Management (Cloud)

A Group Managed Service Account (gMSA) is a type of service account in Windows Server that is specifically designed to provide better management, security, and access control for services, tasks, and applications that run on multiple servers.

You can use gMSA for inventory data source credentials through third-party SQL-based connectors (e.g. SCCM).

Support for additional access management tools will be introduced in future releases of IT Asset Management.

To use gMSA for inventory data source credentials, follow the instructions in these sections:

  1. Prerequisites
  2. Configuring the beacon to use a gMSA
  3. Creating connections to third-party SQL-based inventory sources using a gMSA

Prerequisites

  • Active Directory with at least one domain controller running Windows Server 2012 or later.
  • PowerShell installed on a machine with administrative privileges.
  • A computer account or security group for specifying authorized hosts.
Note: It is assumed that you have already set up a domain controller. If you have not done that yet, see Configuring a domain controller on Windows Server for instructions.

Configuring the beacon to use a gMSA

Note:
  • The name of a gMSA must end with a "$" when used in configurations.
  • gMSAs require the Key Distribution Service (KDS) root key to be set up in Active Directory.
  1. Create the KDS root key. The KDS root key is required for Active Directory to generate and manage gMSA passwords.
    Note: This is a one-time setup.
    1. Log in to a domain controller.
    2. Open PowerShell as an administrator.
    3. Run the following command:
      Get-KdsRootKey

      If a value exists, skip the next step and go directly to create the security group for gMSA hosts.

    4. Create the KDS root key by running the following command:
      Add-KdsRootKey -EffectiveImmediately
      Note: It takes around 10 hours for the key to become effective. The delay allows the key to replicate to all domain controllers before it is used.
      Alternatively, for older domains or when the key must be usable immediately, backdate its effective time by running the following command:
      Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
      Note: This command makes the key available immediately. In a domain with more than one domain controller, confirm that the key has replicated before you create the gMSA.
  2. Create the security group for gMSA hosts.
    Note: A security group defines which computers can use the gMSA.
    1. Open Active Directory Users and Computers.
    2. Create a security group. For example, "gmsaservers".
    3. Add all computers that will use the gMSA as members of this group.
  3. Create the gMSA.
    1. Open PowerShell on a domain controller.
    2. Run the following command to create the gMSA, with the variables replaced with your customized values:
      • Replace <gMSAName> with the desired name for your gMSA. For example, "endpointgMSA".
      • Replace <DomainName> with your domain name. For example, "endpoint.flexbeacon.com".
      • Replace <GroupName> with the name of the security group created earlier. For example, "gmsaservers".
      New-ADServiceAccount -Name "<gMSAName>" -DNSHostName "<DomainName>" -PrincipalsAllowedToRetrieveManagedPassword "<GroupName>"
      For example:
      New-ADServiceAccount -Name "endpointgMSA" -DNSHostName "endpoint.flexbeacon.com" -PrincipalsAllowedToRetrieveManagedPassword "gmsaservers"
    3. Verify that the gMSA exists in Active Directory Users and Computers > Managed Service Accounts.
    4. Verify gMSA details by running the following command in PowerShell, where <gMSAName> is the name you assigned to the gMSA:
      Get-ADServiceAccount -Identity <gMSAName>
  4. Install the gMSA on the target server.
    Tip: If you encounter issues while trying to install the gMSA, check Troubleshooting: Installing the gMSA.
    1. Log in to the Windows Server instance with administrative credentials.
    2. Ensure the computer is joined to the domain to access the gMSA. If the computer is not joined to the domain, see Joining the computer to the domain.
    3. Ensure the domain controller name can be resolved from the current server. If the domain is not resolved by the existing DNS servers, see Updating the DNS server settings.
    4. Add the target device to the security group used by the gMSA.
      1. Go to the domain controller and open Active Directory Users and Computers.
      2. Select the group created earlier (e.g., "gmsaservers"), and add the newly created server to the group.
      3. Restart the target device and run the gpupdate command (Group Policy) on the target device.
    5. Install the gMSA on the target device by running PowerShell with elevated permissions and executing the following command, where <gMSAName> is the name used when the gMSA was enabled in the domain controller:
      Install-ADServiceAccount -Identity "<gMSAName>"
    6. Verify the installation by running the following command:
      Test-ADServiceAccount -Identity "<gMSAName>"

      If the installation is successful, the command will return True.

    7. Add the gMSA to the Administrators group on the local machine.
      1. Go to Local Users and Groups > Groups > Administrators > Members, and click Add.
      2. Select the gMSA name (e.g., "endpointgMSA$") and click OK.
  5. Configure gMSA in the beacon.
    Tip: If you encounter issues while trying to configure gMSA in the beacon, check Troubleshooting: Configuring gMSA in the beacon.
    1. Add the gMSA to the local Administrators group (as in step 4.7 above) to avoid errors when accessing the temp folder or the registry.
    2. Install the FlexNet Beacon application.
    3. Configure the FlexNet Beacon Engine Service to use gMSA.
      1. Open Services (services.msc).
      2. Find the FlexNet Beacon Engine Service, right-click it and select Properties.
      3. Go to the Log On tab and select This Account.
      4. Click From this location and select Entire Directory.
      5. Search for the gMSA name and add the gMSA. The gMSA will be added with a "$" at the end; for example, "endpointgMSA$".
      6. Leave the password fields blank, as the password is managed by the gMSA.
      7. Apply and save the changes.
      8. Restart the service.
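As an added example (not code from the original page or from Flexera), the domain-side part of this procedure, steps 1 to 3, as a PowerShell script run on a domain controller. The gMSA, group and DNS host names are the page's own sample values; the beacon host name BEACON01 is an assumption.

```powershell
# Added example, not from the original page: provision a gMSA for beacon hosts.
# Run in an elevated PowerShell session on a domain controller.
Import-Module ActiveDirectory

$GmsaName    = 'endpointgMSA'            # step 3: gMSA name (no trailing $ when creating it)
$DnsHost     = 'endpoint.flexbeacon.com' # step 3: value for -DNSHostName
$GroupName   = 'gmsaservers'             # step 2: security group of authorized hosts
$BeaconHosts = @('BEACON01')             # assumed: computer names of the beacon servers

# Step 1: a KDS root key must exist before AD can generate any gMSA password.
if (-not (Get-KdsRootKey)) {
    # Production: allow about 10 hours so the key replicates to every domain controller.
    Add-KdsRootKey -EffectiveImmediately
    Write-Warning 'KDS root key created; gMSA creation fails until the key is effective.'
}

# Step 2: the group that is allowed to retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
foreach ($hostName in $BeaconHosts) {
    # Each host must restart afterwards so its Kerberos ticket reflects the membership.
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $hostName)
}

# Step 3: create the gMSA. Only members of $GroupName, not every computer in the
# domain, may retrieve its password, which is the least-privilege setting.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsHost `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName
}

# Verification: the only principal allowed to retrieve the password should be the group.
$acct = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
$acct | Select-Object Name, Enabled, PrincipalsAllowedToRetrieveManagedPassword
```

Step 4 (Install-ADServiceAccount and Test-ADServiceAccount) is still run on each beacon host after it has been restarted.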

Creating connections to third-party SQL-based inventory sources using a gMSA

  1. Create a new inventory system and configure it to use the gMSA in Beacon.
    1. Run the FlexNet Beacon application.
    2. Go to Inventory systems and click Add.
    3. In the Edit SQL Source Connection window, input connection details such as Connection Name, Source Type (e.g. SCCM), and Server.
    4. Select Windows Authentication. When this option is selected, the gMSA will be used as it is configured for Beacon Engine.
    5. Select the database name and click Save.
  2. Set SQL Server Service to use gMSA.
    1. Open SQL Server Configuration Manager.
    2. Locate the SQL Server service you want to configure. For example, "SQL Server (MSSQLSERVER)".
    3. Right-click the service, select Properties, and go to the Log On tab.
    4. Select This account, input the gMSA name (e.g., "epgmsatest$"), leave the password fields empty, and click OK.
    5. Restart the SQL Server service.
    6. Open SQL Server Management Studio (SSMS).
    7. Connect to the SQL Server instance.
    8. Run the following SQL commands to grant the required permissions to the gMSA. Replace the variables with your customized values and adjust the permissions to your requirements: the example grants sysadmin, which gives the gMSA unrestricted control of the SQL Server instance, so grant a narrower role where the connector does not need more.
      -- Create a login for the gMSA
      CREATE LOGIN [YourDomain\YourGMSAName$] FROM WINDOWS;
      -- Grant necessary server-level permissions
      ALTER SERVER ROLE sysadmin ADD MEMBER [YourDomain\YourGMSAName$];
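As an added example (not from the original page or from Flexera), a least-privilege alternative to the sysadmin grant above: the gMSA login gets read access to the SCCM site database only, which is what an inventory connector that reads the database needs. The gMSA login is built from the page's sample values; the SQL Server name SQL01 and the site database name CM_P01 are assumptions, and the script is run by a SQL Server administrator with Windows Authentication.

```powershell
# Added example, not from the original page: grant the gMSA read access to the
# SCCM site database instead of sysadmin. Run as a SQL Server administrator.
$Server   = 'SQL01'                   # assumed: SQL Server host or host\instance
$Login    = 'ENDPOINT\endpointgMSA$'  # gMSA login: DOMAIN\name with the trailing $
$Database = 'CM_P01'                  # assumed: SCCM site database name

# Names are bracket-quoted so SQL Server treats them as identifiers; the statements
# are idempotent so the script can be re-run after a partial failure.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Login')
    CREATE USER [$Login] FOR LOGIN [$Login];
ALTER ROLE db_datareader ADD MEMBER [$Login];
-- Verification: list the database roles the gMSA user now holds.
SELECT r.name AS role_name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = N'$Login';
"@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$Server;Database=master;Integrated Security=True")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $tsql
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        Write-Output ("{0} holds role {1} in {2}" -f $Login, $reader['role_name'], $Database)
    }
} finally {
    $conn.Close()
}
```

If the connector needs more than reading the database, add only the specific role or permission it requires rather than returning to sysadmin.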

Additional tasks

The following sections provide information on some additional tasks that you might need to perform.

Configuring a domain controller on Windows Server

Perform the following steps to configure a domain controller on Windows Server:
  1. Prepare the server.
    1. Install a supported version of Windows Server.
    2. Go to Network and Sharing Center, set a static IP address for the server, and input DNS server details.
    3. (Optional) Rename the server to a meaningful name (e.g. "EndpointDC") for easier identification in the domain. The server name can be changed in Control Panel > System and Security > System. Restart the server after renaming.
    4. Install the latest updates and patches to the server to ensure security and stability.
  2. Install the Active Directory Domain Services role.
    1. Run Server Manager, click Add Roles and Features.
    2. Choose either role-based or feature-based installation.
    3. Select the server from the list.
    4. Add the Active Directory Domain Services (AD DS) role.
    5. Add the required features when prompted.
    6. Restart the server if prompted.
  3. Promote the server to a domain controller.
    1. In Server Manager, click the triangle alert icon and select Promote this server to a domain controller.
    2. Select one of the following options for deployment configuration:
      • Add a new forest: Choose this option if this is the first domain controller in the network.
      • Add a domain controller to an existing domain: Choose this option if the domain already exists.
    3. Configure the domain:
      • If you have selected Add a new forest, specify a root domain name. For example, "gmsatest.endpoint.com".
      • If you have selected Add a domain controller to an existing domain, input the credentials of an existing domain controller.
    4. Set the Forest functional level and Domain functional level to the highest level supported by all servers in the network.
    5. Set a Directory Services Restore Mode (DSRM) password. This is used for recovery purposes.
    6. Leave the DNS configuration option as default. The installation wizard will configure DNS automatically.
    7. Review the summary, and click Install. The server will restart after the installation is complete.
  4. Verify the domain controller.
    1. In Server Manager, go to Manage > Active Directory Users and Computers (ADUC), and ensure the domain is functional.
    2. Use the nslookup command to verify DNS resolution. For example,
      nslookup epdc.gmsatest.endpoint.com
    3. If there are multiple domain controllers, run the following command to verify replication is working.
      repadmin /replsummary
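As an added example (not from the original page or from Flexera), steps 2 to 4 of this procedure as PowerShell commands for creating a new forest on a server prepared as in step 1. The domain name is the page's sample value; the NetBIOS name GMSATEST is an assumption.

```powershell
# Added example, not from the original page: unattended new-forest promotion.
$DomainName  = 'gmsatest.endpoint.com'
$NetbiosName = 'GMSATEST'   # assumed NetBIOS name for the new domain

# Step 2: install the AD DS role plus its management tools (ADUC, AD PowerShell).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Step 3: promote the server. The DSRM password is read interactively so it is
# never stored in the script. Forest and domain functional levels default to the
# highest level this server's OS supports; -InstallDns matches the wizard default.
# The server restarts automatically when promotion completes.
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# Step 4, after the restart: verify the domain and DNS. The SRV record is how
# domain members locate a domain controller, so checking it is stronger than an
# A-record lookup of the server name alone.
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV
repadmin /replsummary   # meaningful once a second domain controller exists
```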

Joining the computer to the domain

Perform the following steps to join the computer to the domain:

  1. Go to Control Panel > System and Security > System, and click Change Settings.
  2. In the Member of section, select Domain instead of Workgroup, and then input the domain details and domain admin credentials.
  3. Restart the system.

Updating the DNS server settings

If the domain controller name is not resolved by the existing DNS servers, perform the following steps to update the DNS server settings:

  1. Go to Control Panel > Network and Internet > Network and Sharing Center, and then click Adapter Settings.
  2. Right-click Ethernet and select Properties.
  3. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  4. Update the DNS server address:
    • Set one DNS server to the domain controller IP.
    • Set the other DNS server to the current DNS server address used by the machine.
      Tip: To find the current DNS servers, open the command prompt and run the following command:
      ipconfig /all
  5. Click OK to save the changes.

Troubleshooting: Installing the gMSA

The following are common errors you might encounter when installing the gMSA, with their resolutions.

Error message:
  Install-ADServiceAccount : The term 'Install-ADServiceAccount' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Resolution:
  The cmdlet is part of the Active Directory module for Windows PowerShell. Ensure that the module is installed on your system.
  To check if the module is available, run the following command:
    Get-Module -ListAvailable -Name ActiveDirectory
  If the module is not listed, install the Remote Server Administration Tools (RSAT) for your version of Windows:
    • For Windows 10 or 11, run the following command:
      Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
    • For Windows Server, run the following command:
      Install-WindowsFeature RSAT-AD-PowerShell
  If the module is installed but not imported, import it manually using the following command:
    Import-Module ActiveDirectory

Error message:
  Install-ADServiceAccount : Cannot install service account. Error Message: '{Access Denied} A process has requested access to an object, but has not been granted those access rights.'.
Resolution:
  The error occurs when the computer or user doesn't have permission to access gMSA-related settings. Perform the following steps:
  1. Ensure that you are logged in with Admin privileges and that the computer is added to the security group specified in the PrincipalsAllowedToRetrieveManagedPassword property of the gMSA.
  2. If the computer is not added to the security group, add it, restart the computer where you are installing the gMSA (not the domain controller), and update the policy using the gpupdate command.
  3. If the issue persists, check the gMSA permissions using the following command, where <gMSAName> is the name of your gMSA:
    Get-ADServiceAccount -Identity "<gMSAName>" -Properties PrincipalsAllowedToRetrieveManagedPassword
  4. If the computer is in the security group listed in the PrincipalsAllowedToRetrieveManagedPassword property, try synchronizing all domain controllers using the following command:
    Repadmin /syncall /e /d /A /P
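As an added example (not from the original page or from Flexera), a check script that tests each precondition behind the Access Denied error in one pass on the beacon host: domain membership, domain controller lookup, whether this computer is covered by PrincipalsAllowedToRetrieveManagedPassword (directly or through nested group membership), and finally Test-ADServiceAccount. The gMSA name is the page's sample value; the RSAT Active Directory module is assumed to be installed on the host.

```powershell
# Added example, not from the original page: run elevated on the beacon host
# before retrying Install-ADServiceAccount.
Import-Module ActiveDirectory

$GmsaName = 'endpointgMSA'
$result   = [ordered]@{}

# 1. The host must be domain-joined and able to locate a domain controller.
$cs = Get-CimInstance Win32_ComputerSystem
$result.DomainJoined = $cs.PartOfDomain
$result.DcLocatable  = [bool](Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($cs.Domain)" `
    -Type SRV -ErrorAction SilentlyContinue)

# 2. This computer must be allowed to retrieve the managed password, either
#    listed directly or as a (nested) member of a group that is listed.
$me   = Get-ADComputer -Identity $env:COMPUTERNAME
$acct = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowedDns = foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group') {
        (Get-ADGroupMember -Identity $dn -Recursive).DistinguishedName
    } else {
        $obj.DistinguishedName
    }
}
$result.AllowedToRetrievePassword = $allowedDns -contains $me.DistinguishedName
$result.Principals = $acct.PrincipalsAllowedToRetrieveManagedPassword -join '; '

# 3. Group membership reaches the host only after a restart (new computer ticket).
#    Test-ADServiceAccount retrieves the password the way the beacon service will,
#    so it is the definitive check once the account has been installed.
$result.TestADServiceAccount = Test-ADServiceAccount -Identity $GmsaName `
    -ErrorAction SilentlyContinue -WarningAction SilentlyContinue

[pscustomobject]$result
```

AllowedToRetrievePassword False with the computer already in the group points at replication (step 4 above); True with TestADServiceAccount False after a restart means the account has not been installed yet or the host's ticket predates the membership change.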

Troubleshooting: Configuring gMSA in the beacon

The following are common issues you might encounter when configuring gMSA in the beacon, with their resolutions.

Issue: Unauthorized access exception error.
  System.UnauthorizedAccessException: Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\ManageSoft Corp\ManageSoft\Beacon\CurrentVersion' is denied.
Resolution:
  Ensure the gMSA has Admin permissions on the server where the beacon is running.

Issue: Login failed error.
  The login is from an untrusted domain and cannot be used with Integrated authentication.
Resolution:
  Use Windows Authentication, as gMSAs are meant for integrated security.
  A gMSA is designed primarily for Windows Authentication (integrated security), for services that need access to resources such as SQL Server or other network services. Its purpose is to give such services a managed account whose password is generated and rotated automatically and which authenticates with Kerberos. Entering a specific user name and password (the Selected User option) therefore defeats the purpose of a gMSA.

Issue: Network-related or instance-specific error. For example:
  Test connection failed. An error occurred when testing the inventory connection 'Test'.
  A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible.
Resolution:
  Ensure that your firewall allows the beacon to reach SQL Server on the server where SCCM is installed.
