Install and Configure a Group Managed Service Account with Microsoft Identity Manager 2016 SP1 with Hotfix 4.5.26.0

Hello All !!

Microsoft Identity Manager has had numerous support, enhancements, and bug fixes over the past year such as adding support for SQL AlwaysOn, SQL on IaaS, and System Center 2016, the ability to create new custom objects that act like groups, and operational items like quickly enabling verbose tracing without service restart.

Today, Microsoft announced another enhancement and hotfix that improves your security by reducing the number of service account passwords your organization has to manage.

Support Blog: https://blogs.technet.microsoft.com/iamsupport/2018/07/16/support-release-mim2016-microsoft-identity-manager-2016-sp1-hotfix-4-5-26-0-released
Microsoft KB Article: https://support.microsoft.com/en-us/help/4073679
Version History : https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/version-history
Download: https://www.microsoft.com/en-us/download/details.aspx?id=57078

That’s right, Group Managed Service Accounts (gMSA) is now supported in the Microsoft Identity Manager core components and provides automatic password management for those service accounts! For people not familiar with gMSA, the passwords are 240 bytes of cryptographic random goodness and changed automatically (by default every 30 days). The following components now support Group Managed Service Accounts.

Service and Portal
Privileged Access Management (PAM)
Synchronization Service

The SharePoint application pool, Certificate Management, and BHold are excluded from gMSA support.

The purpose of this post is to walk through converting your existing MIM deployment to utilize gMSA for the components listed above.

Environment setup and configuration

Domain Controller: privdc.priv.contoso.com
PAM Server: pamsrv.priv.contoso.com
- MIM Service & Portal: http://pamsrv.priv.contoso.com/IdentityManagement/
- PAM API: http://pamsrv.priv.contoso.com:8086/
- PAM Open Source Portal: http://pamsrv.priv.contoso.com:8000/
PAM Accounts: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-2-prepare-priv-domain-controller

Enabling gMSA within your Domain

Step #1: Create the KDS Root Key (required only once per domain) and is used by the KDS service on DCs to generate passwords:

Add-KDSRootKey -EffectiveTime ((get-date).addhours(-10))

This step is a workaround to the built-in measure that makes us wait 10 hours (by default) for DCs to replicate and respond to gMSA requests.

Step #2: Apply the latest hotfix (April 2018) to your existing Microsoft Identity Manager 2016 SP1 environment.

Privileged Access Management & MIM Service

Step #1: Create a security group

Create a security group and add the PAM server object as a member to the group. In this example, we create the group MIMService_Servers and have added the PAMSRV computer object as a member.

Step #2: Create and configure MIM Service gMSA Account. Note: The gMSA sAMAccountName must not be longer than 15 characters.

New-ADServiceAccount -name MIMsrvGMSAsvc -DNSHostName MIMsrvGMSAsvc.contoso.com -PrincipalsAllowedToRetrieveManagedPassword "MIMService_Servers"
Set-ADServiceAccount MIMsrvGMSAsvc -PrincipalsAllowedToRetrieveManagedPassword MIMService_Servers

Step #3: Run Change Mode to configure Service and Portal for gMSA

In this step, you will need to decide whether to use an Office 365 account for approvals and workflows or on-premise Exchange account. In effect, is the mailbox for the FIMService account hosted in Exchange Online, or in on-prem Exchange. If the mailbox is hosted in Exchange Online, then a separate service account must be created to enable gMSA for the MIM Service. gMSA doesn’t support the ability to have a mailbox so we need to identify this account for setup. It can be the same account previously running as the service