You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Configure Group Managed Service Accounts
If you want to run your EmpowerID services and app pools as group managed service accounts (gMSA), this topic provides details on how to configure your domain controller, SQL Server, and the computers where you run the service. For more information about such service accounts, see Microsoft's gMSA Overview topic.
Configure your domain controller
Copy and save the below PowerShell script.
# Run this script on Domain Controller param( [Parameter(Mandatory=$true)][string] $ServiceAccountName, [Parameter(Mandatory=$true)][string] $DNSHostName, [Parameter(Mandatory=$true)][string[]] $ServerList ) # Check if Server exists foreach ($Server in $ServerList) { try { Get-ADComputer $Server | Out-Null if ($Server[$Server.Length - 1] -ne '$') { Write-Output "`r`nPlease append a dollar sign `$ to each server name." exit } } catch { Write-Output "$Server does not exist" exit } } #Get KDS Root Key $KdsRootKey = Get-KdsRootKey if ($KdsRootKey -eq $null) { Add-KdsRootKey -EffectiveTime ((get-date).AddHours(-10)) } Install-WindowsFeature rsat try { $ServiceAccount = Get-ADServiceAccount -Identity $ServiceAccountName -ErrorAction SilentlyContinue if (Test-ADServiceAccount -Identity $ServiceAccountName) { Set-ADServiceAccount -Identity $ServiceAccountName -DNSHostName $DNSHostName -PrincipalsAllowedToRetrieveManagedPassword $ServerList } } catch { New-ADServiceAccount -Name $ServiceAccountName -DNSHostName $DNSHostName -PrincipalsAllowedToRetrieveManagedPassword $ServerList }
On your domain controller, open PowerShell as an administrator and run the above script, providing values for the following parameters:
ServiceAccountName – A name for the service account you are creating
DNSHostName – The DNS hostname for the service account (e.g.,
mycompanydomain.com
ormycompany. internal
)ServerList – The servers you use for EmpowerID (SQL, DC, computers where you run the service as a service account), each followed by a dollar sign (e.g., sql02$, prod-dc01$, my-server$)
Verify the account by opening Active Directory Users and Computers, expanding your domain, and looking under the Managed Service Accounts node.
Configure SQL Server
Next, give your Group Managed Service Account access to the SQL database.
Open Microsoft SQL Server Management Studio and connect to your server that hosts EmpowerID.
In the Object Explorer, expand the Security node, right-click Logins, and select New Login.
In the Login - New window next to Login name, enter your DNS Host and new Group Managed Service Account name separated by a backslash and with a trailing dollar sign. (e.g., ADDOMAIN\kimgMSA$)
At the top left, under Select a page, select User Mapping.
Under Users mapped to this login, select EmpowerID. Your gMSA appears in the user column.
In the Default Schema column, type dbo.
Under Database role membership for: EmpowerID, select the following roles and click OK.
db_owner
EmpowerID Developer
EmpowerIDService
public
The login appears in Microsoft SQL Server Management Studio under the Security > Logins node.
Configure computers to run the service
Copy and save the following PowerShell script on each machine where you want to run the service.
param( [Parameter(Mandatory=$true)][string] $ServiceAccountName ) #Install AD Module Add-WindowsFeature RSAT-AD-PowerShell | Out-Null #Install AD Service Account on a computer try { Install-ADServiceAccount -Identity $ServiceAccountName Test-ADServiceAccount $ServiceAccountName } catch { $ErrorMessage = $_.Exception.Message Write-Output "Failed to Install-ADServiceAccount with Error Message:`r`n $ErrorMessage `r`n`r`n You either did not run the script as Admin or did not give the Service Account the right to be installed on a specified computer." }
Run the script as an administrator.
Supply your ServiceAccountName when prompted, or use the following command to run the script, replacing
kimgMSA
with your account..\GMSA_Install-ADServiceAccount.ps1 -ServiceAccountName kimgMSA
The value True appears in the results to indicate that the service account was installed successfully.
From the Start menu, open Computer Management, and add the service account to the Administrators group using the following steps.
Expand System Tools, then Local Users and Groups, and select Groups.
Double-click the Administrators group, and click the Add button in the dialog that appears.
In the dialog that appears, in the Enter object names to select box, enter your DNS host name and gMSA name separated by a backslash, e.g., addomain\kimgMSA, and click Check Names. The service account name appears underlined without the DNS host.
Click OK. The service account is added to the list of Administrators group members.
Run the service with the GMSA
On your EmpowerID machine, open services.msc.
Right-click the EmpowerID Web Role Service and click Properties.
In the dialog that appears, select the Log On tab, and next to This account, enter your DNS host and gMSA name followed by the dollar sign, e.g. addomain\kimgMSA$.
Be sure that the password fields are cleared, and click OK.
A Services message box informs you that the account has been granted the Log On As A Service right. Click OK.
Repeat these steps to have the service account run the EmpowerID Worker Role Service.
Configure app pools to use the service account
Copy and save the following PowerShell script on each machine where you want to run the service.
param ( [Parameter(Mandatory=$true)][string] $Account # PROD\TestgMSAAccount ) Import-Module WebAdministration $AppPoolArray = "API Exchange Services", "API Sql", "API Web Garden", "API Workflow", "API Secure Services", "API SQL Web Services", "API Web Service Garden", "API Workflow Web Services", "EmpowerID", "EmpowerID Exchange Services", "EmpowerID IDP", "EmpowerID IDPs", "EmpowerID SQL Web Services", "EmpowerID UI", "EmpowerID Web API", "EmpowerID Web CDN", "EmpowerID Web Reports", "EmpowerID Web Service Garden", "EmpowerID Web Services", "EmpowerID Workflow Web Services" foreach ($AppPool in $AppPoolArray) { Set-ItemProperty "IIS:\AppPools\$AppPool" -name processModel -value @{userName=$Account;identitytype=3} -ErrorAction SilentlyContinue }
Run the script as an administrator.
When prompted, supply your DNS Host and gMSA account followed by the dollar sign, e.g., addomain\kimgMSA$, or use the following command to run the script, replacing
addomain
andkimgMSA
with your DNS and account name..\EID_SetAppPoolIdentity.ps1 -Account addomain\kimgMSA$
To verify the changes, open IIS Manager, expand the EmpowerID connection, and click Application Pools.
You should see each EmpowerID application pool has the service account as its identity.
IN THIS ARTICLE