This week, I needed to figure out how to use a group Managed Service Account (gMSA) for an on-premises data gateway cluster. Our documentation says you can do it, but the traditional method for using a gMSA (enter the account name and leave the password field blank) doesn't work with the procedure in our documentation for the app (currently here: https://docs.microsoft.com/en-us/data-integration/gateway/service-gateway-service-account).
So here we are.
TL;DR: You can configure the gateway to use a Managed Service Account. And now you’ll see how.
Create a Group Managed Service Account
Before you can configure the data gateway to use a managed service account, you need to create the account. If you will be configuring a data gateway cluster, you may want to consider using a group Managed Service Account (as opposed to a standard Managed Service Account) so that multiple computers can use the same service account.
In order to use a group Managed Service Account, your forest must be updated to at least the Windows Server 2012 schema. You can check the current version of the schema with the PowerShell command:
(Get-ADObject (Get-ADRootDSE).schemaNamingContext -properties objectVersion).objectVersion
If the value is less than 52, you will need to update the schema. But you should probably do that anyway.
Ready? Here we go!
- On the computer hosting the data gateway, log in as an administrator with privileges to administer the domain. In order to create a gMSA account, you must be a member of Domain Admins or have been granted rights to create group Managed Service Accounts. For simplicity’s sake, I recommend doing this on the same computer where the data gateway is installed.
- Launch an elevated PowerShell console session.
- Run the following cmdlet to install the Active Directory Remote Server Administration Tools (RSAT) if they are not already present.
- Run the following cmdlet to configure a KDS Root Key (if it hasn’t been done before).
- Run the following command to create the group Managed Service Account. In this example, the name I'm going to use for the service account is ms301dg-svc and the computer hosting the data gateway where this service account will be used is ms301-sp. You'll need to specify the computer account with a trailing $. For the DnsHostName parameter, I simply used the name of the service account and appended the domain suffix. Typically, when creating gMSAs, you don't need to configure a password. As of this writing, the On-premises data gateway app user interface does not support configuring a gMSA natively.
New-ADServiceAccount -Name "ms301dg-svc" -PrincipalsAllowedToRetrieveManagedPassword ms301-sp$ -DnsHostName ms301dg-svc.ms301demo.com -Enabled $True
- Next, you’ll need to add the service account to the computer hosting the data gateway. This step must be performed on the computer hosting the data gateway.
Install-ADServiceAccount -Identity ms301dg-svc
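The steps above, run end to end as one script. This is an added example and not code from the original post; it uses the post's own names (ms301dg-svc, ms301-sp, ms301demo.com) and fills in the two cmdlets the post refers to (RSAT installation and the KDS root key). The security group ms301-dg-hosts and the $ClusterMembers list are assumptions: granting password retrieval to a group rather than to a single computer lets you add cluster members later without rewriting the gMSA.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on a domain-joined gateway host with domain admin (or delegated) rights.
#Requires -RunAsAdministrator

$GmsaName       = 'ms301dg-svc'                 # from the post
$DnsName        = 'ms301dg-svc.ms301demo.com'   # from the post
$GroupName      = 'ms301-dg-hosts'              # assumed: group of all gateway hosts
$ClusterMembers = @('ms301-sp')                 # assumed: computer names of cluster hosts

# 1. Active Directory RSAT module, if it is not already present.
if (-not (Get-WindowsFeature RSAT-AD-PowerShell).Installed) {
    Install-WindowsFeature RSAT-AD-PowerShell
}
Import-Module ActiveDirectory

# 2. Schema check from the post: 52 is the Windows Server 2012 schema.
$schema = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
if ($schema -lt 52) {
    throw "Schema version $schema is below 52; gMSAs need at least the Windows Server 2012 schema."
}

# 3. KDS root key, created once per forest. With -EffectiveImmediately the key
#    still becomes usable only after about 10 hours, once every DC has replicated it.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 4. Group of hosts allowed to retrieve the managed password. Keep this list
#    tight: any member can obtain the account's credential.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
foreach ($computer in $ClusterMembers) {
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer $computer)
}

# 5. Create the gMSA. No password is set; AD generates and rotates it.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DnsHostName $DnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName -Enabled $true
}

# 6. On each gateway host: install the account locally and verify the host can
#    actually fetch the password. Group membership is evaluated when the computer
#    logs on, so a host newly added to the group needs a reboot before this passes.
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "This host cannot retrieve the managed password for $GmsaName; check group membership and KDS key age."
}
"gMSA $GmsaName is installed and usable on $env:COMPUTERNAME."
```

Test-ADServiceAccount is the check worth keeping around: it returns $false when the computer is not (yet) allowed to retrieve the password, which is the usual reason the service later fails to start.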
At this point, you've now created and installed the group Managed Service Account on the computer hosting the data gateway. In the next section, we'll configure the data gateway to use the new account.
Update the Data Gateway Service to use a Group Managed Service Account
You can use these steps to change the service account used by the on-premises data gateway.
- On the computer hosting the on-premises data gateway, launch the Services applet.
- Locate the service named On-premises data gateway service and double-click it to open the properties sheet.
- Update the account the service logs on as to the gMSA you wish to use and click OK. When using a Managed Service Account, remember to append a $ to the account name and leave the password value blank.
- When notified that the Log On As A Service right has been granted, click OK.
- Click OK again to acknowledge that the service has to be stopped and restarted manually.
- Restart the service.
- Launch the On-premises data gateway app. When prompted, sign in as an administrator of this data gateway.
- Select the Migrate, restore, or takeover an existing gateway option and click Next.
- Enter the recovery key you created when you set up the gateway and click Configure.
- Click Close to exit the data gateway app configuration.
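The same service-account change made from PowerShell instead of the Services applet, with a before/after check that the change actually took. This is an added example, not from the original post; the domain name MS301DEMO and the gMSA name come from the post's examples, and the service is located by the display name the post uses. The last two steps (the gateway app's migrate/restore flow and the recovery key) have no scripted equivalent and still happen in the app.

```powershell
# Added example, not from the original post. Run elevated on the gateway host
# after Install-ADServiceAccount has succeeded there.
#Requires -RunAsAdministrator

$Domain   = 'MS301DEMO'          # from the post's domain suffix (assumed NetBIOS form)
$GmsaName = 'ms301dg-svc'        # from the post
$Account  = "$Domain\$GmsaName" + '$'   # gMSAs are referenced with a trailing $

# Find the service by its display name as shown in the Services applet.
$svc = Get-Service -DisplayName 'On-premises data gateway service' -ErrorAction Stop
$cim = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
"Before: $($svc.Name) logs on as $($cim.StartName)"

# Change the logon account. The password is left empty, as in the applet:
# the SCM fetches the managed password from AD itself.
$result = Invoke-CimMethod -InputObject $cim -MethodName Change -Arguments @{
    StartName     = $Account
    StartPassword = ''
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

# Unlike the Services applet, this path does not grant "Log on as a service".
# The change only applies on restart; a start failure with error 1069 means
# that right is missing and must be granted (Group Policy or the applet).
Restart-Service -Name $svc.Name -Force

# After: confirm the account and that the service is actually up.
$cim = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
if ($cim.StartName -ne $Account) {
    throw "Logon account is $($cim.StartName), expected $Account"
}
if ((Get-Service -Name $svc.Name).Status -ne 'Running') {
    throw "$($svc.Name) is not running; check the System event log for the logon failure."
}
"After: $($svc.Name) runs as $($cim.StartName) and is Running."
# Now launch the On-premises data gateway app, pick "Migrate, restore, or takeover
# an existing gateway" and supply the recovery key, as described in the steps above.
```

Keeping the before/after check in the script is deliberate: a service that silently falls back to the old account (for example because the right was never granted) looks healthy in the applet but is not running under the gMSA.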
The update process is complete. Woo! You get a cookie!