Undocumented Features

Posted on April 27, 2020 by Aaron Guilmette

Using a Group Managed Service Account (gMSA) with a Power Platform Data Gateway


This week, I needed to figure out how to use a group Managed Service Account for an on-premises data gateway cluster.  Our documentation says you can do it, but the traditional method for using a gMSA (i.e., enter the user account and leave the password field blank) doesn't work in the app as described in our documentation (currently here: https://docs.microsoft.com/en-us/data-integration/gateway/service-gateway-service-account).

So here we are.

TL;DR: You can configure the gateway to use a Managed Service Account.  And now you’ll see how.

  • Create a Group Managed Service Account
  • Update the Data Gateway Service to use a Group Managed Service Account

Create a Group Managed Service Account

Before you can configure the data gateway to use a managed service account, you need to create the account. If you will be configuring a data gateway cluster, you may want to consider using a group Managed Service Account (as opposed to a standard Managed Service Account) so that multiple computers can use the same service account.

In order to use a group Managed Service Account, your forest must be updated to at least the Windows Server 2012 schema.  You can check the current version of the schema with the PowerShell command:

(Get-ADObject (Get-ADRootDSE).schemaNamingContext -properties objectVersion).objectVersion

If the value is less than 52, you will need to update the schema.  But you should probably do that anyway.

Ready? Here we go!

  1. On the computer hosting the data gateway, log in as an administrator with privileges to administer the domain.  In order to create a gMSA account, you must be a member of Domain Admins or have been granted rights to create group Managed Service Accounts. For simplicity’s sake, I recommend doing this on the same computer where the data gateway is installed.
  2. Launch an elevated PowerShell console session.
  3. Run the following cmdlet to install the Active Directory Remote Server Administration Tools (RSAT) if they are not already present.
    Install-WindowsFeature RSAT-ADDS
  4. Run the following cmdlet to configure a KDS Root Key (if it hasn’t been done before).
    Add-KdsRootKey -EffectiveImmediately
  5. Run the following command to create the group Managed Service Account.  In this example, the name I’m going to use for the service account is ms301dg-svc and the computer hosting the data gateway where this service account will be used is ms301-sp. You’ll need to specify the computer account with a trailing $.  For the DnsHostName parameter, I simply used the name of the service account and appended the domain suffix.  Typically, when creating gMSAs, you don’t need to configure a password.  As of this writing, the On-premises data gateway app user interface does not support configuring a gMSA natively.
    New-ADServiceAccount -Name "ms301dg-svc" -PrincipalsAllowedToRetrieveManagedPassword ms301-sp$ -DnsHostName ms301dg-svc.ms301demo.com -Enabled $True
  6. Next, you’ll need to add the service account to the computer hosting the data gateway.  This step must be performed on the computer hosting the data gateway.
    Install-ADServiceAccount -Identity ms301dg-svc
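The steps above as one script, written here as an added example rather than code from the original post. It generalizes the single-host case to a gateway cluster by granting password retrieval to an AD security group of gateway hosts instead of one computer account; the group name ms301dg-hosts, the second host ms301-sp2, and the domain ms301demo.com are assumed.

```powershell
# Added example (not from the original post): create a gMSA for a data gateway
# cluster, letting every host in an AD security group retrieve the password.
# Assumed names: group "ms301dg-hosts", hosts ms301-sp / ms301-sp2, domain ms301demo.com.
#Requires -Modules ActiveDirectory

$gmsaName  = 'ms301dg-svc'
$domainDns = 'ms301demo.com'
$hostGroup = 'ms301dg-hosts'           # assumed group of gateway cluster hosts
$hosts     = 'ms301-sp', 'ms301-sp2'   # assumed cluster members

# 1. gMSAs need the Windows Server 2012 schema (objectVersion 52 or higher).
$schemaVersion = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
if ($schemaVersion -lt 52) {
    throw "Schema version $schemaVersion is below 52; update the schema first."
}

# 2. Create the KDS root key only if the forest does not have one yet.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 3. Put the cluster hosts in a group so the gMSA's retrieval ACL holds one
#    principal instead of a per-computer list that drifts as nodes change.
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security | Out-Null
}
foreach ($h in $hosts) {
    Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer $h)
}

# 4. Create the gMSA. No password is set; AD generates and rotates it.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DnsHostName "$gmsaName.$domainDns" `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
        -Enabled $true
}

# 5. Run on each gateway host: install the account, then confirm this host can
#    actually retrieve the managed password. A host added to the group needs a
#    reboot (fresh computer Kerberos ticket) before the test passes.
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "$env:COMPUTERNAME cannot retrieve the password for $gmsaName; check group membership and reboot."
}
Write-Host "gMSA $gmsaName is usable on $env:COMPUTERNAME"
```

Steps 1 to 4 run once from any domain-joined host with RSAT; step 5 runs on every gateway host that will use the account.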

At this point, you’ve now created and installed the group Managed Service Account on the computer hosting the data gateway.  In the next section, we’ll configure the data gateway to use a new account.

Update the Data Gateway Service to use a Group Managed Service Account

You can use these steps to change the service account used by the on-premises data gateway.

  1. On the computer hosting the on-premises data gateway, launch the Services applet.
  2. Locate the On-premises data gateway service and double-click it to open the properties sheet.
  3. Update the logon account to the gMSA you wish to use and click OK.  When using a Managed Service Account, remember to append a $ to the account name and leave the password value blank.
  4. When notified that the Log On As A Service right has been granted, click OK.
  5. Click OK again to acknowledge that the service has to be stopped and restarted manually.
  6. Restart the service.
  7. Launch the On-premises data gateway app.  When prompted, sign in as an administrator of this data gateway.
  8. Select the Migrate, restore, or takeover an existing gateway option and click Next.
  9. Enter the recovery key you created when you set up the gateway and click Configure.
  10. Wait.
  11. Click Close to exit the data gateway app configuration.
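A quick check, as an added example that is not part of the original post, that the service really is running under the gMSA after the steps above. It assumes the gMSA ms301dg-svc in the NetBIOS domain MS301DEMO and uses the service display name given in step 2.

```powershell
# Added example (not from the original post): verify the gateway service runs
# as the gMSA and that this host can retrieve the managed password.
# Assumed: gMSA ms301dg-svc in NetBIOS domain MS301DEMO.
$gmsaLogon   = 'MS301DEMO\ms301dg-svc$'
$displayName = 'On-premises data gateway service'

$svc = Get-CimInstance Win32_Service -Filter "DisplayName = '$displayName'"
if (-not $svc) { throw "Service '$displayName' not found on $env:COMPUTERNAME" }

# StartName is the configured logon account; a gMSA appears with its trailing $.
if ($svc.StartName -ne $gmsaLogon) {
    throw "Service runs as '$($svc.StartName)', expected '$gmsaLogon'"
}

# If the host cannot retrieve the managed password the service will not start,
# and the System event log shows a logon failure from the Service Control Manager.
$samName = $gmsaLogon.Split('\')[1].TrimEnd('$')
if (-not (Test-ADServiceAccount -Identity $samName)) {
    throw "This host cannot retrieve the password for $gmsaLogon; rerun Install-ADServiceAccount and reboot"
}

# Start it if the manual restart from step 6 was skipped.
if ($svc.State -ne 'Running') {
    Start-Service -DisplayName $displayName
}
Write-Host "'$displayName' is running as $gmsaLogon"
```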

The update process is complete.  Woo! You get a cookie!
