How To Configure gMSA in AD Connector for ISC

Introduction

So I have been playing around with the newly released capability of our AD connector to use Group Managed Service Accounts (gMSA). Now, I am no AD expert and this article will evolve, but this is a quick test I have done in my home lab AD setup.

NOTE: These are not official steps and I am not an AD expert. Please test in your sandbox environment, and understand and adjust each command per Microsoft's and your own AD deployment guidelines.

Infrastructure

  • AD Domain: abc.local
  • Functional Level: Windows Server 2016
  • Domain Controller (one): dc1.abc.local
  • IQService: running on domain controller “dc1”, non-TLS on port 6050

Steps

  • Generate a KDS root key and make it effective immediately so the gMSA can be created right away
  • Create a new managed service account called GMSA_ACCOUNT. DC1 is a member of the “IQService Servers” group, so we allow the computers in that group to retrieve the password. A server that is not in a group can also be named directly as serverName$

The account now shows up in AD.

  • Add a UPN for the account, as it is missing at this stage, by manually editing the userPrincipalName attribute in Attribute Editor

  • Run the Install-ADServiceAccount command on the server running IQService

  • Run the command that purges the Kerberos tickets cached for the Local System account
  • Add the account as a local Administrator on the machine running IQService so that it can start the service
  • Run Set-ADServiceAccount so the account is allowed to retrieve its own password
  • On the IQService service, go to Properties -> Log On, change it to use the gMSA account and click OK. You can also follow my guide on how to install IQService from scratch if you need it.
  • Give the gMSA account full rights to the IQService folder
  • Give the gMSA account Account Operators rights, or the appropriate permissions for its tasks in AD.
  • Restart IQService (or the server, for good measure).
  • Now set up an AD source the normal way, with slight changes on the Domain Settings page (using port 389 with SASL for gMSA)
  • On the IQService page, configure the non-TLS port
  • Test the connection and it should be all GREEN 🙂

Additional Notes

  • You can set up TLS client auth with IQService by creating a local account on the IQService box with a password, adding it to the configuration, and registering it with IQService via the IQService.exe -a abc\gsmatesttls option
  • The -PrincipalsAllowedToRetrieveManagedPassword property of Set-ADServiceAccount can be passed multiple server names and account names, but they need to be passed as a list. Otherwise it seems to wipe the previous servers and keep only the last one

In the above, we allow GMSA_ACCOUNT$ to retrieve its own password and also allow multiple IQService servers to use the same account to retrieve it (in the previous example we used the group “IQService Servers”)
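The Steps above and the note on passing a list of principals, as one added PowerShell script (this is my example, not from the original post or from SailPoint). It is meant to be run in an elevated PowerShell on dc1, the host that runs IQService. The gMSA name GMSA_ACCOUNT, the group “IQService Servers”, the NetBIOS name ABC, the folder C:\IQService and the Windows service name IQService are assumptions to replace with your own values.

```powershell
#requires -Modules ActiveDirectory
# Added example (not from the original post or SailPoint): the Steps above as one
# script, run elevated on dc1 (the host running IQService).
# Assumed/placeholder values: gMSA name, group name, NetBIOS name, install folder
# and Windows service name. Replace them with the real ones from your deployment.

$Domain      = 'abc.local'
$NetBios     = 'ABC'                      # assumed NetBIOS name of abc.local
$GmsaName    = 'GMSA_ACCOUNT'
$GmsaSam     = $GmsaName + '$'            # a gMSA's sAMAccountName ends in '$'
$AllowedGrp  = 'IQService Servers'        # AD group holding the IQService computer accounts
$IQFolder    = 'C:\IQService'             # assumed IQService install folder
$ServiceName = 'IQService'                # assumed Windows service name of IQService

# 1. KDS root key. -EffectiveImmediately suits a single-DC lab; with several DCs
#    let the default 10-hour delay pass so the key has replicated everywhere.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Create the gMSA. Only members of the group (e.g. DC1$) may fetch the managed
#    password; a single host without a group would be given as 'DC1$' instead.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $AllowedGrp `
    -KerberosEncryptionType AES256

# 3. The UPN is empty on a fresh gMSA; set it the way Attribute Editor would.
Set-ADServiceAccount -Identity $GmsaName -Replace @{ userPrincipalName = "$GmsaName@$Domain" }

# 4. Purge the tickets cached for Local System (logon id 0x3e7). The post does
#    this after the install; doing it first means DC1$ gets a fresh TGT carrying
#    its current group membership before the password retrieval is tested.
klist.exe purge -li 0x3e7

# 5. Install the gMSA on this host and confirm it can retrieve the password.
Install-ADServiceAccount -Identity $GmsaName
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "Test-ADServiceAccount failed: this host may not be allowed to retrieve the password"
}

# 6. Local Administrators on the IQService host, as the post does.
Add-LocalGroupMember -Group 'Administrators' -Member "$NetBios\$GmsaSam"

# 7. Let the gMSA retrieve its own password and keep the server group. The value
#    must be one array: a scalar replaces the whole list instead of adding to it.
#    Extra hosts go in the same array, e.g. @($AllowedGrp, $GmsaSam, 'IQSVC2$').
Set-ADServiceAccount -Identity $GmsaName `
    -PrincipalsAllowedToRetrieveManagedPassword @($AllowedGrp, $GmsaSam)

# 8. Service Log On as the gMSA (same as Properties -> Log On in services.msc).
#    A gMSA has no password you can type, so StartPassword is left empty.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$res = Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = "$NetBios\$GmsaSam"; StartPassword = '' }
if ($res.ReturnValue -ne 0) { throw "Changing the service logon failed with code $($res.ReturnValue)" }

# 9. Full control on the IQService folder, inherited by subfolders and files.
icacls.exe $IQFolder /grant "${NetBios}\${GmsaSam}:(OI)(CI)F" /T

# 10. AD rights. The post uses Account Operators; that built-in group can manage
#     most non-admin users and groups domain-wide, so delegating only the rights
#     IQService needs on the managed OU is the tighter choice where you can.
Add-ADGroupMember -Identity 'Account Operators' -Members (Get-ADServiceAccount -Identity $GmsaName)

# 11. Restart IQService and show who may now retrieve the managed password.
Restart-Service -Name $ServiceName
Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, UserPrincipalName, PrincipalsAllowedToRetrieveManagedPassword
```

The final Get-ADServiceAccount output should list both the group and GMSA_ACCOUNT$ under PrincipalsAllowedToRetrieveManagedPassword; if only one appears, the value was passed as a scalar rather than an array. The AD source in ISC (port 389 with SASL, non-TLS IQService port) is then configured in the UI exactly as in the steps.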

Conclusion

By following these steps, you can successfully configure gMSA in AD Connector for ISC, ensuring better security and management of service accounts. Test in your environment and adjust settings as needed.

AD Home Lab LDAPS Setup for SailPoint IDN TLS Connection

Welcome 2020 (Or not)!!!

Really, this year needs to end. Period. Hope everyone is keeping safe and indoors as much as possible.

It has been a while since I have written something.

Anyway, I had a local VM running Active Directory for my SailPoint IDN home lab. Now I wanted to set up a TLS connection for it. So I thought it would be easy:

1. Create a CSR request in AD
2. Generate a CRT
3. Import the cert in AD
4. Test the connection via ldp or IDN.

I didn't want to go through installing an AD CA role for this one process. So I thought I would use OpenSSL, which was installed on my Mac. There are many excellent guides on how to enable LDAPS in AD by generating a self-signed certificate. By far the easiest I found was this one

But what I found was that the certificate being generated didn't contain the SAN. I found many such issues with the openssl command linked online. This is how I fixed it.

I followed the guide up to where v3ext.txt is generated, but used my own file as below

The IP address and additional DNS entry are just examples. My domain name in the example is “abc.local” and the DC name is “dc1.abc.local”. You can add additional DNS entries as per your requirements

And I modified the command to use this file

The rest is all the same as in the guide. You will get the certificate generated with the SAN and imported into your DC. LDAPS will work, and IDN and IQService will connect via TLS. Then forget about it for 10 years 😛

Aah, the green box of approval from IDN!!! Gods are happy & everything is good in the world again!!!

Hope it helps someone set up their own AD lab at home for an AD LDAPS TLS connection without a CA server. Of course this will not be a problem in an enterprise deployment.
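The v3ext.txt file and the modified signing command, as an added example of my own (not the guide's or the original post's files). It runs under pwsh on the Mac (or anywhere openssl is on the path) from a folder that already holds the lab CA key and certificate (ca.key, ca.crt) and the CSR exported from the DC (dc1.csr); those file names and the 192.168.1.10 address are constructed placeholders.

```powershell
# Added example (not from the guide or the original post): write an extension
# file with a SAN and sign the DC's CSR with it using OpenSSL.
# Assumed inputs in the current folder: ca.key and ca.crt (self-signed lab CA)
# and dc1.csr (the request created on the DC). The IP address is constructed.

$DcFqdn   = 'dc1.abc.local'
$DomainDn = 'abc.local'
$DcIp     = '192.168.1.10'       # constructed example address
$CsrFile  = 'dc1.csr'
$CrtFile  = 'dc1.crt'

# v3ext.txt: the extensions that openssl x509 -req will copy into the signed
# certificate. The SAN must list every name LDAPS clients will connect to;
# modern clients ignore the CN and fail the handshake if the host name is not
# in the SAN, which is why the certificate from the plain command did not work.
@"
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names

[alt_names]
DNS.1 = $DcFqdn
DNS.2 = $DomainDn
IP.1  = $DcIp
"@ | Set-Content -Path 'v3ext.txt' -Encoding ascii

# Sign the CSR with the lab CA. Without -extfile the SAN entries are silently
# dropped; with it the unnamed top section of v3ext.txt is applied, and
# subjectAltName pulls in the [alt_names] section.
openssl x509 -req -days 3650 -sha256 `
    -in $CsrFile -CA ca.crt -CAkey ca.key -CAcreateserial `
    -extfile v3ext.txt -out $CrtFile

# Check before importing on the DC: the SAN block must be present and list the DC name.
openssl x509 -in $CrtFile -noout -text |
    Select-String -Pattern 'Subject Alternative Name' -Context 0,1
```

If the Select-String output is empty, the extension file was not applied and the certificate will fail host-name validation even though it imports fine. Importing the result (and trusting ca.crt on the DC and on the IQService box) is unchanged from the guide.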

References