Installation with GMSA Account
  • 22 Aug 2023


What is GMSA (Group Managed Service Account)?

Group Managed Service Accounts (GMSAs) are managed domain accounts that help to secure Windows NT Services. GMSAs can run on a single server or on a server farm, such as systems behind a Network Load Balancing or Internet Information Services (IIS) server. The GMSA principal and password are handled by the Windows operating system. GMSAs offer a single identity solution with greater security, and they also help to reduce administrative overhead. To understand more about the GMSA click here.

Permissions required for GMSA account

As the GMSA account will be used as a log-in for the Atomic Scope web application, NT Services, and SQL Server database, it must have some permissions to run Atomic Scope smoothly.
The permissions include:

  • Sign-On permissions
  • IIS permissions to access the Web Application
  • Database permissions and roles to access the Atomic Scope Database
Note:
  • Ensure the GMSA account is enabled and active in Active Directory.
  • Ensure the Microsoft Key Distribution Service is up and running, because this service manages the GMSA account password state in Windows.
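
The two checks in the note above can be scripted before starting the installer. The following PowerShell is an added example, not part of the Atomic Scope installer or documentation; the account name CONTOSO\AtomicScopeSvc$ is a constructed placeholder, and the script assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example: pre-installation check for a GMSA. Not Atomic Scope code.
param([string]$Account = 'CONTOSO\AtomicScopeSvc$')   # constructed placeholder account

Import-Module ActiveDirectory -ErrorAction Stop

# The installer expects DomainName\GmsaAccountName$ (trailing $ included).
if ($Account -notmatch '^(?<domain>[^\\]+)\\(?<name>[^\\$]+)\$$') {
    throw "'$Account' is not in the form DomainName\GmsaAccountName`$"
}
$name = $Matches['name']

# A missing identity raises a terminating error, so catch it instead of suppressing it.
try   { $gmsa = Get-ADServiceAccount -Identity $name -ErrorAction Stop }
catch { $gmsa = $null }

# A standalone managed service account or an ordinary user would fail this check.
$isGmsa  = [bool]($gmsa -and $gmsa.ObjectClass -eq 'msDS-GroupManagedServiceAccount')
$enabled = [bool]($gmsa -and $gmsa.Enabled)

# Test-ADServiceAccount returns $true only when this host can retrieve the managed password.
$usable = $false
if ($isGmsa) {
    try   { $usable = [bool](Test-ADServiceAccount -Identity $name -WarningAction SilentlyContinue) }
    catch { $usable = $false }
}

# Microsoft Key Distribution Service (service name KdsSvc).
# Assumption: the script runs on the host that provides the service, usually a domain controller.
$kds        = Get-Service -Name KdsSvc -ErrorAction SilentlyContinue
$kdsRunning = [bool]($kds -and $kds.Status -eq 'Running')

$report = [pscustomobject]@{
    Account          = $Account
    IsGroupManaged   = $isGmsa
    EnabledInAD      = $enabled
    UsableOnThisHost = $usable
    KdsSvcRunning    = $kdsRunning
}
$report | Format-List

# A non-zero exit code lets a deployment pipeline stop before the installer is launched.
if (-not ($isGmsa -and $enabled -and $usable -and $kdsRunning)) { exit 1 }
```

Run it on the server where Atomic Scope will be installed so that UsableOnThisHost reflects that machine's right to retrieve the managed password.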

GMSA Configuration in AtomicScope Installer

Fresh Installation

During a fresh installation, the GMSA account option is available under the Service Account detail section in the IIS & Service account dialog.

FreshInstall.png

  • In the installer, navigate to the IIS & Service account dialog
  • Enter the GMSA account name with the domain name in the Username field, in the format DomainName\GmsaAccountName$
  • Check the GMSA Account option to tell the installer that the entered account is a GMSA account. Enabling this option automatically disables the password field, because the password is auto-managed by Windows.
  • Click Next to authenticate the account by verifying that it is available and active in the domain's Active Directory.

Upgrade Installation

During an Upgrade installation, the GMSA account option is available separately for the Application Pool and the Monitoring Service credentials.

UpgradeInstall.png

  • As with a fresh installation, the GMSA account name needs to be entered in the UserName field in the format DomainName\GmsaAccountName$
  • Check the GMSA Account option
  • After entering the account details, click Validate to authenticate the account
  • If authentication is successful, click Upgrade to complete the installation; otherwise, re-enter valid GMSA account credentials.
  • During an upgrade, if you have already used GMSA during a fresh installation, the GMSA account details will be auto-populated in this dialog.
Note:
  • Different GMSA accounts can be used for different installation features during the Upgrade. However, make sure that both the accounts are mapped to the Atomic Scope Database Login with required database permissions & roles before performing the upgrade.
  • During a fresh installation, the database user login mapping will be handled by the Atomic Scope installer. No manual intervention is required.

The provided GMSA account will be mapped as Login for the selected installation features like Web Application, Monitoring Service, and SQL Server database in Atomic Scope.

