gMSA supported Applications list

  • Last Post 15 February 2017
bshwjt posted this 04 February 2017

Hi,
Could you please provide a list of gMSA supported Applications.
Regards
Biswajit


kool posted this 08 February 2017

I suspect that no such list exists.

Even within Microsoft products the support for gMSAs is inconsistent. For example, SQL Server as of I believe v2014 allows one to specify a gMSA during setup.

Windows Server itself supports gMSAs for use with services and with scheduled tasks. The problem though is that the server UI has very limited support for gMSAs. You have to use PowerShell to create them, install them, and configure scheduled tasks to use them.

I just did some testing on Server 2016. In the Services snap-in you can specify a gMSA as the service logon account. However, in the Schedule Tasks UI you can’t specify a gMSA. I find this to be confounding. They both use the Object Picker to allow one to find a suitable account. From the Task Scheduler the Object Picker is titled “Select User or Group”. However, from the Services GUI the Object Picker is titled “Select User or Service Account.” Clearly the Object Picker code has already been updated to support gMSAs. Why doesn’t the Task Scheduler app use this not-so-new functionality?

I’m not anti-PowerShell but I find it perplexing that it is taking so long to get functionality into the GUI that’s been in PS for several releases. PS makes sense for repetitive operations, but for one-off configuration it really ought to be in the GUI.

    Eric
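The PowerShell path Eric describes (create the gMSA, install it on the host, register a scheduled task that runs as it), as an added example that is not from this thread; the domain CONTOSO, the account svc-backup, the group BackupHosts and the script path are assumed, and the KDS root key is assumed to already exist.

```powershell
# Added example, not from the thread. Assumed names: domain CONTOSO, gMSA svc-backup,
# a group BackupHosts holding the computer accounts allowed to retrieve the password.
# Step 1 runs on a host with the RSAT ActiveDirectory module as a domain admin.

# 1. Create the account. Only members of BackupHosts may fetch the managed password
#    from the KDS, so keep that group to the hosts that actually run the task.
New-ADServiceAccount -Name 'svc-backup' `
    -DNSHostName 'svc-backup.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'BackupHosts' `
    -ManagedPasswordIntervalInDays 30

# 2. On the member server (after a reboot so its new group membership is in its
#    Kerberos ticket), install the account and verify the host can retrieve the password.
Install-ADServiceAccount -Identity 'svc-backup'
Test-ADServiceAccount -Identity 'svc-backup'   # must return True before going further

# 3. Register a scheduled task that runs as the gMSA. No password is supplied: the
#    trailing '$' on the account and -LogonType Password mean the Task Scheduler
#    service retrieves the managed password itself at run time.
$action    = New-ScheduledTaskAction -Execute 'C:\Scripts\backup.cmd'   # assumed path
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svc-backup$' -LogonType Password
Register-ScheduledTask -TaskName 'Nightly backup' -Action $action -Trigger $trigger -Principal $principal

# 4. Confirm what was registered; the Task Scheduler UI will display this account
#    even though its Object Picker will not let you select it.
(Get-ScheduledTask -TaskName 'Nightly backup').Principal | Select-Object UserId, LogonType
```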

bshwjt posted this 09 February 2017

Thanks Eric. I also implemented gMSA on win2012 R2 for scheduled tasks but can't find anything on UI. Everything can be done with PS. I need to find how application is integrated with gMSA so at least we can find the apps whether gMSA will work on that or not. That is such a cool feature and I love that. Security is a hot topic all the time and we can restrict that account in various manners. Will test that on iis app pool shortly and scheduled tasks is already done (working fine).

Thanks and Regards
Biswajit Biswas
Microsoft Identity Engineer
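An added example, not from the thread, of the inventory Biswajit is after: find where gMSAs are already in use on a server (services, scheduled tasks, IIS app pools) and, for each one, check who is allowed to retrieve its managed password. It assumes an elevated session, the RSAT ActiveDirectory module, and the WebAdministration module where IIS is installed; the account names it finds are whatever the host has.

```powershell
# Added example, not from the thread. Assumes an elevated session, the RSAT
# ActiveDirectory module, and WebAdministration only where IIS is present.
# gMSA sAMAccountNames end in '$', which is what each filter keys on.

# Services: the logon account is exposed as StartName, e.g. 'CONTOSO\svc-backup$'.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like '*$' } |
    Select-Object @{n='Type';e={'Service'}}, @{n='Name';e={$_.Name}}, @{n='Account';e={$_.StartName}}

# Scheduled tasks: a gMSA task has Principal.UserId ending in '$' and LogonType Password.
$tasks = Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like '*$' } |
    Select-Object @{n='Type';e={'Task'}}, @{n='Name';e={$_.TaskName}}, @{n='Account';e={$_.Principal.UserId}}

# IIS application pools: identityType SpecificUser with a '$'-terminated userName.
$pools = @()
if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    $pools = Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.identityType -eq 'SpecificUser' -and $_.processModel.userName -like '*$' } |
        Select-Object @{n='Type';e={'AppPool'}}, @{n='Name';e={$_.Name}}, @{n='Account';e={$_.processModel.userName}}
}

$inUse = @($services) + @($tasks) + @($pools)
$inUse | Format-Table -AutoSize

# Audit: for each distinct gMSA, who may retrieve its managed password? Every principal
# listed here can obtain the password, and with it a logon token, for the account, so the
# list should contain only the hosts (or a group of hosts) that run the workload above.
$inUse.Account | Sort-Object -Unique | ForEach-Object {
    $sam = ($_ -split '\\')[-1]      # drop the domain prefix, keep the trailing '$'
    Get-ADServiceAccount -Identity $sam -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
        Select-Object Name, ManagedPasswordIntervalInDays,
            @{n='AllowedToRetrieve';e={ ($_.PrincipalsAllowedToRetrieveManagedPassword |
                ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ' }}
}
```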

kool posted this 09 February 2017

Hi Biswajit,

 

I was wondering how one would programmatically acquire a logon token for a gMSA. In the past I’ve done a more conventional programmatic logon in C/C++ by calling the Win32 API LogonUser and then using the returned token for thread impersonation. I’m guessing that you can call LogonUser and specify a gMSA such that a password does not need to be supplied. However I am unable to find anything on the interwebs that specifically refers to this scenario nor have I actually tried it myself.

And, yes, IIS now supports gMSA as an app pool identity which is also certainly useful.

Correcting my statement below, I went back and reviewed my notes which say that gMSA support in SQL Server started with version 2012.

Cheers,

    Eric

bdesmond posted this 10 February 2017

If you supply SERVICEACCOUNTPASSWORD as the password (which is defined in lmaccess.h), you should get the desired outcome. Footnote 38 in the patent for the feature (http://www.google.com/patents/US20090328154) seems to be the only place this is actually documented.

Thanks,

Brian Desmond

joe posted this 10 February 2017

Wow, that's a cool nugget of info from Brian D.! Nice work digging that up.



kool posted this 10 February 2017

Agree, very interesting information!

I’d not noticed these two new lines in lmaccess.h (well, new since I’ve done any extensive C/C++ coding):

#define SERVICEACCOUNTPASSWORD TEXT("SA{262E99C9-6160-4871-ACEC-4E61736B6F21}")
#define SERVICEACCOUNTSECRETPREFIX TEXT("SC{262E99C9-6160-4871-ACEC-4E61736B6F21}")

A bit more searching yields this: https://msdn.microsoft.com/en-us/library/windows/desktop/hh448526(v=vs.85).aspx, how one would detect this magic text in a Cred SSP to initiate the gMSA logon. It is a bit of a hack, really, where the SSP has to see this magic value in the passed-in password and then call the GetServiceAccountPassword to get the current gMSA password to do a LogonUser for it.

This information is so well hidden that one could conclude that MS doesn’t really want non-MS folks writing a program that can obtain a login token from a gMSA. Of course if you write a service then the Service Controller will do this for you (and ditto for an IIS app or scheduled task).

Thanks,

    Eric

eccoleman posted this 10 February 2017

Does this mean one could conceivably take advantage of this feature in Powershell?

Just curious!

--
Erik Coleman
University of Illinois at Urbana-Champaign

bdesmond posted this 10 February 2017

Remarks #1 on Eric’s link implies no, at least not without running your PS process with TCB (Act As Part of the Operating System in the UI) which is not really something you’d generally do. I’m not sure offhand what “is a network service” means in terms of allowed callers.

Thanks,

Brian Desmond

SamErde posted this 15 February 2017

Top tip, Brian! I am curious to learn how you got it down to that specific text. Secti


SamErde posted this 15 February 2017

Aaaand I just re-read the entire thread, finding Eric's answer to my question. The lmaccess.h file is where SERVICEACCOUNTPASSWORD is defined.

[Puts self in RTFM/email penalty box.]

Sam