Support Group Managed Service Accounts #768

Merged: johnsimons merged 2 commits into master from SupportManagedServiceAccounts on Aug 12, 2016
gbiellem (Contributor) commented Aug 11, 2016

This change adds support for the use of Group Managed Service Accounts (GMSA) when setting up the ServiceControl service through the Management Utility.

To use a GMSA, enter the domain\username, including the trailing dollar sign, as the ServiceAccount in the management tool and leave the password field empty.

This will only work if the service account has been set up correctly as a GMSA in Active Directory. See this blog post for a simple guide on setting up GMSA (https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/).

Customer request:

Description: I want the Windows Service that NServiceBus.Host.exe creates
to be executed as a Group Managed Service Account. In Windows Server 2012,
you can create a special account in Active Directory called a Group Managed
Service Account (gMSA). You can use this account to host Windows Services,
IIS App Pools, Scheduled Tasks, and more. The advantage of using a gMSA is
that you don't have to know the password. In fact, no one knows the
password. When an administrator of a server creates a Windows Service
using services.msc, he (or she) can click on the login tab, type the gMSA's
UPN and leave the password blank. The server (if it is permitted to do so)
will retrieve the managed password from Active Directory. The password is
automatically changed and refreshed on a scheduled basis.

We run as many services as we can using gMSAs.

See also Particular/NServiceBus.Host#93

johnsimons (Member) commented:

@sfarmar did you test this with ServiceControl and it does not work?

seanfarmar (Contributor, Author) commented:

@johnsimons no, I didn't test it; I put the issue in to verify/fix this

gbiellem (Contributor) commented Aug 7, 2016

@johnsimons - it won't work; the whole idea behind GMSA is that no one knows the password.
In the SCMU and NSB host installation we require the user to provide the user name and password to set up the service.

I'll look into this as a maintainer task.

gbiellem self-assigned this on Aug 8, 2016
gbiellem changed the title from "Support GMSA accounts" to "[WIP] Support GMSA accounts" on Aug 11, 2016

johnsimons (Member) commented:

looks good @gbiellem

gbiellem changed the title from "[WIP] Support GMSA accounts" to "Support GMSA accounts" on Aug 12, 2016
johnsimons merged commit f6f570f into master on Aug 12, 2016
johnsimons deleted the SupportManagedServiceAccounts branch on August 12, 2016 00:32
gbiellem added this to the 1.23.0 milestone on Aug 12, 2016
gbiellem changed the title from "Support GMSA accounts" to "Support Group Managed Service Accounts" on Sep 12, 2016
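
The pull request description says a GMSA only works if the account is set up correctly in Active Directory. The script below is an added example, not code from this pull request or from the ServiceControl project, showing how an administrator could check that precondition on the host and then assign the account to a Windows service with no password. The service, domain and account names are placeholders, and it assumes the ActiveDirectory PowerShell module is installed and the session is elevated.

```powershell
# Added example. All three values are placeholders, not taken from the pull request.
$ServiceName = 'EXAMPLE-ServiceName'   # Windows service to reconfigure
$Domain      = 'EXAMPLE'               # NetBIOS domain name
$GmsaName    = 'svc-example'           # gMSA name without the trailing dollar sign

Import-Module ActiveDirectory

# 1. Confirm the account is a group managed service account, not an ordinary user.
$acct = Get-ADServiceAccount -Identity $GmsaName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword
if ($acct.ObjectClass -ne 'msDS-GroupManagedServiceAccount') {
    throw "$GmsaName is not a group managed service account."
}

# 2. Confirm this host is allowed to retrieve the managed password.
#    Test-ADServiceAccount returns $false when the computer is not among the
#    principals listed on the account.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    $allowed = $acct.PrincipalsAllowedToRetrieveManagedPassword -join '; '
    throw "This host cannot use $GmsaName. Allowed principals: $allowed"
}

# 3. Build the logon name with the trailing dollar sign and assign it to the
#    service without supplying a password.
$logon = '{0}\{1}$' -f $Domain, $GmsaName
sc.exe config $ServiceName obj= $logon
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# 4. Mark the service account password as managed, then read the setting back.
sc.exe managedaccount $ServiceName true
if ($LASTEXITCODE -ne 0) { throw "sc.exe managedaccount failed with exit code $LASTEXITCODE" }
sc.exe qmanagedaccount $ServiceName

# 5. Restart so the service logs on under the new identity; a failure to start
#    here usually means the account lacks rights the service needs.
Restart-Service -Name $ServiceName
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State
```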