Install and Configure a Group Managed Service Account with Microsoft Identity Manager 2016 SP1 with Hotfix

Hello All !!

Microsoft Identity Manager has received numerous enhancements and bug fixes over the past year, such as support for SQL AlwaysOn, SQL on IaaS, and System Center 2016, the ability to create new custom objects that act like groups, and operational items like quickly enabling verbose tracing without a service restart.

Today, Microsoft announced another enhancement and hotfix that improves your security by reducing the number of service account passwords your organization has to manage.

That’s right, Group Managed Service Accounts (gMSA) are now supported in the Microsoft Identity Manager core components and provide automatic password management for those service accounts! For people not familiar with gMSA, the passwords are 240 bytes of cryptographic random goodness and are changed automatically (by default every 30 days). The following components now support Group Managed Service Accounts.

  • Service and Portal
  • Privileged Access Management (PAM)
  • Synchronization Service

The SharePoint application pool, Certificate Management, and BHold are excluded from gMSA support.

The purpose of this post is to walk through converting your existing MIM deployment to utilize gMSA for the components listed above.

Environment setup and configuration

Enabling gMSA within your Domain

Step #1: Create the KDS Root Key. This is required only once per domain; the key is used by the KDS service on DCs to generate passwords:

Add-KDSRootKey -EffectiveTime ((get-date).addhours(-10))

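Backdating the effective time by 10 hours is a workaround for the built-in safeguard that makes us wait 10 hours (by default) for the key to replicate to the DCs before they respond to gMSA requests. In a domain with several DCs, confirm that the key has replicated before creating gMSA accounts.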

Step #2: Apply the latest hotfix (April 2018) to your existing Microsoft Identity Manager 2016 SP1 environment.

Privileged Access Management & MIM Service

Step #1: Create a security group 

Create a security group and add the PAM server object as a member to the group.  In this example, we create the group MIMService_Servers and have added the PAMSRV computer object as a member.

Step #2: Create and configure MIM Service gMSA Account. Note: The gMSA sAMAccountName must not be longer than 15 characters.

New-ADServiceAccount -Name MIMsrvGMSAsvc -DNSHostName <DNS host name of the gMSA> -PrincipalsAllowedToRetrieveManagedPassword "MIMService_Servers"
Set-ADServiceAccount MIMsrvGMSAsvc -PrincipalsAllowedToRetrieveManagedPassword MIMService_Servers
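
A read-only pre-flight check for the KDS root key, the security group and the gMSA created above, added here as an example (it is not part of the original post or of the MIM installer). It assumes the ActiveDirectory RSAT module and uses the names from this post; the function name Test-MimGmsaReadiness is hypothetical.

```powershell
# Added example: read-only checks, nothing in AD is modified.
Import-Module ActiveDirectory

function Test-MimGmsaReadiness {   # hypothetical helper name
    param(
        [string]$GmsaName  = 'MIMsrvGMSAsvc',       # gMSA from Step #2
        [string]$GroupName = 'MIMService_Servers',  # group from Step #1
        [string]$Server    = 'PAMSRV'               # member server from Step #1
    )
    $findings = @()

    # The KDS root key must exist and its effective time must have passed.
    if (-not (Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) })) {
        $findings += 'No effective KDS root key found'
    }

    $group    = Get-ADGroup $GroupName -ErrorAction Stop
    $computer = Get-ADComputer $Server -ErrorAction Stop
    $gmsa     = Get-ADServiceAccount $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword -ErrorAction Stop

    # The post's 15-character limit; the trailing '$' is not counted here (assumption).
    if ($gmsa.SamAccountName.TrimEnd('$').Length -gt 15) {
        $findings += "sAMAccountName '$($gmsa.SamAccountName)' is longer than 15 characters"
    }

    # The server must be in the group that may retrieve the password.
    $memberDns = @(Get-ADGroupMember $group -Recursive | ForEach-Object DistinguishedName)
    if ($memberDns -notcontains $computer.DistinguishedName) {
        $findings += "$Server is not a member of $GroupName"
    }

    # Only the intended group should be able to retrieve the managed password.
    $allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword | Where-Object { $_ })
    if ($allowed -notcontains $group.DistinguishedName) {
        $findings += "$GroupName is not allowed to retrieve the password of $GmsaName"
    }
    foreach ($dn in $allowed) {
        if ($dn -ne $group.DistinguishedName) {
            $findings += "Unexpected principal can retrieve the password: $dn"
        }
    }

    # On the member server itself, confirm the password can actually be retrieved.
    if ($env:COMPUTERNAME -eq $Server -and -not (Test-ADServiceAccount $GmsaName)) {
        $findings += "Test-ADServiceAccount returned False on $Server (a restart is usually needed after adding it to the group)"
    }
    $findings
}

Test-MimGmsaReadiness | ForEach-Object { Write-Warning $_ }
```

No warnings means every check passed. Run it on the member server to include the final retrieval test.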

Step #3: Run Change Mode to configure Service and Portal for gMSA

In this step, you will need to decide whether to use an Office 365 account or an on-premises Exchange account for approvals and workflows. In effect, the question is whether the mailbox for the FIMService account is hosted in Exchange Online or in on-premises Exchange. If the mailbox is hosted in Exchange Online, then a separate service account must be created to enable gMSA for the MIM Service. A gMSA cannot have a mailbox, so we need to identify this account during setup. It can be the same account that was previously running the service.

Step #4: Create and configure MIM Service gMSA account

Create the managed service account for the PAM REST API and the Component and Monitoring Service

Step #5: PAM API: Create and configure MIM Service gMSA Account

For the final step we run the Service and Portal install under change mode.  Change mode updates the following PAM services:

  • PAM API Service
  • PAM Component Services
  • PAM Monitoring Service
  • PAM Custom Portal



Known Issues: 

Issue #1: Kerberos Failing on Service and Portals or PAM API

When moving to gMSA, you will need to update your delegation settings. To do this, we will use the Set-ADAccountControl cmdlet.


Issue #2: PAM Request workflow activity failing with “insufficient access rights”


To resolve this, we need to update the permissions on the Shadow Principal Container.


Synchronization Service

Environment setup and configuration

  • Domain Controller:
  • Synchronization Server:

Step #1 Enable gMSA on domain

Refer to Enabling gMSA within your Domain within this article

Step #2 Export a copy of the miiskeys.bin file.  Details to do this can be found at

Step #3 Apply patch

Step #4 Run change mode on the Synchronization Service



David Steadman has written 40 articles
