Group Managed Service Account (gMSA)

Group Managed Service Account (gMSA) is in many ways similar to a Managed Service Account (MSA): the password is managed automatically, is long, and is rotated periodically without administrator involvement. The difference between an MSA and a gMSA is that several machines can use the same gMSA. If you run a service on a server farm and want to use Integrated Authentication, use a gMSA: when a client requests a Kerberos ticket for the service, it does not matter which instance in the farm processes the request, because every instance shares the same account.

In order to get gMSA to work in Active Directory, and as a prerequisite for using gMSA during Gatekeeper installation, the domain administrator must create the Key Distribution Service (KDS) root key. Log in to a domain controller (Windows Server 2012 or later) and run “Add-KdsRootKey -EffectiveImmediately” from a Windows PowerShell session that has the Active Directory module installed.

NOTE

Even though the -EffectiveImmediately flag is used, it can take some time before the DC has created the KDS root key. Run Get-KdsRootKey to verify that the root key exists before continuing.

More information on gMSA: https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview

More information on creating KDS root key: https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key
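The following PowerShell is an added example, not part of the Gatekeeper documentation, showing the prerequisite step above with the verification the NOTE calls for: it creates the KDS root key only if none exists, then polls Get-KdsRootKey until a key with an EffectiveTime in the past is reported, instead of assuming the key is usable the moment the cmdlet returns. The 15-minute polling window is an assumption chosen for the example.

```powershell
# Added example (not from the Gatekeeper documentation). Run as a domain
# administrator on a domain controller, or on a machine that has the
# Active Directory PowerShell module installed.
Import-Module ActiveDirectory

# The KDS root key is domain-wide: create it only when none exists yet.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# Key creation is not instantaneous even with -EffectiveImmediately, so poll
# until Get-KdsRootKey reports a key whose EffectiveTime has already passed.
# The 15-minute limit is an assumption for this example; adjust to taste.
$deadline = (Get-Date).AddMinutes(15)
$keys = $null
do {
    $keys = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
    if ($keys) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

if ($keys) {
    # One or more usable root keys exist; gMSA creation can proceed.
    $keys | Select-Object KeyId, CreationTime, EffectiveTime | Format-Table -AutoSize
} else {
    Write-Warning "No effective KDS root key yet. Wait, re-run Get-KdsRootKey, and only then create the gMSA."
}
```

Run this before starting the Gatekeeper installation; if the warning is printed, the gMSA creation step in the wizard will fail until the root key becomes effective.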

Creating gMSA during Gatekeeper installation

Administrators can let the installation process create the gMSA, or pick an existing gMSA. The Gatekeeper installation wizard sets up the permissions needed for the machine on which Gatekeeper is installed to use the gMSA. If the gMSA is created during the installation, the server installing Gatekeeper must be restarted so that it obtains the tokens needed to access the gMSA. The restart should be smooth: after you sign in again, the installation wizard reopens and continues from where it left off before the restart.
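For administrators who prefer to pick an existing gMSA rather than let the wizard create one, the PowerShell below is an added example (not the Gatekeeper installer's own code) of pre-creating the account and granting the Gatekeeper server the right to retrieve its password, which is the permission the wizard would otherwise configure. The account name svc-gatekeeper, the group Gatekeeper-Hosts, the DNS suffix corp.example and the server name GK01 are placeholders. The retrieval right is granted to a group rather than to a single computer object so that further farm members can be added later without touching the account.

```powershell
# Added example (not from the Gatekeeper documentation). All names below are
# placeholders: replace the gMSA name, group name, DNS suffix and host name.
Import-Module ActiveDirectory

$gmsaName  = 'svc-gatekeeper'    # placeholder; sAMAccountName becomes svc-gatekeeper$ (max 15 chars)
$hostGroup = 'Gatekeeper-Hosts'  # placeholder security group of servers allowed to use the gMSA
$dnsSuffix = 'corp.example'      # placeholder DNS suffix of the domain
$gkHost    = 'GK01'              # placeholder name of the server running Gatekeeper

# 1. Group whose members may retrieve the managed password. Granting the right
#    to a group, not a single computer, is what lets several farm members share
#    the account.
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security | Out-Null
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity $gkHost)

# 2. Create the gMSA if it does not exist, restricted to AES Kerberos keys.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$dnsSuffix" `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
        -KerberosEncryptionType AES128, AES256
}

# 3. Review who is allowed to retrieve the password before handing the account
#    to the installer; anything beyond the host group here is a finding.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# 4. On the Gatekeeper server itself, after the restart that refreshes the
#    computer's group-membership token, confirm the host can use the account.
#    Test-ADServiceAccount returns $false until that token is in place, which
#    is the same symptom the wizard's restart requirement addresses.
# Install-ADServiceAccount -Identity $gmsaName
# Test-ADServiceAccount -Identity $gmsaName
```

Steps 1 to 3 run with domain administrator rights on a machine with the Active Directory module; step 4 is run on the Gatekeeper server and is left commented out so the script is safe to run from the administration host.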