You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Configure Group Managed Service Accounts
If you want to run your EmpowerID services and app pools as group managed service accounts (gMSA), this topic provides details on how to configure your domain controller, SQL Server, and the computers where you run the service. For more information about such service accounts, see Microsoft's gMSA Overview topic.

Configure your domain controller

  1. Download the PowerShell script located here on your domain controller machine.

  2. Open PowerShell as an administrator and run the script, providing the following parameters:

    • ServiceAccountName – A name for the service account you are creating

    • DNSHostName – The DNS host name for the service account (e.g., addomain.com or mycompany.internal)

    • ServerList – The servers you use for EmpowerID (SQL, DC, computers where you run the service as a service account) each followed by a dollar sign (e.g. sql02$, prod-dc01$, my-server$)

  3. To verify the account, open Active Directory Users and Computers, expand your domain, and look under the Managed Service Accounts node.
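The script linked in step 1 is not reproduced on this page. The following is an added example (not the EmpowerID project's script) that performs the same three-parameter creation with the ActiveDirectory module on a domain controller and then reads the account back, which is the PowerShell equivalent of the verification in step 3. The parameter names mirror the ones listed above; the sample values, the FQDN form of DNSHostName, and the KDS root key handling are assumptions.

```powershell
# Added example, not the EmpowerID project's script: create the gMSA described above.
# Run on a domain controller as an administrator with the ActiveDirectory module available.
param(
    [Parameter(Mandatory)] [string]   $ServiceAccountName,  # e.g. kimgMSA (placeholder)
    [Parameter(Mandatory)] [string]   $DNSHostName,         # e.g. kimgMSA.addomain.com (assumed form)
    [Parameter(Mandatory)] [string[]] $ServerList           # e.g. 'sql02$','prod-dc01$','my-server$'
)
Import-Module ActiveDirectory

# A KDS root key must exist before any gMSA password can be generated.
# Even with -EffectiveImmediately, a new key only becomes usable after it has
# replicated to all DCs (up to about 10 hours), so create it well ahead of time.
if (-not (Get-KdsRootKey)) {
    Write-Warning "No KDS root key found; creating one. It can take up to 10 hours to become usable."
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# Only the principals listed here can retrieve the managed password, which is
# what lets a host run services as this account. Keep ServerList to the hosts
# that actually run EmpowerID; every extra entry is another place the password
# can be read from.
New-ADServiceAccount -Name $ServiceAccountName `
    -DNSHostName $DNSHostName `
    -PrincipalsAllowedToRetrieveManagedPassword $ServerList `
    -Enabled $true

# Verification: the same account that Active Directory Users and Computers shows
# under the Managed Service Accounts node.
Get-ADServiceAccount -Identity $ServiceAccountName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, Enabled, PrincipalsAllowedToRetrieveManagedPassword
```

The trailing dollar sign in each ServerList entry is the sAMAccountName form of a computer account, which is how Active Directory resolves the computer principals that are allowed to retrieve the password.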

Configure SQL Server

Next, give your Group Managed Service Account access to the SQL database.

  1. Open Microsoft SQL Server Management Studio and connect to your server that hosts EmpowerID.

  2. In the Object Explorer, expand the Security node, right-click Logins, and select New Login.

  3. In the Login - New window that appears, next to Login name, enter your DNS host and new Group Managed Service Account name separated by a backslash and with a trailing dollar sign (e.g., ADDOMAIN\kimgMSA$).

  4. At the top left, under Select a page, select User Mapping.

  5. Under Users mapped to this login, select EmpowerID. Your gMSA appears in the user column.

  6. In the Default Schema column, type dbo.

  7. Under Database role membership for: EmpowerID, select the following roles and click OK.

    • db_owner

    • EmpowerID Developer

    • EmpowerIDService

    • public

The login appears in Microsoft SQL Server Management Studio under the Security > Logins node.
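The same login, user mapping and role membership can be applied without Management Studio. The following is an added example (not from the EmpowerID project) that runs the equivalent T-SQL from PowerShell with Invoke-Sqlcmd and then lists the roles the account holds, which is the scripted form of the check that the login appears under Security > Logins. It assumes the SqlServer module is installed, that the caller is a sysadmin on the instance, and that the server name and account value are placeholders to replace.

```powershell
# Added example, not from the EmpowerID project: grant the gMSA the database access
# described in the Configure SQL Server steps. Requires the SqlServer module.
param(
    [string] $ServerInstance = 'sql02',              # placeholder
    [string] $Database       = 'EmpowerID',
    [string] $Account        = 'ADDOMAIN\kimgMSA$'   # DOMAIN\gMSA name with trailing $
)
Import-Module SqlServer

$sql = @"
-- A gMSA is a Windows principal: SQL Server never stores a password for it.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;

-- Map the login to a user in the EmpowerID database with dbo as default schema.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account] WITH DEFAULT_SCHEMA = [dbo];

-- Role membership as listed in the guide. public is held by every database
-- user implicitly, so it needs no ALTER ROLE.
ALTER ROLE [db_owner]            ADD MEMBER [$Account];
ALTER ROLE [EmpowerID Developer] ADD MEMBER [$Account];
ALTER ROLE [EmpowerIDService]    ADD MEMBER [$Account];

-- Verification: which database roles the account now holds.
SELECT dp.name AS principal_name, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.database_principals dp ON dp.principal_id = rm.member_principal_id
WHERE dp.name = N'$Account';
"@

Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $sql
```

The verification query should list db_owner, EmpowerID Developer and EmpowerIDService for the account. Note that db_owner already carries every permission in the database, so the role list is the one the guide specifies rather than a least-privilege set.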

Configure computers to run the service

  1. On each machine where you want to run the service, download the script located here to install your new Group Managed Service Account.

  2. Run the script as an administrator.

  3. Supply your ServiceAccountName when prompted, or use the following command to run the script, replacing kimgMSA with your account.

    .\GMSA_Install-ADServiceAccount.ps1 -ServiceAccountName kimgMSA

  4. The value True appears in the results to indicate that the service account installed successfully.

  5. From the Start menu, open Computer Management, and add the service account to the Administrators group using the following steps.

    1. Expand System Tools, then Local Users and Groups, and select Groups.

    2. Double-click the Administrators group, and in the dialog that appears, click the Add button.

    3. In the dialog that appears, in the Enter object names to select box, enter your DNS host name and gMSA name separated by a backslash, e.g. addomain\kimgMSA, and click Check Names. The service account name appears underlined, without the DNS host.

    4. Click OK. The service account is added to the list of Administrators group members.
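Steps 1 through 5 above can be performed from an elevated PowerShell prompt on each host. The following is an added example (not the project's GMSA_Install-ADServiceAccount.ps1) that installs the account, performs the True/False check from step 4, and adds the account to the local Administrators group as step 5 directs. It assumes the RSAT ActiveDirectory module is present on the host, that the host is in the gMSA's ServerList, and that the domain and account names are placeholders.

```powershell
# Added example, not the EmpowerID project's script: install the gMSA on this
# computer and add it to the local Administrators group.
param(
    [string] $ServiceAccountName = 'kimgMSA',   # placeholder
    [string] $Domain             = 'addomain'   # NetBIOS domain name (placeholder)
)
Import-Module ActiveDirectory

# Install-ADServiceAccount only succeeds on a computer that is allowed to retrieve
# the managed password (i.e. one that was in ServerList when the account was created).
Install-ADServiceAccount -Identity $ServiceAccountName

# Test-ADServiceAccount returns the True/False that step 4 refers to.
$ok = Test-ADServiceAccount -Identity $ServiceAccountName
if (-not $ok) {
    throw "Test-ADServiceAccount returned False for $ServiceAccountName. Check that $env:COMPUTERNAME`$ is in ServerList and that the KDS root key is effective."
}

# Step 5: local Administrators membership. From PowerShell the trailing $ is
# used, because the gMSA is addressed like a computer account (the GUI in the
# guide resolves it from the name without the $). Assumed to resolve via
# Add-LocalGroupMember; 'net localgroup Administrators "<member>" /add' is the
# fallback if the cmdlet cannot resolve the principal.
$member = "$Domain\$ServiceAccountName`$"
$already = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object Name -eq $member
if (-not $already) {
    Add-LocalGroupMember -Group 'Administrators' -Member $member
}

# Verification: the account should now be listed among the group members.
Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -like "*$ServiceAccountName*"
```

Because Install-ADServiceAccount fails on any host that is not allowed to retrieve the password, a failure here usually means the computer was missing from ServerList on the domain controller, not that the local steps were wrong.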

Run the service with the gMSA

  1. On your EmpowerID machine open services.msc.

  2. Right-click the EmpowerID Web Role Service and click Properties.

  3. In the dialog that appears, select the Log On tab, and next to This account, enter your DNS host and gMSA name followed by the dollar sign, e.g. addomain\kimgMSA$.

  4. Be sure that the password fields are cleared, and click OK.

  5. A Services message box informs you that the account has been granted the Log On As A Service right. Click OK.

  6. Repeat these steps to have the service account run the EmpowerID Worker Role Service.

Configure app pools to use the service account

  1. Download the PowerShell script located here onto your EmpowerID machine.

  2. Run the script as an administrator.

  3. When prompted, supply your DNS Host and gMSA account followed by the dollar sign, e.g. addomain\kimgMSA$, or use the following command to run the script, replacing addomain and kimgMSA with your DNS and account name.

    .\EID_SetAppPoolIdentity.ps1 -Account addomain\kimgMSA$

  4. To verify the changes, open IIS Manager, expand the EmpowerID connection, and click Application Pools. Each EmpowerID application pool should show the service account as its identity.
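Both the Windows service steps (Run the service with the gMSA) and the application pool steps above come down to the same change: set the process identity to the gMSA with an empty password, then read the identity back. The following is an added example (not the project's EID_SetAppPoolIdentity.ps1) that does both from PowerShell. The service display names are the ones the guide names; the app pool name filter, the account value, and the use of the WebAdministration module are assumptions.

```powershell
# Added example, not the EmpowerID project's script: run the two EmpowerID services
# and the EmpowerID app pools as the gMSA, then verify. Run elevated on the
# EmpowerID machine with IIS and the WebAdministration module present.
param(
    [string] $Account = 'addomain\kimgMSA$'   # placeholder DOMAIN\gMSA with trailing $
)
Import-Module WebAdministration

# Services: a gMSA authenticates without a stored password, so StartPassword is empty.
# Unlike the Log On tab in services.msc, Win32_Service.Change does not grant the
# "Log on as a service" right; assign it via local security policy if the account
# has never been set through the GUI on this host.
$serviceNames = 'EmpowerID Web Role Service', 'EmpowerID Worker Role Service'
foreach ($displayName in $serviceNames) {
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$displayName'"
    if (-not $svc) { Write-Warning "Service '$displayName' not found"; continue }
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $Account
        StartPassword = ''
    }
    # ReturnValue 0 means the change was accepted.
    [pscustomobject]@{ Service = $displayName; ReturnValue = $result.ReturnValue }
}

# App pools: identityType SpecificUser with the gMSA as userName and no password.
# The filter on the pool name is an assumption; adjust to your pool names.
Get-ChildItem IIS:\AppPools | Where-Object Name -like 'EmpowerID*' | ForEach-Object {
    $path = "IIS:\AppPools\$($_.Name)"
    Set-ItemProperty $path -Name processModel.identityType -Value SpecificUser
    Set-ItemProperty $path -Name processModel.userName     -Value $Account
    Set-ItemProperty $path -Name processModel.password     -Value ''
    # The new identity is used from the next worker process start; recycle to apply now.
    Restart-WebAppPool -Name $_.Name
}

# Verification: the Identity column IIS Manager shows under Application Pools,
# and the logon account of each service as shown on the Log On tab.
Get-ChildItem IIS:\AppPools | Select-Object Name, @{ n = 'Identity'; e = { $_.processModel.userName } }
Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'EmpowerID%'" | Select-Object DisplayName, StartName
```

A non-zero ReturnValue from the service change most often means the account name could not be resolved (missing trailing dollar sign) or that the gMSA has not been installed on this host yet, which the earlier Test-ADServiceAccount check would have shown as False.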
