If you want to run your EmpowerID services and app pools as group managed service accounts (gMSA), this topic provides details on how to configure your domain controller, SQL Server, and the computers where you run the service. For more information about such service accounts, see Microsoft's gMSA Overview topic.

Configure your domain controller

  1. Copy and save the below PowerShell script on your domain controller machine.

    # Run this script on Domain Controller
    
    param(
        [Parameter(Mandatory=$true)][string]   $ServiceAccountName,
        [Parameter(Mandatory=$true)][string]   $DNSHostName,
        [Parameter(Mandatory=$true)][string[]] $ServerList
    )
    
    # The ActiveDirectory module is needed for the cmdlets below
    Install-WindowsFeature rsat | Out-Null
    Import-Module ActiveDirectory
    
    # Check that each server name ends with a dollar sign and exists in AD
    foreach ($Server in $ServerList) {
        if (-not $Server.EndsWith('$')) {
            Write-Output "`r`nPlease append a dollar sign `$ to each server name (e.g. $Server`$)."
            exit 1
        }
        try {
            Get-ADComputer -Identity $Server -ErrorAction Stop | Out-Null
        }
        catch {
            Write-Output "$Server does not exist"
            exit 1
        }
    }
    
    # Get KDS Root Key; create one if the forest has none
    $KdsRootKey = Get-KdsRootKey
    if ($null -eq $KdsRootKey) {
        # Backdating the effective time makes the key usable immediately (fine for a lab).
        # In production use Add-KdsRootKey -EffectiveImmediately and wait 10 hours so every DC has replicated it.
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    }
    
    # Create the gMSA, or update it if an account with this name already exists
    $ServiceAccount = Get-ADServiceAccount -Filter "Name -eq '$ServiceAccountName'"
    if ($ServiceAccount) {
        Set-ADServiceAccount -Identity $ServiceAccountName -DNSHostName $DNSHostName -PrincipalsAllowedToRetrieveManagedPassword $ServerList
    }
    else {
        New-ADServiceAccount -Name $ServiceAccountName -DNSHostName $DNSHostName -PrincipalsAllowedToRetrieveManagedPassword $ServerList
    }
  2. On your domain controller, open PowerShell as an administrator and run the above script, providing values for the following parameters:

    • ServiceAccountName – A name for the service account you are creating

    • DNSHostName – The DNS hostname for the service account (e.g., mycompanydomain.com or mycompany.internal)

    • ServerList – The servers you use for EmpowerID (SQL, DC, computers where you run the service as a service account), each followed by a dollar sign (e.g., sql02$, prod-dc01$, my-server$)

  3. Verify the account by opening Active Directory Users and Computers, expanding your domain, and looking under the Managed Service Accounts node.
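The same verification can be done from PowerShell, which also shows the one thing the console view does not make obvious: exactly which computers are allowed to retrieve the managed password. This is an added example, not a script from the original page; the account name and server list are assumed sample values.

```powershell
# Added example, not part of the original page: audit a gMSA after the domain-controller
# script has run. The account name and server list below are assumed sample values.
param(
    [string]   $ServiceAccountName = 'kimgMSA',                                # assumed
    [string[]] $ExpectedServers    = @('sql02$', 'prod-dc01$', 'my-server$')   # assumed
)

Import-Module ActiveDirectory

$gmsa = Get-ADServiceAccount -Identity $ServiceAccountName -Properties DNSHostName,
            PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays

# The allowed principals are stored as distinguished names; resolve each to its sAMAccountName
$allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    (Get-ADObject -Identity $dn -Properties sAMAccountName).sAMAccountName
}

# Compare case-insensitively and ignoring the trailing dollar sign
$expected = @($ExpectedServers | ForEach-Object { $_.TrimEnd('$').ToUpperInvariant() })
$actual   = @($allowed         | ForEach-Object { $_.TrimEnd('$').ToUpperInvariant() })
$missing  = @($expected | Where-Object { $_ -notin $actual })
$extra    = @($actual   | Where-Object { $_ -notin $expected })

# A missing host means the service cannot start there; an extra host means a machine that was
# never meant to hold this identity can retrieve its password
foreach ($name in $missing) { Write-Warning "$name cannot retrieve the managed password" }
foreach ($name in $extra)   { Write-Warning "$name can retrieve the managed password but is not in the expected list" }
if ($gmsa.ObjectClass -ne 'msDS-GroupManagedServiceAccount') {
    Write-Warning "$ServiceAccountName is a $($gmsa.ObjectClass), not a group managed service account"
}

[pscustomobject]@{
    Name                 = $gmsa.Name
    Enabled              = $gmsa.Enabled
    DNSHostName          = $gmsa.DNSHostName
    PasswordIntervalDays = $gmsa.ManagedPasswordIntervalInDays
    AllowedPrincipals    = $allowed -join ', '
    Healthy              = ($missing.Count -eq 0 -and $extra.Count -eq 0 -and $gmsa.Enabled)
}
```

Run it on the domain controller after the script above; Healthy is True only when the allowed principals match the ServerList you passed in and the account is enabled.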

Configure SQL Server

Next, give your Group Managed Service Account access to the SQL database.

  1. Open Microsoft SQL Server Management Studio and connect to your server that hosts EmpowerID.

  2. In the Object Explorer, expand the Security node, right-click Logins, and select New Login.

  3. In the Login - New window that appears, next to Login name, enter your DNS Host and new Group Managed Service Account name separated by a backslash and with a trailing dollar sign (e.g., ADDOMAIN\kimgMSA$).

  4. At the top left, under Select a page, select User Mapping.

  5. Under Users mapped to this login, select EmpowerID. Your gMSA appears in the user column.

  6. In the Default Schema column, type dbo.

  7. Under Database role membership for: EmpowerID, select the following roles and click OK.

    • db_owner

    • EmpowerID Developer

    • EmpowerIDService

    • public

The login appears in Microsoft SQL Server Management Studio under the Security > Logins node.

Configure computers to run the service

  1. Copy and save the following PowerShell script on each machine where you want to run the service.

    param(
        [Parameter(Mandatory=$true)][string] $ServiceAccountName
    )
    
    # Install the AD PowerShell module (Windows Server; on client editions of Windows use Add-WindowsCapability instead)
    Add-WindowsFeature RSAT-AD-PowerShell | Out-Null
    Import-Module ActiveDirectory
    
    # Install the gMSA on this computer and confirm it can retrieve the managed password
    try {
        Install-ADServiceAccount -Identity $ServiceAccountName -ErrorAction Stop
        Test-ADServiceAccount -Identity $ServiceAccountName
    }
    catch {
        $ErrorMessage = $_.Exception.Message
        Write-Output "Failed to Install-ADServiceAccount with Error Message:`r`n $ErrorMessage `r`n`r`n You either did not run the script as Admin or did not give the Service Account the right to be installed on a specified computer."
    }
  2. Run the script as an administrator.

  3. Supply your ServiceAccountName when prompted, or use the following command to run the script, replacing kimgMSA with your account.

    Code Block
    languagepowershell
    .\GMSA_Install-ADServiceAccount.ps1 -ServiceAccountName kimgMSA
  4. The value True appears in the results to indicate that the service account was installed successfully.

  5. From the Start menu, open Computer Management, and add the service account to the Administrators group using the following steps.

    1. Expand System Tools, then Local Users and Groups, and select Groups.

    2. Double-click the Administrators group, and click the Add button in the dialog that appears.

    3. In the dialog that appears, in the Enter object names to select box, enter your DNS host name and gMSA name separated by a backslash, e.g., addomain\kimgMSA, and click Check Names. The service account name appears underlined, without the DNS host.

    4. Click OK. The service account is added to the list of Administrators group members.

Run the service with the GMSA

  1. On your EmpowerID machine, open services.msc.

  2. Right-click the EmpowerID Web Role Service and click Properties.

  3. In the dialog that appears, select the Log On tab, and next to This account, enter your DNS host and gMSA name followed by the dollar sign, e.g. addomain\kimgMSA$.

  4. Be sure that the password fields are cleared, and click OK.

  5. A Services message box informs you that the account has been granted the Log On As A Service right. Click OK.

  6. Repeat these steps to have the service account run the EmpowerID Worker Role Service.

Configure app pools to use the service account

  1. Copy and save the following PowerShell script on each machine where you want to run the service.

    param (
        [Parameter(Mandatory=$true)][string] $Account # e.g. PROD\TestgMSAAccount$ (include the trailing dollar sign)
    )
    
    Import-Module WebAdministration
    
    $AppPoolArray = "API Exchange Services",
                    "API Sql",
                    "API Web Garden",
                    "API Workflow",
                    "API Secure Services",
                    "API SQL Web Services",
                    "API Web Service Garden",
                    "API Workflow Web Services",
                    "EmpowerID",
                    "EmpowerID Exchange Services",
                    "EmpowerID IDP",
                    "EmpowerID IDPs",
                    "EmpowerID SQL Web Services",
                    "EmpowerID UI",
                    "EmpowerID Web API",
                    "EmpowerID Web CDN",
                    "EmpowerID Web Reports",
                    "EmpowerID Web Service Garden",
                    "EmpowerID Web Services",
                    "EmpowerID Workflow Web Services"
    foreach ($AppPool in $AppPoolArray) {
        $Path = "IIS:\AppPools\$AppPool"
        if (-not (Test-Path $Path)) {
            Write-Output "Skipping '$AppPool': application pool not found on this machine"
            continue
        }
        # identitytype 3 = SpecificUser; no password is set because AD manages the gMSA password
        Set-ItemProperty $Path -Name processModel -Value @{userName=$Account;identitytype=3}
    }
  2. Run the script as an administrator.

  3. When prompted, supply your DNS Host and gMSA account followed by the dollar sign, e.g., addomain\kimgMSA$, or use the following command to run the script, replacing addomain and kimgMSA with your DNS and account name.

    .\EID_SetAppPoolIdentity.ps1 -Account addomain\kimgMSA$
  4. To verify the changes, open IIS Manager, expand the EmpowerID connection, and click Application Pools. You should see that each EmpowerID application pool has the service account as its identity.
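For the two services configured in the previous section and the application pools configured here, the following script reports any EmpowerID service or app pool on the local machine that is not running as the gMSA, including a pool that still has a stored password. It is an added example, not part of the original page; the identity value is an assumed sample and the service display names are the ones used above.

```powershell
# Added example, not part of the original page: confirm that the EmpowerID services and
# application pools on this machine run under the gMSA. The identity below is an assumed sample value.
param(
    [string] $ExpectedIdentity = 'addomain\kimgMSA$'   # assumed; DOMAIN\gMSA name with trailing dollar sign
)

Import-Module WebAdministration

$serviceNames = 'EmpowerID Web Role Service', 'EmpowerID Worker Role Service'
$issues = New-Object System.Collections.Generic.List[string]

# Windows services: Win32_Service.StartName holds the logon account (comparison is case-insensitive)
$services = @(Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -in $serviceNames })
if ($services.Count -lt $serviceNames.Count) {
    $issues.Add('one or more EmpowerID services are not installed on this machine')
}
foreach ($svc in $services) {
    if ($svc.StartName -ne $ExpectedIdentity) {
        $issues.Add("service '$($svc.DisplayName)' runs as '$($svc.StartName)'")
    }
}

# IIS application pools: identityType must be SpecificUser with the gMSA, and no password may be stored
$pools = Get-ChildItem IIS:\AppPools | Where-Object { $_.Name -like 'EmpowerID*' -or $_.Name -like 'API *' }
foreach ($pool in $pools) {
    $pm = $pool.processModel
    if ($pm.identityType -ne 'SpecificUser' -or $pm.userName -ne $ExpectedIdentity) {
        $issues.Add("app pool '$($pool.Name)' runs as '$($pm.identityType)/$($pm.userName)'")
    }
    elseif (-not [string]::IsNullOrEmpty($pm.password)) {
        $issues.Add("app pool '$($pool.Name)' has a stored password; a gMSA pool must have none")
    }
}

if ($issues.Count -eq 0) {
    Write-Output "All EmpowerID services and application pools run as $ExpectedIdentity"
}
else {
    $issues | ForEach-Object { Write-Warning $_ }
}
exit $issues.Count
```

Run it as an administrator on each EmpowerID machine; a non-zero exit code means at least one service or pool still uses a different identity.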
