
Global Webcast: Making a Security Difference with a group Managed Service Account
Conditions and Terms of Use
Microsoft Confidential

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure
Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.

The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited
to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

Training package content, including URLs and other Internet website references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the
content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks


© 2014 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in
written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.

For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/en-us/legal/intellectualproperty/Permissions/default.aspx

Microsoft, Internet Explorer, Outlook, OneDrive, Windows Vista, Zune, Xbox 360, DirectX, Windows Server and Windows are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries. All other trademarks are property of their respective owners.
Advanced Security with a group Managed Service Account (gMSA)

Module Overview

Section 1: What is a gMSA (group Managed Service Account)
• What you need to know about a gMSA
• How does it differ from previous versions?
• General overview
What is a gMSA? (group Managed Service Account)
• A group Managed Service Account is an account that is derived from the computer object class.
• The gMSA provides a number of capabilities that are currently unavailable in any other account type.
Benefits
• Benefits of a gMSA
o Automatic password management without service disruption
o Password is not disclosed
o Complex and strong password
o Account cannot be used for interactive logon

gMSA vs. sMSA
• gMSA differs from sMSA (standalone Managed Service Account):
o Multiple authorized hosts can share the same gMSA allowing a server farm to
appear as the same service to clients
o Supports mutual authentication protocols running on multiple member hosts

High Level Overview of a gMSA Deployment
1. Activate the Root Key in the Domain
2. Create the gMSA in the domain
3. Deploy the gMSA on a host server
4. Configure the service
Managing a gMSA

Module            CmdLet                       Notes
KDS               Add-KDSRootKey               Creates the KDS Root key
ActiveDirectory   Get-ADServiceAccount         Retrieves information about a gMSA in Active Directory
ActiveDirectory   Install-ADServiceAccount     Adds the gMSA to the local member host
ActiveDirectory   New-ADServiceAccount         Creates a new gMSA object in Active Directory
ActiveDirectory   Remove-ADServiceAccount      Deletes a gMSA object in Active Directory
ActiveDirectory   Set-ADServiceAccount         Modifies a gMSA in Active Directory
ActiveDirectory   Test-ADServiceAccount        Tests if the gMSA is valid and usable by the member host
ActiveDirectory   Uninstall-ADServiceAccount   Removes a gMSA from the local host
Overview of MSA per Operating System

Feature/functionality            Windows Server 2008 R2   Windows Server 2012 / Windows Server 2012 R2
Virtual Computer Accounts        Yes                      Yes
Managed Service Accounts         Yes                      Yes
Group Managed Service Accounts   No                       Yes
Windows PowerShell cmdlets       Yes                      Yes
Section 2: How to create a gMSA
• What are the prerequisites to create a gMSA?
• How to create a gMSA?
gMSA Deployment Requirements: Active Directory
• Active Directory Requirements:
o Windows Server 2012 Schema update in gMSA domain’s forest
o KDS root key created in the forest hosting the gMSA
o gMSA account provisioned
o Member host’s domain controllers (DCs): All currently supported Windows
Server stock-keeping units (SKUs) that can run Active Directory Domain Services
o gMSA account’s DCs: Enough Windows Server 2012 or newer DCs to support
the additional password retrieval traffic

gMSA Deployment Requirements: Hosts
• Operating system requirements for authentication to work with services
using gMSA:
o Shared service member hosts: Windows Server 2012 or Windows Server 2012 R2

Preparation and Creation of the gMSA
The initial creation is a 2-step process:
1. Create the KDS Root Key (only has to be done once per domain).
2. Create and configure the gMSA.

Remark:
Root key creation only needs to be executed one time per domain.

Demonstration: Preparation and Creation of a gMSA
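The two creation steps in PowerShell, as an added example (not the deck's demo). The domain, group, host and account names are placeholders; the cmdlets are the ones listed in the "Managing a gMSA" table plus the standard ActiveDirectory group cmdlets.

```powershell
# Added example: create the KDS root key and a gMSA. All names are placeholders.
Import-Module ActiveDirectory

# Step 1: KDS root key. Done once; even with -EffectiveImmediately the key needs
# about 10 hours to replicate to all DCs before gMSA creation succeeds.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# The farm's computer accounts go into a security group that is allowed to
# retrieve the managed password. Using a group (not individual hosts) makes
# later eviction a single group-membership change.
$group = "gMSA-Web-Hosts"
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $group -Members "WEB01$", "WEB02$"

# Step 2: the gMSA itself. Set DNS name, SPNs and Kerberos etypes up front;
# the password change interval cannot be changed after creation.
New-ADServiceAccount -Name "svc-web" `
    -DNSHostName "web.corp.example.com" `
    -ServicePrincipalNames "HTTP/web.corp.example.com", "HTTP/web" `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType "AES128, AES256" `
    -ManagedPasswordIntervalInDays 30

# Review the result before handing the account to the host administrators.
Get-ADServiceAccount -Identity "svc-web" `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames, KerberosEncryptionType |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames, KerberosEncryptionType
```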
Section 3: How to deploy a gMSA
• Deploy the created gMSA to specified servers
Configure the gMSA on the Host
The following steps are taken on the host:
1. Install the gMSA on the host
2. Test the gMSA on the host
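The two host-side steps in PowerShell, as an added example (not the deck's demo), preceded by a check that the host is actually allowed to retrieve the password, which is the usual cause of "Access Denied" later in the troubleshooting workflow. The gMSA name is a placeholder.

```powershell
# Added example: deploy a gMSA to a member host and verify it. Names are placeholders.
Import-Module ActiveDirectory
$gmsa = "svc-web"

# Who may retrieve the managed password? Expand groups to computer accounts and
# confirm this host is among them before attempting the install.
$acct = Get-ADServiceAccount -Identity $gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = foreach ($p in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $p
    if ($obj.ObjectClass -eq 'group') {
        (Get-ADGroupMember -Identity $p -Recursive).Name
    } else {
        $obj.Name
    }
}
if ($env:COMPUTERNAME -notin $allowed) {
    throw "$env:COMPUTERNAME is not allowed to retrieve the password for $gmsa"
}

# Step 1: install (caches the gMSA on this host). Note that a host added to the
# group only picks that group up in its TGT after a reboot.
Install-ADServiceAccount -Identity $gmsa

# Step 2: test. $true means the host can retrieve the password now.
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    throw "Install succeeded but $gmsa is not usable yet; check replication and reboot the host"
}

# The service itself is then configured (services.msc or sc.exe config) with
# DOMAIN\svc-web$ as the account and an empty password; the SCM fetches it.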

Considerations before Deploying a gMSA
• Does the service support the use of gMSAs?
• Does the service require inbound or outbound authentication of the
gMSA?
• Member hosts for the service using the gMSA
• DNS host name for the service
• Ensure unique Service Principal Names (SPNs) for the service
• Ensure Kerberos Etypes are supported
• Password change interval (default is 30 days)
o Cannot change once instantiated

Demonstration: Deploy and Test a gMSA on a Host

Section 4: gMSA with Scheduled Tasks
• How to use a gMSA with scheduled tasks
Configure the Scheduled Tasks with a gMSA
1. Configure the Scheduled task with gMSA
• Action
• Trigger
• Principal
2. Provide the necessary rights to the gMSA
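Both steps in PowerShell, as an added example (not the deck's demo): the action, trigger and principal are built separately and registered together, and the principal is what makes the task run as the gMSA. The task name, script path and account name are placeholders; the gMSA must already be installed on the host.

```powershell
# Added example: register a scheduled task that runs as a gMSA. Names are placeholders.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).NetBIOSName
$gmsa   = "svc-web"
$script = "C:\Scripts\Nightly.ps1"

# Action and trigger are the same as for any other task.
$action  = New-ScheduledTaskAction -Execute "PowerShell.exe" `
    -Argument "-NoProfile -File $script"
$trigger = New-ScheduledTaskTrigger -Daily -At 2am

# Principal: the gMSA name with its trailing $, logon type Password and no
# credential supplied. Task Scheduler retrieves the managed password itself.
$principal = New-ScheduledTaskPrincipal -UserId "$domain\$gmsa`$" -LogonType Password

Register-ScheduledTask -TaskName "Nightly-Job" -Action $action `
    -Trigger $trigger -Principal $principal

# Step 2: rights. The gMSA needs the "Log on as a batch job" user right on this
# host (Local Security Policy / GPO) and NTFS read access to the script and to
# whatever the script touches. Show which ACEs on the script name the gMSA:
(Get-Acl $script).Access | Where-Object { $_.IdentityReference -like "*$gmsa*" }
```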

Demonstration: Use a gMSA for Scheduled Tasks

Section 5: gMSA with ADFS
• How to use a gMSA with an ADFS service
Scenarios for using a gMSA with ADFS
A gMSA can be used to configure ADFS in one of the following ways:
1. Automatically created during the ADFS installation
2. Migrate an existing non-gMSA service account to a gMSA
Demonstration: Use ADFS with a gMSA

Section 6: gMSA with DirSync
• How to use a gMSA with DirSync
Demonstration: Use DirSync with a gMSA

Section 7: How to Evict a Compromised Host from a gMSA
• How to evict a gMSA when the host is compromised or when the service is not used any more
Evicting a Compromised Host
• Remove a member host from the password retrieval security group
• Copy the compromised gMSA to a new gMSA
• Delete the compromised gMSA
• Add the new gMSA to the security group used for access control
• Rename new gMSA to the same name as that of the old gMSA to avoid
having to re-configure the SCM or IIS app pools of all the members of a
farm
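The five eviction steps in PowerShell, as an added example (not the deck's demo). Group, host and account names are placeholders. One ordering detail beyond the slide: the SPNs are moved to the new account only after the old one is deleted, because newer DCs reject duplicate SPNs.

```powershell
# Added example: evict a compromised host from a gMSA. Names are placeholders.
Import-Module ActiveDirectory
$old     = "svc-web"
$new     = "svc-web-new"
$hosts   = "gMSA-Web-Hosts"   # password retrieval group
$access  = "Web-App-Access"   # group used for access control (ACLs, shares, ...)
$badHost = "WEB02"

# 1. Remove the compromised host so it can no longer retrieve the password.
Remove-ADGroupMember -Identity $hosts -Members "$badHost`$" -Confirm:$false

# 2. Copy the gMSA. A new object means a new managed password that the
#    compromised host never held. SPNs are added in step 3 to avoid duplicates.
$src = Get-ADServiceAccount -Identity $old -Properties DNSHostName, ServicePrincipalNames,
    PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType, 'msDS-ManagedPasswordInterval'
New-ADServiceAccount -Name $new `
    -DNSHostName $src.DNSHostName `
    -PrincipalsAllowedToRetrieveManagedPassword $src.PrincipalsAllowedToRetrieveManagedPassword `
    -KerberosEncryptionType ($src.KerberosEncryptionType -join ', ') `
    -ManagedPasswordIntervalInDays $src.'msDS-ManagedPasswordInterval'

# 3. Delete the compromised gMSA, then move its SPNs to the new account.
Remove-ADServiceAccount -Identity $old -Confirm:$false
Set-ADServiceAccount -Identity $new -ServicePrincipalNames @{Add = @($src.ServicePrincipalNames)}

# 4. Put the new gMSA into the access-control group.
Add-ADGroupMember -Identity $access -Members "$new`$"

# 5. Rename (both SAM name and CN) so farm members keep their SCM / IIS config.
Set-ADServiceAccount -Identity $new -SamAccountName "$old`$"
$obj = Get-ADServiceAccount -Identity "$old`$"
Rename-ADObject -Identity $obj.DistinguishedName -NewName $old
```

The remaining farm members must still run Install-ADServiceAccount again (or reboot) to pick up the renamed account's new password.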

Demonstration: Evicting Hosts Out of a gMSA Configuration

Section 8: Possible Issues with a gMSA
• Possible issues and pitfalls faced when using a gMSA
Unsupported Applications
• The following applications and components are not supported with gMSA in their current iterations:
o Windows Failover Cluster
  - Services on a cluster can use gMSA or sMSA if the service supports it
o Microsoft Exchange Server
o Microsoft SharePoint

Note: This is a partial list only
Troubleshooting Workflow
• Are there gMSA creation errors?
o KDS Root key was not first created
  - Create with Add-KdsRootKey
o 10 hours have not passed since KDS Root key creation
  - Wait over 10 hours
o Active Directory replication problems
  - Validate with repadmin.exe and the Directory Service event logs
o Windows PowerShell syntax errors
Troubleshooting Workflow (continued)
• Are you failing to configure an application on a member host? (cannot install service account, "Access Denied")
o Check Security-NetLogon operational log
o Host is not part of the allowed group
  - Add host to group
  - Validate Active Directory replication
  - Restart host
o Host has not yet added the allow group to its token/ticket-granting ticket (TGT)
  - Validate Active Directory replication
  - Restart host
o gMSA was not installed
  - Install using Install-AdServiceAccount
  - Check vendor documentation for gMSA support
Troubleshooting Workflow (continued)
• Is there a problem with gMSA authentication?
o Check Security-NetLogon operational log
o Service or application fails to log on
  - Ensure that you are using the domain-qualified gMSA account name with $ at the end (DOMAIN\name$)
  - Ensure that no password has been specified
  - Validate Active Directory availability (check replication and DS event logs)
  - Validate Kerberos encryption support
o Service or application fails to authenticate remote connections inbound and/or outbound
  - Ensure correct Service Principal Names are specified against the gMSA
  - Ensure no duplicate SPNs with SETSPN.EXE /X or /Q
o Application does not support sMSA/gMSA
  - Contact the vendor for an updated version

Demonstration: Troubleshooting a gMSA
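The checks from the three troubleshooting slides collected into one script, as an added example (not the deck's demo). The gMSA name is a placeholder; repadmin.exe and setspn.exe come with RSAT, and the Netlogon log name is the standard operational channel the slides refer to.

```powershell
# Added example: run the checks behind the troubleshooting workflow. Names are placeholders.
Import-Module ActiveDirectory
$gmsa = "svc-web"

# Creation errors: is there a KDS root key, and has it been effective for 10+ hours?
$key = Get-KdsRootKey | Sort-Object EffectiveTime | Select-Object -Last 1
if (-not $key) {
    Write-Warning "No KDS root key exists; create one with Add-KdsRootKey"
} elseif ($key.EffectiveTime -gt (Get-Date).AddHours(-10)) {
    Write-Warning "KDS root key effective since $($key.EffectiveTime); wait 10 hours after creation"
}

# Replication problems surface here and in the Directory Service event log.
repadmin.exe /replsummary

# "Access Denied" on a member host: can this host use the account, and what
# does Netlogon say? A host newly added to the allow group needs a reboot
# before the group appears in its TGT.
if (-not (Test-ADServiceAccount -Identity $gmsa)) {
    Write-Warning "$env:COMPUTERNAME cannot use $gmsa; check group membership, replication, reboot"
}
Get-WinEvent -LogName "Microsoft-Windows-Security-Netlogon/Operational" -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# Authentication problems: duplicate SPNs forest-wide, and the etypes the gMSA
# actually offers versus what the client and service support.
setspn.exe /X
Get-ADServiceAccount -Identity $gmsa -Properties KerberosEncryptionType, ServicePrincipalNames |
    Select-Object Name, KerberosEncryptionType, ServicePrincipalNames
```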
