Group Managed Service Account gMSA


Rob Winningham

Jul 25, 2016, 1:56:02 PM
to Particular Software
Helpful information to include
Product name: NServiceBus
Version: latest
Stacktrace: none
Description: I want the Windows Service that NServiceBus.Host.exe creates to be executed as a Group Managed Service Account.  In Windows Server 2012, you can create a special account in Active Directory called a Group Managed Service Account (gMSA).  You can use this account to host Windows Services, IIS App Pools, Scheduled Tasks, and more.  The advantage of using a gMSA is that you don't have to know the password.  In fact, no one knows the password.  When an administrator of a server creates a Windows Service using services.msc, he (or she) can click on the login tab, type the gMSA's UPN and leave the password blank.  The server (if it is permitted to do so) will retrieve the managed password from Active Directory.  The password is automatically changed and refreshed on a scheduled basis.  

We run as many services as we can using gMSAs.


My question is, how can I run Windows Services using NServiceBus.Host.exe using a gMSA?

I've tried the following:

NServiceBus.Host.exe -install -serviceName="MyExample" -displayName="Example" -description="Example" -username="CORP\mygmsa$" -password="password"

Unhandled Exception: System.InvalidOperationException: The installation failed, and the rollback has been performed. ---> System.ComponentModel.Win32Exception: The account name is invalid or does not exist, or the password is invalid for the account name specified

NServiceBus.Host.exe -install -serviceName="MyExample" -displayName="Example" -description="Example" -username="CORP\mygmsa$" -password=""

Unhandled Exception: System.InvalidOperationException: The installation failed, and the rollback has been performed. ---> System.ComponentModel.Win32Exception: The account name is invalid or does not exist, or the password is invalid for the account name specified

NServiceBus.Host.exe -install -serviceName="MyExample" -displayName="Example" -description="Example" -username="CORP\mygmsa$"

Successful installation, but the Windows Service is running under "Local System" not the gMSA.


Sean Farmar

Aug 3, 2016, 10:21:01 AM
to Particular Software
We have opened a support case for this.

I'll update here once we have a result

Sean Farmar

Aug 4, 2016, 7:04:24 AM
to Particular Software
I've checked and here are my findings:

NServiceBus Host does not support gMSA accounts as part of the service installation.

The service would need to be installed using a standard account like localsystem and then switched to a gMSA account after installation through services.msc.

Obviously any queue permissions etc. would have to be manually added.

I've opened a feature request against the NSB Host and ServiceControl installation to support GMSA accounts.
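
The workaround described above (install under the default account, then switch the logon to the gMSA), scripted rather than done through services.msc. This is an added example, not part of the original thread and not Particular Software's code. It reuses the service and account names from the commands earlier in the thread and assumes the ActiveDirectory RSAT module is installed and that the gMSA already holds the "Log on as a service" right on this host.

```powershell
#Requires -RunAsAdministrator
# Added example: names come from the thread's commands; adjust for your environment.
$ErrorActionPreference = 'Stop'
$ServiceName = 'MyExample'
$GmsaName    = 'mygmsa'          # sAMAccountName without the trailing $
$Account     = 'CORP\mygmsa$'    # logon name as the Service Control Manager expects it

# 1. Confirm this host is permitted to retrieve the managed password from AD.
Import-Module ActiveDirectory
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "This host cannot use gMSA '$GmsaName'; check PrincipalsAllowedToRetrieveManagedPassword."
}

# 2. Install without credentials, as in the third attempt in the thread.
#    The service is created running as Local System.
& .\NServiceBus.Host.exe -install "-serviceName=$ServiceName" '-displayName=Example' '-description=Example'
$null = Get-Service -Name $ServiceName   # throws if the install did not create the service

# 3. Switch the logon account. No password is supplied: for a managed service
#    account the password argument must be omitted, not set to an empty string.
Stop-Service -Name $ServiceName -Force
& sc.exe config $ServiceName obj= $Account
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

# Mark the account as managed so the password is fetched from AD at service start.
& sc.exe managedaccount $ServiceName true
if ($LASTEXITCODE -ne 0) { throw "sc.exe managedaccount failed with exit code $LASTEXITCODE" }

# 4. Verify the service no longer runs as Local System before starting it.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc.StartName -ne $Account) {
    throw "Service logon is '$($svc.StartName)', expected '$Account'"
}

# 5. Start under the gMSA. Queue permissions for the account are not handled
#    here and still have to be granted separately.
Start-Service -Name $ServiceName
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State
```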
