Hello All !!
Microsoft Identity Manager has received numerous enhancements and bug fixes over the past year, such as support for SQL AlwaysOn, SQL on IaaS, and System Center 2016, the ability to create custom object types that behave like groups, and operational improvements such as enabling verbose tracing without a service restart.
Today, Microsoft released another enhancement, delivered as a hotfix, that improves your security posture by reducing the number of service account passwords your organization has to manage (and has to store, share, and remember to rotate).
- Support Blog: https://blogs.technet.microsoft.com/iamsupport/2018/07/16/support-release-mim2016-microsoft-identity-manager-2016-sp1-hotfix-4-5-26-0-released
- Microsoft KB Article: https://support.microsoft.com/en-us/help/4073679
- Version History: https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/version-history
- Download: https://www.microsoft.com/en-us/download/details.aspx?id=57078
That’s right, Group Managed Service Accounts (gMSA) are now supported by the Microsoft Identity Manager core components, and they provide automatic password management for those service accounts. For people not familiar with gMSA: the password is a 240-byte random value generated by the Key Distribution Service on the domain controllers, it is rotated automatically (every 30 days by default), and it is never set or typed by an administrator, so there is nothing to write down or to forget to rotate. Only the principals you explicitly allow (normally a group containing the server computer accounts) can retrieve it. The following components now support Group Managed Service Accounts:
- Service and Portal
- Privileged Access Management (PAM)
- Synchronization Service
The SharePoint application pool, Certificate Management, and BHold are excluded from gMSA support.
The purpose of this post is to walk through converting your existing MIM deployment to utilize gMSA for the components listed above.
Environment setup and configuration
- Domain Controller: privdc.priv.contoso.com
- PAM Server: pamsrv.priv.contoso.com
- MIM Service & Portal: http://pamsrv.priv.contoso.com/IdentityManagement/
- PAM API: http://pamsrv.priv.contoso.com:8086/
- PAM Open Source Portal: http://pamsrv.priv.contoso.com:8000/
- PAM Accounts: https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/step-2-prepare-priv-domain-controller
Enabling gMSA within your Domain
Step #1: Create the KDS Root Key (required only once per domain). It is used by the Key Distribution Service on the DCs to derive gMSA passwords:
Add-KDSRootKey -EffectiveTime ((get-date).addhours(-10))
Backdating the effective time by 10 hours is a workaround for the built-in safeguard that otherwise makes the key usable only 10 hours after creation, which gives every DC time to replicate it before any gMSA password is requested. That is fine for a lab or a single-DC domain; in a production forest, create the key with -EffectiveImmediately and wait the 10 hours, otherwise a gMSA password request can land on a DC that has not received the key yet. Get-KdsRootKey shows whether a key exists.
Step #2: Apply the latest hotfix rollup (build 4.5.26.0, linked above) to your existing Microsoft Identity Manager 2016 SP1 environment.
Privileged Access Management & MIM Service
Step #1: Create a security group
Create a security group and add the PAM server object as a member to the group. In this example, we create the group MIMService_Servers and have added the PAMSRV computer object as a member.
Step #2: Create and configure MIM Service gMSA Account. Note: The gMSA sAMAccountName must not be longer than 15 characters.
New-ADServiceAccount -name MIMsrvGMSAsvc -DNSHostName MIMsrvGMSAsvc.contoso.com -PrincipalsAllowedToRetrieveManagedPassword "MIMService_Servers"
Set-ADServiceAccount MIMsrvGMSAsvc -PrincipalsAllowedToRetrieveManagedPassword MIMService_Servers
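The two steps above, carried out end to end with the checks a practitioner wants before running change mode. This is an example added here, not code from the original post or from Microsoft's KB: the names MIMService_Servers, MIMsrvGMSAsvc and PAMSRV are the post's own; the priv.contoso.com DNS suffix (the PAM server lives in the PRIV domain) and the reboot of the server before Install-ADServiceAccount are assumptions.

```powershell
# Run on a DC or an admin workstation with the ActiveDirectory module.
Import-Module ActiveDirectory

$groupName = 'MIMService_Servers'
$gmsaName  = 'MIMsrvGMSAsvc'      # sAMAccountName of a gMSA must be 15 characters or fewer
$server    = 'PAMSRV'             # computer account of the MIM/PAM server
$dnsSuffix = 'priv.contoso.com'   # assumed: the gMSA is created in the PRIV domain

if ($gmsaName.Length -gt 15) {
    throw "gMSA name '$gmsaName' exceeds the 15-character sAMAccountName limit"
}

# 0. The KDS root key from "Enabling gMSA within your Domain" must exist, or
#    New-ADServiceAccount fails with a key-not-found error.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key in this domain; run Add-KdsRootKey first'
}

# 1. Group whose members may retrieve the managed password. Granting retrieval to a
#    group rather than to individual hosts keeps the gMSA ACL stable when servers change.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer $server)

# 2. The gMSA itself. PrincipalsAllowedToRetrieveManagedPassword is the only thing
#    standing between the password and any authenticated principal, so keep it tight.
New-ADServiceAccount -Name $gmsaName -DNSHostName "$gmsaName.$dnsSuffix" `
    -PrincipalsAllowedToRetrieveManagedPassword $groupName

# 3. Check who can retrieve the password and how often it rotates (30 days by default).
Get-ADServiceAccount $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword,
                                            ManagedPasswordIntervalInDays |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays

# --- On the MIM/PAM server (PAMSRV) ---
# The computer's Kerberos ticket was issued before it joined the group, so reboot
# (or purge the system ticket cache: klist -li 0x3e7 purge) before these commands.
#   Install-WindowsFeature RSAT-AD-PowerShell   # only if the AD module is missing
#   Install-ADServiceAccount MIMsrvGMSAsvc
#   Test-ADServiceAccount MIMsrvGMSAsvc         # must return True before change mode
```

If Test-ADServiceAccount returns False, the usual cause is that the server's token does not yet contain MIMService_Servers; the reboot (or ticket purge) fixes that, not re-running New-ADServiceAccount.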
Step #3: Run Change Mode to configure Service and Portal for gMSA
In this step you need to decide whether approvals and workflow notifications are sent from an Office 365 (Exchange Online) mailbox or from an on-premises Exchange mailbox; in effect, where the mailbox for the FIMService account is hosted. A gMSA cannot have a mailbox, so if the mailbox is hosted in Exchange Online a separate, regular service account must be identified during setup to own the mailbox while the gMSA runs the MIM Service. It can be the same account that previously ran the service.
Step #4: Create and configure the PAM gMSA account
Create the managed service account used by the PAM REST API and by the PAM Component and Monitoring Services, following the same pattern as the MIM Service gMSA above (a group containing the PAM server, then New-ADServiceAccount restricted to that group).
Step #5: Run change mode for the PAM components
For the final step we run the Service and Portal install under change mode. Change mode updates the following PAM services:
- PAM API Service
- PAM Component Services
- PAM Monitoring Service
- PAM Custom Portal
Known Issues:
Issue #1: Kerberos Failing on Service and Portals or PAM API
Kerberos authentication to the Service and Portal or to the PAM API fails after the move because delegation was configured on the old service account and does not carry over to the gMSA. Update the delegation setting on the gMSA with Set-ADAccountControl, and make sure the service's SPNs (FIMService/<host> for the MIM Service) are registered on the gMSA rather than on the old account, since Kerberos tickets are issued for the account that owns the SPN.
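One way to move the SPNs and re-apply delegation for the MIM Service gMSA, as an added example that is not part of the original post or of Microsoft's guidance. The old account name MIMService, the gMSA name MIMsrvGMSAsvc and the host pamsrv.priv.contoso.com are assumed; the FIMService/<host> SPN format is the one the MIM Service uses. Extend $spns with any SPN your PAM API uses.

```powershell
Import-Module ActiveDirectory

# Assumed names (not from the original post)
$oldAccount = Get-ADUser 'MIMService' -Properties ServicePrincipalNames,
                                                   TrustedForDelegation,
                                                   TrustedToAuthForDelegation
$gmsa       = Get-ADServiceAccount 'MIMsrvGMSAsvc' -Properties ServicePrincipalNames
$fqdn       = 'pamsrv.priv.contoso.com'
$spns       = @("FIMService/$fqdn", 'FIMService/pamsrv')

# 1. Kerberos tickets for a service are issued to the account that owns its SPN, so the
#    SPNs must move from the old account to the gMSA. An SPN registered on two accounts
#    breaks Kerberos for that service entirely, so remove before adding.
$stillOnOld = $spns | Where-Object { $oldAccount.ServicePrincipalNames -contains $_ }
if ($stillOnOld) {
    Set-ADUser -Identity $oldAccount -ServicePrincipalNames @{ Remove = $stillOnOld }
}
Set-ADServiceAccount -Identity $gmsa -ServicePrincipalNames @{ Add = $spns }

# 2. Re-apply the delegation flags the old account carried (the "update your delegation"
#    step). TrustedForDelegation is unconstrained delegation: a host running under this
#    account can impersonate anyone who authenticates to it, so copy only what the
#    deployment actually had rather than switching both flags on.
Set-ADAccountControl -Identity $gmsa `
    -TrustedForDelegation       $oldAccount.TrustedForDelegation `
    -TrustedToAuthForDelegation $oldAccount.TrustedToAuthForDelegation

# 3. Checks: the SPNs should now be on the gMSA only, and setspn -X reports any
#    duplicate SPN left in the forest.
(Get-ADServiceAccount $gmsa -Properties ServicePrincipalNames).ServicePrincipalNames
(Get-ADUser $oldAccount -Properties ServicePrincipalNames).ServicePrincipalNames
setspn -X
```

After the change, a Kerberos ticket for the portal can be confirmed from a client with klist: the FIMService ticket should show the gMSA's realm and the new SPN, and there should be no fallback to NTLM in the MIM Service event log.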
Issue #2: PAM Request workflow failing with activity with “insufficient access rights”
The PAM workflow creates shadow principals in the Shadow Principal Configuration container (CN=Shadow Principal Configuration,CN=Services,CN=Configuration,... in the PRIV forest), and the permissions granted there during PAM setup apply to the old MIM Service account, not to the gMSA. To resolve this, grant the gMSA the same permissions on that container.
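A way to grant the gMSA exactly the rights the old account held on the Shadow Principal Configuration container, by copying the explicit ACEs instead of re-typing them. This is an added example, not code from the original post; the account names MIMService and MIMsrvGMSAsvc are assumed, and it must run in the PRIV forest with the ActiveDirectory module loaded (which provides the AD: drive).

```powershell
Import-Module ActiveDirectory

# Assumed names (not from the original post): the account that ran the MIM Service
# before the change, and the gMSA that replaces it.
$oldAccount = Get-ADUser 'MIMService'
$gmsa       = Get-ADServiceAccount 'MIMsrvGMSAsvc'

# The container PAM writes shadow principals into, in the configuration partition.
$container = 'CN=Shadow Principal Configuration,CN=Services,' +
             (Get-ADRootDSE).configurationNamingContext
$path      = "AD:\$container"

$acl    = Get-Acl -Path $path
$oldSid = [System.Security.Principal.SecurityIdentifier]$oldAccount.SID.Value
$newSid = [System.Security.Principal.SecurityIdentifier]$gmsa.SID.Value

# Copy every explicit (non-inherited) ACE that names the old account onto the gMSA,
# preserving rights, allow/deny type, the object/attribute GUIDs and the inheritance
# settings, so the gMSA ends up with the same scope of access and nothing more.
$copied = 0
foreach ($ace in $acl.Access) {
    if ($ace.IsInherited) { continue }
    $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    if ($aceSid -ne $oldSid) { continue }
    $newAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $newSid, $ace.ActiveDirectoryRights, $ace.AccessControlType,
        $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)
    $acl.AddAccessRule($newAce)
    $copied++
}
if ($copied -eq 0) {
    throw "No explicit ACEs for $($oldAccount.SamAccountName) on $container; nothing to copy"
}
Set-Acl -Path $path -AclObject $acl
Write-Output "Copied $copied ACE(s) to $($gmsa.SamAccountName)"

# Check: what the gMSA now holds on the container
(Get-Acl -Path $path).Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $newSid
    } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
```

Copying by SID rather than by name avoids a mismatch on the trailing $ that gMSA sAMAccountNames carry, and leaving the old account's ACEs in place until the workflow is confirmed working keeps a rollback path; remove them once the gMSA is the only account running the service.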
Synchronization Service
Environment setup and configuration
- Domain Controller: mimdc.contoso.com
- Synchronization Server: mimsync.contoso.com
Step #1: Enable gMSA in the domain
Refer to Enabling gMSA within your Domain within this article.
Step #2: Export a copy of the miiskeys.bin file (the Synchronization Service encryption key), so the key can be restored if the account change leaves the service unable to open its encrypted configuration. Details on doing this can be found at https://technet.microsoft.com/en-us/library/jj590361(v=ws.10).aspx
Step #3: Apply the hotfix
Step #4: Run change mode on the Synchronization Service
References:
- Group Managed Service Accounts Overview: https://technet.microsoft.com/en-us/library/hh831782
- Getting Started with Group Managed Service Accounts: https://technet.microsoft.com/en-us/library/jj128431
- Windows Server 2012: Group Managed Service Accounts: https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/
- Install and Configure a Group Managed Service Account with PowerShell: https://blogs.technet.microsoft.com/pstips/2017/08/24/install-and-configure-group-managed-service-account/