Discovery: How to use a Group Managed Service Account (GMSA) as the service account for Discovery?

Mark Radonic · ‎09-14-2021

What are GMSAs?:

Group managed service accounts (gMSAs) are managed domain accounts that you use to help secure services. gMSAs can run on a single server or on a server farm, such as systems behind a network load balancing or Internet Information Services (IIS) server. After you configure your services to use a gMSA principal, password management for that account is handled by the Windows operating system.

gMSAs offer a single identity solution with greater security. At the same time, to help reduce administrative overhead, they:

Set strong passwords: gMSAs use 240-byte, randomly generated complex passwords. The complexity and length of gMSA passwords minimizes the likelihood of a service getting compromised by brute force or dictionary attacks.
Cycle passwords regularly: gMSAs shift password management to the Windows operating system, which changes the password every 30 days. Service and domain administrators no longer need to schedule password changes or manage service outages to help keep service accounts secure.
Support deployment to server farms: The ability to deploy gMSAs to multiple servers allows for the support of load balanced solutions where multiple hosts run the same service.
Support simplified service principal name (SPN) management: You can set up an SPN by using PowerShell when you create an account. In addition, services that support automatic SPN registrations might do so against the gMSA, provided that the gMSA permissions are correctly set.

More info at the following link: GMSA by Microsoft

How Discovery Benefits from GMSA?:

Not only Discovery benefits from the security posture brought by GMSA concept but also administrators that usually needs to control and manage service accounts regularly.

What we will see in the following article is that:

You can choose the cycle of the password rotation of the GMSA for better security
You won't need to store password into ServiceNow instance
The GMSA user doesn't need to be member of a domain admin group
The computers which will be able to use the GMSA doesn't need to be in a domain admin group
The GMSA user that will be used as the mid server service account, doesn't need to be on the local admin group of the mid server

GMSA Implementation:

What will be presented here is the following:

Creating a KDS Root key on a Domain Controller
Creating a security group
Creating a GMSA account as described here: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-star...
Allowing the security group to retrieve the password of the GMSA
Adding all computers to the security group
Adding the GMSA account to the local admin group of each computer (no need on the mid server)
Install the GMSA on all computers
Starting the mid server with the GMSA account: https://docs.servicenow.com/bundle/rome-servicenow-platform/page/product/mid-server/concept/mid-serv...
Create a windows credentials with the option “use mid server service account”
Launch a discovery on the server hosting mid server and another computer (see schema above)

Key Distribution Services KDS Root Key

Domain Controllers require a root key to generate the password for gMSA accounts.

The root key only needs to be created once, thus if there are already gMSA accounts in the domain, then there is no need to create the root key.

To determine if the root key exists, run Get-KdsRootKey in the forest root domain and child domain using Windows PowerShell (open the powershell window as an administrator):

In this example the root key already exists. To create a new on execute the following command:

Add-KdsRootKey -EffectiveImmediately

With the above command the root key will be operational in 10 hours. To bypass this you can execute the following command for test:

Add-KdsRootKey –EffectiveTime ((Get-Date).AddHours(-10))

The KDS Root Key can also be viewed using the Active Directory Sites and Services Console. In the console, select View then select Show Services Node:

Create a domain user group:

In the Active Directory Users and Computers, create a new group:

Add all computers to the group that should use the GMSA as a service account:

Create a Group Managed Service Account (gMSA)

The root key is available in the root domain and operational. let's now create a GMSA in the root domain.

When creating the gMSA you need to specify the computer accounts that will be allowed to make use of the gMSA. The gMSA will not work on any computers that are not specified in the PrincipalsAllowedToRetrieveManagedPassword attribute. You can specify the computer accounts using a comma separated list, or you can specify a security group (what has been done earlier), and then add the computer accounts to the security group instead.

