Access Management with gMSA
A Group Managed Service Account (gMSA) is a type of service account in Windows Server that is specifically designed to provide better management, security, and access control for services, tasks, and applications that run on multiple servers.
You can use gMSA for inventory data source credentials through third-party SQL-based connectors (e.g. SCCM).
Support for additional access management tools will be introduced in future releases of IT Asset Management.
To use gMSA for inventory data source credentials, follow the instructions in these sections:
- Prerequisites
- Configuring the beacon to use a gMSA
- Creating connections to third-party SQL-based inventory sources using a gMSA
Prerequisites
- Active Directory with at least one domain controller running Windows Server 2012 or later.
- PowerShell with the Active Directory module (part of the Remote Server Administration Tools), run with administrative privileges.
- A computer account or security group for specifying authorized hosts.
Configuring the beacon to use a gMSA
- The name of a gMSA must end with a "$" when used in configurations (for example, "endpointgMSA$").
- gMSAs require the Key Distribution Service (KDS) root key to be set up in Active Directory.
- Create the KDS root key. The KDS root key is required for Active Directory to generate and manage gMSA passwords. Note: This is a one-time setup per forest.
- Log in to a domain controller.
- Open PowerShell as an administrator.
- Run the following command:
Get-KdsRootKey
If a value exists, skip the next step and go directly to create the security group for gMSA hosts.
- Create the KDS root key by running the following command:
Add-KdsRootKey -EffectiveImmediately
Note: Even with -EffectiveImmediately, the key becomes usable only after about 10 hours; the delay gives the key time to replicate to every domain controller. In a test domain with a single domain controller you can backdate the key so it is usable at once:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Note: Do not backdate the key in a production forest with several domain controllers. A gMSA created before the key has replicated everywhere can fail password retrieval on hosts that authenticate against a domain controller that does not have the key yet.
- Create the security group for gMSA hosts. Note: This security group defines which computers can retrieve the gMSA password and therefore use the account.
- Open Active Directory Users and Computers.
- Create a security group. For example, "gmsaservers".
- Add all computers that will use the gMSA as members of this group.
- Create the gMSA.
- Open PowerShell on a domain controller.
- Run the following command to create the gMSA, with the variables replaced with your customized values:
- Replace <gMSAName> with the desired name for your gMSA. For example, "endpointgMSA".
- Replace <DomainName> with your domain name; the value is stored as the DNS host name of the account. For example, "endpoint.flexbeacon.com".
- Replace <GroupName> with the name of the security group created earlier. For example, "gmsaservers". Only members of this group can retrieve the managed password.
New-ADServiceAccount -Name "<gMSAName>" -DNSHostName "<DomainName>" -PrincipalsAllowedToRetrieveManagedPassword "<GroupName>"
For example:
New-ADServiceAccount -Name "endpointgMSA" -DNSHostName "endpoint.flexbeacon.com" -PrincipalsAllowedToRetrieveManagedPassword "gmsaservers"
- Verify that the gMSA exists in Active Directory.
- Verify gMSA details by running the following command in PowerShell, where <gMSAName> is the name you assigned to the gMSA:
Get-ADServiceAccount -Identity <gMSAName>
- Install the gMSA on the target server. Tip: If you encounter issues while trying to install the gMSA, see Troubleshooting: Installing the gMSA.
- Log in to the Windows Server instance with administrative credentials.
- Ensure the computer is joined to the domain to access the gMSA. If the computer is not joined to the domain, see Joining the computer to the domain.
- Ensure the domain controller name can be resolved from the current server. If the domain is not resolved by the existing DNS servers, see Updating the DNS server settings.
- Add the target device to the security group used by the gMSA.
- Go to the domain controller and open Active Directory Users and Computers.
- Select the group created earlier (e.g., "gmsaservers"), and add the newly created server to the group.
- Restart the target device and run the gpupdate command (Group Policy) on the target device. The restart is what matters for the gMSA: the computer's Kerberos ticket is issued when the computer starts and must include the new group membership before the gMSA can be installed.
- Install the gMSA on the target device by running PowerShell with elevated permissions and executing the following command, where <gMSAName> is the name used when the gMSA was created on the domain controller:
Install-ADServiceAccount -Identity "<gMSAName>"
- Verify the installation by running the following command:
Test-ADServiceAccount -Identity "<gMSAName>"
If the installation is successful, the command returns True. A result of False usually means the computer is not yet a member of the security group, or has not been restarted since it was added.
- Add the gMSA as Admin on the local machine.
- Open the local Administrators group (Local Users and Groups), and click Add.
- Select the gMSA name (e.g., "endpointgMSA$") and click OK.
- Configure gMSA in the beacon. Tip: If you encounter issues while trying to configure gMSA in the beacon, see Troubleshooting: Configuring gMSA in the beacon.
- Make sure the gMSA is a member of the local Administrators group (previous step) to avoid errors when accessing the temp folder or the registry. Local administrator rights are a broad grant, so keep the host dedicated to the beacon role.
- Install the FlexNet Beacon application.
- Configure the FlexNet Beacon Engine Service to use the gMSA.
- Open Services (services.msc).
- Find the FlexNet Beacon Engine Service, right-click it and select Properties.
- Go to the Log On tab and select This account.
- Next to From this location, click Locations and select Entire Directory.
- Search for the gMSA name and add the gMSA. The gMSA is added with a "$" at the end; for example, "endpointgMSA$".
- Leave the password fields blank, as the password is managed by Active Directory for the gMSA.
- Apply and save the changes.
- Restart the service.
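The provisioning steps above, from the KDS root key to the verified installation on the beacon server, as one added PowerShell script. This is example code, not part of the Flexera documentation or product. The gMSA, group and domain names are the example values used on this page, and the beacon computer name and NetBIOS domain are assumptions; the service log-on change itself is still made in services.msc as described, and the script only confirms it.

```powershell
# Added example (not from the Flexera documentation): end-to-end provisioning of a
# gMSA for the FlexNet Beacon Engine Service. Names below are assumptions taken
# from the examples on this page; replace them with your own values.
# Run the "DC side" part on a domain controller (or any host with the RSAT AD
# module and rights to create accounts) and the "target side" part on the beacon.

#Requires -Modules ActiveDirectory
#Requires -RunAsAdministrator

$GmsaName   = 'endpointgMSA'                          # assumption: gMSA name from this page
$DnsHost    = 'endpointgMSA.endpoint.flexbeacon.com'  # assumption: DNS host name of the account
$GroupName  = 'gmsaservers'                           # assumption: hosts allowed to use the gMSA
$BeaconHost = 'BEACON01'                              # assumption: computer name of the beacon
$NetBiosDom = 'ENDPOINT'                              # assumption: NetBIOS domain name

# ---- DC side ---------------------------------------------------------------

# 1. A KDS root key must exist before any gMSA password can be generated.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately still waits ~10 h so the key replicates to every DC.
    # Backdating with -EffectiveTime is only safe on a single-DC test domain.
    Add-KdsRootKey -EffectiveImmediately
}

# 2. The group that defines which computers may retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $BeaconHost)

# 3. Create the gMSA. Limiting Kerberos to AES keeps RC4 keys off the account;
#    the 30-day password interval is the default and is shown for clarity.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $DnsHost `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
        -KerberosEncryptionType AES128,AES256 `
        -ManagedPasswordIntervalInDays 30
}

# 4. Verify the account and the principals allowed to fetch its password.
Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, SamAccountName, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# ---- Target side: run on the beacon server AFTER it has been rebooted, so its ---
# ---- Kerberos ticket reflects the new group membership ---------------------------

Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "$GmsaName is not usable on $env:COMPUTERNAME. Is this computer in $GroupName, and was it rebooted after being added?"
}

# The page requires the gMSA to be a local administrator (temp folder and registry
# access). This is a broad grant; keep the host dedicated to the beacon role.
Add-LocalGroupMember -Group 'Administrators' -Member "$NetBiosDom\${GmsaName}`$" -ErrorAction SilentlyContinue

# The service log-on change is made in services.msc as described above; confirm
# that the service now starts as the gMSA (display name is an assumption).
Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'FlexNet Beacon%'" |
    Select-Object Name, DisplayName, StartName, State
```

The checks are deliberately ordered: a gMSA cannot be installed on a host that is not an allowed principal, and the allowed-principal group is only honoured after the host's Kerberos ticket has been reissued, which is why the target-side block is run after the reboot the page calls for.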
Creating a connection to third-party SQL-based inventory source using the gMSA
- Create a new inventory system and configure it to use the gMSA in Beacon.
- Run the FlexNet Beacon application.
- Go to Inventory systems and click Add.
- In the Edit SQL Source Connection window, input connection details such as Connection Name, Source Type (e.g. SCCM), and Server.
- Select Windows Authentication. With this option the connection runs under the account the FlexNet Beacon Engine Service logs on as, that is, the gMSA, and authenticates to SQL Server with Kerberos; no password is stored in the connection.
- Select the database name and click Save.
- Set the SQL Server service to use the gMSA. Note: A gMSA can only be used on computers that are allowed to retrieve its password, so the SQL Server host must itself be a member of the security group (e.g., "gmsaservers") and have the gMSA installed, as described for the beacon server above.
- Open SQL Server Configuration Manager.
- Locate the SQL Server service you want to configure. For example, "SQL Server (MSSQLSERVER)".
- Right-click the service, select Properties, and go to the Log On tab.
- Select This account, input the gMSA name (e.g., "epgmsatest$"), leave the password fields empty, and click OK.
- Restart the SQL Server service.
- Open SQL Server Management Studio (SSMS).
- Connect to the SQL Server instance.
- Run the following SQL commands to create a login for the gMSA and grant it permissions. Replace the variables with your customized values and adjust the permissions to your requirements: the sysadmin role shown here is the broadest grant SQL Server has, and an inventory connector only reads data, so in production prefer a database user in the db_datareader role of the SCCM site database instead of sysadmin.
-- Create a login for the gMSA
CREATE LOGIN [YourDomain\YourGMSAName$] FROM WINDOWS;
-- Grant server-level permissions (broad; restrict in production)
ALTER SERVER ROLE sysadmin ADD MEMBER [YourDomain\YourGMSAName$];
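The least-privilege alternative to the sysadmin grant above, as an added PowerShell example that is not part of the Flexera documentation. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and a caller who is already a SQL Server sysadmin; the login, instance and database names are assumptions.

```powershell
# Added example (not from the Flexera documentation): grant the gMSA only what a
# read-only inventory connector needs, instead of the sysadmin role. Assumes the
# SqlServer module (Invoke-Sqlcmd) and that the caller is a SQL Server sysadmin.
# Names are assumptions: adjust the login, instance and database for your site.

#Requires -Modules SqlServer

$Login    = 'ENDPOINT\endpointgMSA$'   # assumption: DOMAIN\gMSA name, note the trailing $
$Instance = 'SCCMSQL01'                # assumption: SQL Server instance hosting the SCCM DB
$Database = 'CM_P01'                   # assumption: SCCM site database name

# Server level: a Windows login only. No server role is added.
$serverSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Login')
    CREATE LOGIN [$Login] FROM WINDOWS;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database 'master' -Query $serverSql

# Database level: a user mapped to the login, with read access only.
$dbSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Login')
    CREATE USER [$Login] FOR LOGIN [$Login];
IF IS_ROLEMEMBER('db_datareader', N'$Login') = 0
    ALTER ROLE db_datareader ADD MEMBER [$Login];
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $dbSql

# Verify: the login must exist, must NOT be sysadmin, and must be a db_datareader.
$check = @"
SELECT
    IS_SRVROLEMEMBER('sysadmin', N'$Login') AS IsSysadmin,
    IS_ROLEMEMBER('db_datareader', N'$Login') AS IsDataReader;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $check
```

Expected result of the final query is IsSysadmin = 0 and IsDataReader = 1. Because the beacon connection uses Windows Authentication, nothing else changes on the beacon side: SQL Server simply sees the gMSA's Kerberos identity and applies these grants.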
Additional tasks
The following sections provide information on some additional tasks that you might need to perform.
Configuring a domain controller on Windows Server
- Prepare the server.
- Install a supported version of Windows Server.
- Go to Network and Sharing Center, set a static IP address for the server, and input DNS server details.
- (Optional) Rename the server to a meaningful name (e.g. "EndpointDC") for easier identification in the domain. The server name can be changed in the system properties. Restart the server after renaming.
- Install the latest updates and patches to the server to ensure security and stability.
- Install the Active Directory Domain Services role.
- Run Server Manager, click Add Roles and Features.
- Choose either role-based or feature-based installation.
- Select the server from the list.
- Add the Active Directory Domain Services (AD DS) role.
- Add the required features when prompted.
- Restart the server if prompted.
- Promote the server to a domain controller.
- In Server Manager, click the triangle alert icon and select Promote this server to a domain controller.
- Select one of the following options for deployment configuration:
- Add a new forest: Choose this option if this is the first domain controller in the network.
- Add a domain controller to an existing domain: Choose this option if the domain already exists.
- Configure the domain:
- If you have selected Add a new forest, specify a root domain name. For example, "gmsatest.endpoint.com".
- If you have selected Add a domain controller to an existing domain, input the credentials of an existing domain controller.
- Set the Forest functional level and Domain functional level to the highest level supported by all servers in the network.
- Set a Directory Services Restore Mode (DSRM) password. This is used for recovery purposes.
- Leave the DNS configuration option as default. The installation wizard will configure DNS automatically.
- Review the summary, and click Install. The server will restart after the installation is complete.
- Verify the domain controller.
- In Server Manager, review the AD DS role status and ensure the domain is functional.
- Use the nslookup command to verify DNS resolution. For example:
nslookup epdc.gmsatest.endpoint.com
- If there are multiple domain controllers, run the following command to verify that replication is working:
repadmin /replsummary
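The same domain controller build as the wizard steps above, scripted, as an added PowerShell example that is not part of the Flexera documentation. The domain name is the example value from this page; the NetBIOS name is an assumption. Run it elevated on a freshly installed server with static addressing already configured.

```powershell
# Added example (not from the Flexera documentation): promote a server to a domain
# controller with PowerShell instead of the Server Manager wizard. The domain name is
# this page's example; the NetBIOS name is an assumption. Run elevated.

#Requires -RunAsAdministrator

$DomainName  = 'gmsatest.endpoint.com'  # assumption: root domain from this page's example
$NetbiosName = 'GMSATEST'               # assumption
$NewForest   = $true                    # $false = add a DC to an existing domain

# Static addressing and DNS must be in place before promotion (step 1 above).
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, DNSServer

# Install the AD DS role together with its management tools (RSAT, AD module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The DSRM password is for recovery only; enter it interactively, never hard-code it.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

if ($NewForest) {
    # First DC in the network: new forest, DNS installed and configured automatically.
    # WinThreshold is the Windows Server 2016 functional level; use the highest level
    # every DC in the network supports.
    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -ForestMode WinThreshold -DomainMode WinThreshold `
        -InstallDns -SafeModeAdministratorPassword $dsrm -Force
} else {
    # Additional DC: needs credentials of a domain admin in the existing domain.
    Install-ADDSDomainController -DomainName $DomainName `
        -Credential (Get-Credential -Message 'Domain admin account') `
        -InstallDns -SafeModeAdministratorPassword $dsrm -Force
}

# The server reboots at this point. After it is back, verify as the page describes:
#   Resolve-DnsName -Name "$env:COMPUTERNAME.$DomainName" -Type A
#   repadmin /replsummary    (only meaningful with more than one DC)
```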
Joining the computer to the domain
Perform the following steps to join the computer to the domain:
- Go to the system properties, and click Change Settings.
- In the Member of section, select Domain instead of Workgroup, and then input the domain details and domain admin credentials.
- Restart the system.
Updating the DNS server settings
If the domain controller name is not resolved by the existing DNS servers, perform the following steps to update the DNS server settings:
- Go to Network and Sharing Center, and then click Change adapter settings.
- Right-click Ethernet and select Properties.
- Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
- Update the DNS server addresses:
- Set the preferred DNS server to the domain controller IP.
- Set the alternate DNS server to the DNS server address the machine currently uses. Tip: To find the current DNS servers, open the command prompt and run the following command:
ipconfig /all
- Click OK to save the changes.
Troubleshooting: Installing the gMSA
The following table lists common errors you might encounter when installing the gMSA.
Error | Resolution |
---|---|
The cmdlet is not available (Active Directory module missing) | The cmdlet is part of the Active Directory module for Windows PowerShell. Ensure that the module is installed on your system by checking whether it is listed among the installed PowerShell modules. If the module is not listed, install the Remote Server Administration Tools (RSAT) for your version of Windows. If the module is installed but not imported, import it manually. |
Permission error when installing the gMSA | The error occurs when the computer or user doesn't have permission to access gMSA-related settings. Make sure the target computer is a member of the security group named in PrincipalsAllowedToRetrieveManagedPassword (see Add the target device to the security group used by the gMSA), restart the computer so its group membership takes effect, and rerun the installation from an elevated PowerShell session. |
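A pre-flight check covering both rows of the table, as an added PowerShell example that is not part of the Flexera documentation. Run it on the server where the gMSA is being installed; the gMSA and group names are the example values from this page.

```powershell
# Added example (not from the Flexera documentation): diagnose the two installation
# failures in the table above on the server where the gMSA is being installed.
# The gMSA and group names are assumptions taken from this page's examples.

#Requires -RunAsAdministrator

$GmsaName  = 'endpointgMSA'   # assumption: gMSA name from this page
$GroupName = 'gmsaservers'    # assumption: allowed-hosts group from this page

# 1. Active Directory module: list it, and install RSAT if it is missing.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    $os = Get-CimInstance Win32_OperatingSystem
    if ($os.ProductType -eq 1) {
        # Client OS (Windows 10/11): RSAT ships as a Feature on Demand.
        Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
    } else {
        # Windows Server: RSAT is an installable feature.
        Install-WindowsFeature -Name RSAT-AD-PowerShell
    }
}
Import-Module ActiveDirectory -ErrorAction Stop

# 2. Permission: is this computer allowed to retrieve the managed password?
$me      = Get-ADComputer -Identity $env:COMPUTERNAME
$gmsa    = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)   # distinguished names
$groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
$isMember = [bool](Get-ADGroupMember -Identity $GroupName -Recursive |
                   Where-Object { $_.SID.Value -eq $me.SID.Value })

if (($allowed -notcontains $groupDn) -or (-not $isMember)) {
    Write-Warning "$env:COMPUTERNAME cannot retrieve the password for $GmsaName."
    Write-Warning "Allowed principals: $($allowed -join ', ')"
    Write-Warning "Add the computer to $GroupName, then reboot so its Kerberos ticket picks up the membership."
} elseif (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    # Membership is correct in AD, but this host's ticket predates it.
    Write-Warning "Membership is correct but the account is not usable yet: reboot $env:COMPUTERNAME and retry."
} else {
    "$GmsaName is ready on $env:COMPUTERNAME"
}
```

The membership check is done twice on purpose: PrincipalsAllowedToRetrieveManagedPassword shows what the gMSA permits, and the group lookup shows whether this host is actually inside that permission. A gMSA that fails Test-ADServiceAccount despite both being correct has almost always not been rebooted since the group change.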
Troubleshooting: Configuring gMSA in the beacon
The following table lists common errors you might encounter when configuring the gMSA in the beacon.
Issue | Resolution |
---|---|
Unauthorized access exception error | Ensure the gMSA is a member of the local Administrators group on the server where the beacon is running. |
Login failed error | Use Windows Authentication. A gMSA is designed for integrated security: it authenticates services to resources such as SQL Server with Kerberos, and its password is managed by Active Directory and cannot be entered by hand. Selecting Selected User (a user name and password) therefore defeats the purpose of the gMSA and fails. |
Network-related or instance-specific error | Ensure that your firewall allows the required network connections to the server where SCCM and its SQL Server instance are installed. |