How To Configure gMSA in AD Connector for ISC

Introduction

So I have been playing around with the newly released capability of the AD connector to use Group Managed Service Accounts (gMSA). I am no AD expert and this article will evolve, but this is a quick test I have done in my home lab AD setup.

NOTE: These are not official steps and I am not an AD expert. Please test in your sandbox environment, and understand and adjust each command per Microsoft's and your own AD deployment guidelines.

Infrastructure

  • AD Domain: abc.local
  • Functional Level: Windows Server 2016
  • Domain Controller (one): dc1.abc.local
  • IQService: Running on domain controller “dc1”, non-TLS on port 6050

Steps

  • Generate a KDS root key so that it is available immediately
  • Create a new managed service account called GMSA_ACCOUNT. DC1 is a member of the “IQService Servers” group, so we allow computers in that group to retrieve the password

The account will now show up

  • Add a UPN for the account, as it is missing at this stage, by manually editing the attribute in Attribute Editor

  • Run the Install-ADServiceAccount command

  • Add this account as a local Administrator on the machine running IQService so that it can start the service

  • Run Set-ADServiceAccount to allow it to retrieve the password

  • On the IQService service, go to Properties -> Log On, change this to use the gMSA account and click OK. You can follow my guide on how to install IQService from scratch as well if you need.

  • Give the gMSA account full rights to the IQService folder

  • Restart IQService (or DC1 for good measure).
  • Now set up an AD source the normal way, with slight changes on the Domain Settings page (using port 389 with SASL for gMSA)

  • On the IQService page configure the non-TLS port

  • Test the connection and it should be all GREEN 🙂
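The steps above as one PowerShell script, added here as an example; these are not the post's original commands (which were screenshots) and not SailPoint's code. It assumes the RSAT ActiveDirectory module, the domain abc.local, an existing “IQService Servers” group that already contains DC1$, and that IQService is installed at C:\SailPoint\IQService with the Windows service name IQService (both assumed names). Part 1 runs once anywhere in the domain; Part 2 runs elevated on the IQService host.

```powershell
# Added example, not the author's original commands. Assumptions: RSAT AD module,
# domain abc.local, group "IQService Servers" containing DC1$, IQService installed
# at C:\SailPoint\IQService with service name "IQService" (assumed values).
Import-Module ActiveDirectory

$domain       = 'abc.local'
$gmsaName     = 'GMSA_ACCOUNT'
$allowedGroup = 'IQService Servers'       # computers allowed to retrieve the password
$iqPath       = 'C:\SailPoint\IQService'  # assumed install folder
$iqService    = 'IQService'               # assumed Windows service name

# ---- Part 1: once in the domain (any host with the AD module) ----

# KDS root key. A new key is normally usable only after a 10-hour replication wait;
# backdating EffectiveTime is a single-DC lab shortcut, not something for production.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# Create the gMSA; only members of $allowedGroup may retrieve its managed password.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $allowedGroup `
    -Enabled $true

# New-ADServiceAccount leaves userPrincipalName empty: set it here instead of in
# Attribute Editor, and (re)assert who may retrieve the password.
Set-ADServiceAccount -Identity $gmsaName `
    -Replace @{ userPrincipalName = "$gmsaName@$domain" } `
    -PrincipalsAllowedToRetrieveManagedPassword $allowedGroup

Get-ADServiceAccount -Identity $gmsaName `
    -Properties userPrincipalName, PrincipalsAllowedToRetrieveManagedPassword

# ---- Part 2: on the IQService host (DC1), elevated ----

# Cache the gMSA locally and prove this computer can fetch its password.
Install-ADServiceAccount -Identity $gmsaName
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "This host cannot retrieve the password for $gmsaName; check group membership and the KDS key"
}

$gmsaLogon = "$($domain.Split('.')[0].ToUpper())\$gmsaName$"   # ABC\GMSA_ACCOUNT$

# Local Administrators, as in the post's steps. On a DC there is no local SAM, so the
# "local" Administrators group is the domain's Builtin\Administrators.
$isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
if ($isDc) { Add-ADGroupMember -Identity 'Administrators' -Members "$gmsaName$" }
else       { Add-LocalGroupMember -Group 'Administrators' -Member $gmsaLogon }

# Switch the service log-on identity to the gMSA; AD manages the password, so it is empty.
$svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='$iqService'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
              -Arguments @{ StartName = $gmsaLogon; StartPassword = '' }
if ($result.ReturnValue -ne 0) { throw "Service Change failed with code $($result.ReturnValue)" }

# Full control on the IQService folder for the gMSA, inherited by files and subfolders.
$acl  = Get-Acl -Path $iqPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $gmsaLogon, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $iqPath -AclObject $acl

# Restart and check that the service is running under the gMSA and listening on 6050.
Restart-Service -Name $iqService
Get-CimInstance -ClassName Win32_Service -Filter "Name='$iqService'" |
    Select-Object Name, State, StartName
Test-NetConnection -ComputerName 'dc1.abc.local' -Port 6050 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Test-ADServiceAccount is the check worth keeping: if it returns False on the IQService host, the service will fail to start no matter what the Log On tab shows, and the cause is almost always that the host is not in the group named in PrincipalsAllowedToRetrieveManagedPassword or that the KDS root key is not yet effective.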

Conclusion

By following these steps, you can successfully configure gMSA in AD Connector for ISC, ensuring better security and management of service accounts. Test in your environment and adjust settings as needed.

AD Home Lab LDAPS Setup for SailPoint IDN TLS Connection

Welcome 2020 (or not)!!!

Really, this year needs to end. Period. I hope everyone is keeping safe and indoors as much as possible.

It has been a while since I have written something.

Anyway, I had a local VM running Active Directory for my SailPoint IDN home lab. Now I wanted to set up a TLS connection to it. So I thought it would be easy:

1. Create a CSR request in AD
2. Generate a crt
3. Import the cert in AD
4. Test the connection via ldp or IDN.

I didn’t want to go through installing the AD CA role for this one process. So I thought I would use OpenSSL, which was installed on my Mac. There are many excellent guides on how to enable LDAPS in AD by generating a self-signed certificate. By far the easiest I found was this one

But what I found was that the generated cert didn’t contain the SAN. I found many such issues linked online with the openssl command. This is how I fixed it.

I followed the guide up to the point where v3ext.txt is generated, but used my own as below

The IP address and additional DNS entry are just examples. My domain name in the example is “abc.local” and the DC name is “dc1.abc.local”. You can add additional DNS entries as per your requirements

And I modified the command to execute this file

The rest is all the same as in the guide. You will get the certificate generated with a SAN and imported into your DC. LDAPS will work, and IDN and IQService will connect via TLS. And you can forget about it for 10 years 😛
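A worked version of the SAN fix, added here as an example; it is not the post's own v3ext.txt or command (those were screenshots) and not the referenced guide's code. It assumes pwsh and openssl on the Mac, that the CSR was created on the DC with certreq and copied over as dc1.csr, and a lab CA key pair named lab-ca.key / lab-ca.crt (created if missing). The IP 10.0.0.10, the file names and the 10-year lifetime are placeholders. The check at the end is the part that matters: `openssl x509 -req` silently drops the CSR's extensions unless `-extfile` and `-extensions` point at the section that carries the SAN, which is exactly why the original certificate came out without one.

```powershell
# Added example, not the post's original file/command. Assumes pwsh + openssl on the
# Mac, dc1.csr exported from the DC with certreq, and placeholder names/IP below.
$dcFqdn = 'dc1.abc.local'
$domain = 'abc.local'
$dcIp   = '10.0.0.10'          # placeholder

# On the DC beforehand (elevated cmd), with request.inf whose Subject is CN=dc1.abc.local:
#   certreq -new request.inf dc1.csr
# then copy dc1.csr to this machine.

# v3ext.txt: the SAN and server-auth EKU that 'openssl x509 -req' will not take from
# the CSR on its own; they are attached at signing time via -extfile/-extensions.
@"
[v3_req]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = $dcFqdn
DNS.2 = $domain
IP.1  = $dcIp
"@ | Set-Content -Path v3ext.txt -Encoding ascii

# Lab CA, created once. Its certificate must go into the DC's Trusted Root store,
# otherwise the DC will not bind the signed certificate to LDAPS.
if (-not (Test-Path lab-ca.key)) {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 `
        -subj '/CN=Home Lab Root CA' -keyout lab-ca.key -out lab-ca.crt
}

# Sign the DC's CSR, attaching the extensions from the v3_req section.
openssl x509 -req -in dc1.csr -CA lab-ca.crt -CAkey lab-ca.key -CAcreateserial `
    -days 3650 -sha256 -extfile v3ext.txt -extensions v3_req -out dc1.crt

# Verify the SAN and EKU really are in the certificate before copying it back.
$text = openssl x509 -in dc1.crt -noout -text
if (($text | Select-String -SimpleMatch "DNS:$dcFqdn") -and
    ($text | Select-String -SimpleMatch 'TLS Web Server Authentication')) {
    Write-Host "OK: dc1.crt carries SAN DNS:$dcFqdn and the serverAuth EKU"
} else {
    throw 'dc1.crt is missing the SAN or the serverAuth EKU; check -extfile/-extensions'
}

# On the DC afterwards (elevated cmd): import lab-ca.crt into Trusted Root, then
#   certreq -accept dc1.crt
# and restart the DC so the LDAP service picks up the new certificate.

# From the Mac, confirm LDAPS presents that certificate and that it chains to the lab CA.
'' | openssl s_client -connect "${dcFqdn}:636" -servername $dcFqdn -CAfile lab-ca.crt |
    Select-String -Pattern 'subject=', 'Verify return code'
```

The final s_client line should end with "Verify return code: 0 (ok)"; a hostname mismatch there means the SAN still does not contain the exact FQDN that IDN and IQService use to reach the DC.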

Aah, the green box of approval from IDN!!! The gods are happy and everything is good in the world again!!!

I hope this helps someone set up their own AD lab at home with an LDAPS TLS connection and without a CA server. Of course, this will not be a problem in an enterprise deployment.