New-ADServiceAccount -Name "gmsa-03" `
-DNSHostName "gmsa-03.XXX.XXX.XXX" `
-PrincipalsAllowedToRetrieveManagedPassword "GMSAGroup" `
-Description "gMSA for SN Discovery" `
-ManagedPasswordIntervalInDays 30 `
-Enabled $True

The gMSA account was created and can be seen in the Managed Service Accounts container:

Let’s view some of the properties for the gMSA account using Windows PowerShell. The command I use is as follows:

Get-ADServiceAccount gmsa-03 -Properties * | FL DNSHostName,KerberosEncryptionType,ManagedPasswordIntervalInDays,Name,PrincipalsAllowedToRetrieveManagedPassword,SamAccountName

Now we will install the GMSA account on the servers that need to use it (the ones that have been added to the security group).

the following command does this:

Install-ADServiceAccount gMSA-03

If you have an Access Denied error message it is normal. You need to restart the computer in order to take in account its belonging to the security group. When you relaunch the command it should work:

To test the installation of the GMSA, the following command can be executed:

Test-AdServiceAccount -Identity gmsa-03

Configure Discovery to use the GMSA service account

In order for Discovery to use the GMSA, it needs to be part of the local administrators group of each computer

The mid server needs to be installed by specifying the GMSA as the Mid server Service account. If the mid server has already been installed, you can change the "log on" property by specifying the new GMSA in the "services.msc" window. Or you can launch the following command (as an administrator) to change the user in the service:

sc config snc_mid_liferaymid obj=CORP\gmsa-03$

"snc_mid_liferaymid" is the service name of the mid server

the "$" at the end of the GMSA is to identify a GMSA user and that the password is managed by the system. So you need to leave the password field empty

Restart the mid server.

Verify if the mid server is up and running in the instance:

Now let's create a windows credentials for the discovery to run.

When selecting the "Windows credentials" type, name it and check the box "Use mid server service account" like below:

Verify that this is the only active windows credentials in the list:

Configure a schedule discovery with the mid server installed previously and the list of servers's ip addresses

Launch the discovery and it should discover your servers.

You can open back the windows credentials window and see the "Discovery IP affinity":

JusCuz · ‎11-16-2021

I'm able to set the GMSA on an existing service, however the service will not start, any ideas? I'm completely unable to set it on a new MID install, the 'Validate MID Service Settings' always returns an error with the GMSA account.

Mark Radonic · ‎11-17-2021

Hello,

Can you confirm the service account provided has the log on as service right, which is required for an account to be used as the log on user for a service.

If it still doesn't work, can you try to install the mid with a normal service account, and then change this one with the GMSA account from the services window or change it with the following command:

sc config snc_mid_liferaymid obj=CORP\gmsa-03$

LC10 · ‎12-14-2021

Hi Mark,

Thank you for this article. It could really help in a security perspective.

I have the same problem of the service not starting. I'm getting an error 5: Access is denied. The account is local admin and has the proper right as log on as a service.

BTW I have multiple mid server instance with different name, working normally with stadard service account.

Thanks.

swarner · ‎12-14-2021

There are a couple of things to check.

If the gMSA account was setup in AD by a different team then I suggest you check that they set it up as ServiceNow recommends. Make sure that Get-ADServiceAccount run from the MID server computer returns the correct results.

Secondly, when you add the gMSA account to the MID server service make sure to clear the password field before saving.

These were the issues we had. Once resolved everything worked correctly.

Eric Bello · ‎01-03-2022

Thanks Mark for this article, very helpful and detailed.

My issue with this setup is that the same account (the one running the MID server service) will be local admin of all servers. Am I correct? Therefore if this gMSA account ever gets compromised, this means a lot of servers will be compromised too. I know gMSA is much more secure and hard to break (low probability) but since impact could be high (a lot of servers), it's still a sensible risk.

Say that I want to make smaller pockets of servers in order to limit the impact.

Is my only option to stack up multiple MID servers, running distinct accounts (and covering different IP ranges)?

Or is it possible to use gMSA accounts in the credentials table for the ServiceNow Discovery (distinct from the MID server account)?

Mark Radonic · ‎01-03-2022

Hello Eric,

Thanks for your comment.

Regarding your question, the fact that the GMSA account needs local admin rights on servers is because Discovery needs high privileges

Using a GMSA account in the credentials table (or outside of the MID server service account option) is not possible for the current release of ServiceNow as the GMSA password is rotating and we would need to change it manually at the same frequency

There is an option today to use en "external credential store" in the credential table but it has not been adapted to GMSA. This framework is used to connect to Vault systems like Cyberark or Hashicorp Vault with java protocol. Maybe this framework could be adapted to GMSA in the future.

To answer your security constraints, I assume having multiple Mid Servers is the only way for now to spread the risk between multiple GMSA accounts and server groups

You could also configure your GMSA account to work with JEA settings that would improve your security posture:

https://docs.servicenow.com/bundle/rome-it-operations-management/page/product/discovery/concept/microsoft-jea-discovery.html

Mark

Eric Bello · ‎01-03-2022

Thanks Mark for confirming.

So if I multiply MID servers with distinct account / IP ranges, do I also need to create distinct "GMSA Groups" in AD? Or is it ok to put all of gMSA accounts in 1 single GMSA Group?

Mark Radonic · ‎01-03-2022

I haven't tested this configuration but it should work if it is supported by Microsoft.

acoppola · ‎10-04-2022

Thank you for this article.
There's something I don't understand. Why do all the target servers (the servers we want to discover) need to be member of the gMSA security group (see the GMSA Implementation schema above) ?
All the members of this group (named GMSAGroup in our example) are allowed to retrieve the password of the gMSA --> are allowed to use this gMSA.
This implies that any local admin of one of these target servers is able to use the gMSA to run any scheduled task (for example) as local admin on all the target servers !
IMO, only the MID server need to retrieve the password of the gMSA as it uses it to run ITOM. It can then access to all other target servers because the gMSA is local admin of all the target servers, whatever these servers know the password of the gMSA or not (--> whatever these target servers are member or not of GMSAGroup).

Edit 05/08/2023
We now use ITOM with a gMSA and I confirm that - contrary to what is stated in this documentation - only the MID server should be part of "GMSAGroup". All "Discovered Windows Servers" must not be member of this group, they just need to have "gmsa-03" as local admin.

dick linschoten · ‎05-05-2023

@Mark Radonic and others,
interesting article with lots of tips. how ever one additional question.
I'm installing the midserver using the msi wizard I need to specify the service account.
This should here be the gmsa service account right. As i read in the documentation it states:

"Group Managed Service Accounts (gMSA) that inherit the log on as service policy from their groups are not displayed in the drop-down. However, you can install the MID Server service using those accounts by manually entering the service account name in the editable drop-down"

however when entering the gmsa account like DOMAIN\gmsa$ and verify the account it states that its not a valid service account.
I've valided that the account has logon as a service. log on as a batch job.
am I missing a setting here?

pratik0306 · ‎12-14-2023

@acoppola but still the local admin point will come in play, right? is there any option to not have local admin privilege and still discover it?-- one option i thought was via ACC agents or SCCM service graph connector to pull all windows based systems.

acoppola · ‎12-18-2023

@pratik0306
Indeed, if you need to query Servers directly, the gMSA needs to be local admin of all the servers.
In our environment, we retrieve some info from SCCM, other from VMware but also some directly from the servers. Unfortunately, I don't know exactly which info comes from where (I manage servers' access, not ServiceNow in my company) but, depending on which info you need, maybe that you could use only SCCM and/or VMware connector(s).

ondrej_kieler · ‎02-26-2024

Hello @Mark Radonic ,

Thanks for the article. It very well describes what one of my customer currently needs. They use discovery tool from different vendor in a way that they run multiple discovery services on one Windows host under multiple gmsa accounts. Requirement is that they need to scan different environments running in the same domain using different gmsa accounts. Lets say:

1) dev - scanned by user domain\dev$

2) test - scanned by user domain\test$

3) prod - scanned by user domain\prod$

Is it possible and also good idea to deploy only one Windows server (in order to do not have to maintain 3 Windows servers) and install three instances of MID servers on it? Each running under different gmsa account. I know that current solution works without issues but I have never tried it with ServiceNow discovery. Is it possible to do this and what would be pros and cons of this approach?

Thanks a lot,

Ondrej Kieler