Hello and, again, welcome to the Aperture Science computer-aided enrichment center.
We hope your brief detention in the relaxation vault has been a pleasant one.
— GLaDOS
Managed Service Accounts (MSA) appeared first in the Windows Server 2008 R2 and received major overhaul (gMSA) in the Windows Server 2012. Those accounts have automatically managed passwords and tied to specific computer (WS 2008 R2) or group of computers (WS 2012). They cannot be locked out, and cannot perform interactive logons, which makes them ideal for running services. Under the hood MSA are the user accounts that inherit from a parent object class of “Computer” and the only supported way to manage them is the PowerShell.
To do so, you have to use cmdlets in the Active Directory module. This is two-step process: first, you create gMSA in the AD and then “install” this account on the target computer(s).
Here is the cmdlets used for the AD part of the process:
And here is the ones used to manage gMSA on the target computers:
When life gives you lemons, don’t make lemonade. Make life take the lemons back!
Get mad! I don’t want your damn lemons, what the hell am I supposed to do with these?
Demand to see life’s manager! Make life rue the day it thought it could give Cave Johnson lemons!
— Cave Johnson
While I don’t often create gMSAs in the AD, I do need to be able to install them en-masse on a servers, preferably via remote PowerShell session. And here comes the pain.
For starters, Active Directory module is not installed by default, unless the server is a domain controller. While this is easily solved by running
Import-Module ServerManager Add-WindowsFeature RSAT-AD-PowerShell
You still have to do it for every machine you’re trying to use gMSA on. Even with automation, this is another thing to bear in mind.
But this is only minor issue, comparing to what comes next. This is what you get when you try to import Active Directory module in the remote session on a machine where you need to install gMSA:
Import-Module ActiveDirectory WARNING: Error initializing default drive: 'Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.'.
This is the classic double hop issue, which can be fixed using several methods, some of them better than the others. Here is the most used ones:
Pass fresh credentials inside the Invoke-Command scriptblock
Pros: It works.
Cons: Makes unattended automation ungainly.
Configure CredSSP
Pros: This is the most used and well-documented approach.
Cons: Has security issues.
When using CredSSP, PowerShell will perform a “Network Clear-text Logon” instead of a “Network Logon”. Network Clear-text Logon works by sending the user’s clear-text password to the remote server
I definitely do not want to send plaintext passwords over network, even if the channel itself is encrypted. Because guess what? When it arrives at the destination server, it will be stored in memory in the plain sight. So if the target server is compromised, attacker can grab my domain admin credentials using Mimikatz with no effort at all. And even if you’re extra careful, and use non-privileged account for remoting, it’s still a valid AD account.
Use Resource-Based Kerberos Constrained Delegation
With Windows server 2012, Microsoft made improvements to the Kerberos delegation mechanism, which means that with some simple configuration, you can use solve double-hop issues in easy and secure manner: PowerShell Remoting Kerberos Double Hop Solved Securely.
Pros: Works, has no security issues.
Cons: Requires Windows Server 2012 and above for most servers involved.
Do you know who I am? I’m the man who’s gonna burn your house down! With the lemons!
I’m gonna get my engineers to invent a combustible lemon that burns your house down!
— Cave Johnson
All of my servers are Windows Server 2012 R2 and have resource-based Kerberos constrained delegation configured. This is what I use daily for my remoting tasks. Unfortunately I couldn’t make Active directory module work in the PSRemoting with it. No matter what I’ve tried, I still got the error message from above. So with this module, it’s CredSSP or nothing.
I’m OK with occasionally logging on the DC via RDP to create gMSAs, but repeating the same steps over and over for the every server where gMSA has to be installed? Hell no!
So the question is: do we really need the Active Directory module to install gMSAs on the target server? I did some digging and found that Active Directory module is using a set of the Win32 API functions to manage gMSA’s locally:
- NetAddServiceAccount
- NetEnumerateServiceAccounts
- NetIsServiceAccount
- NetQueryServiceAccount
- NetRemoveServiceAccount
After that is was fairly easy to write my own implementation of the cmdlets that are used to install gMSA locally. For the sake of simplicity, I’ve decided to not create a full-blown module and instead made a self-contained function which even can be copy-pasted into the remote session. It doesn’t use the Active Directory module and works fine with resource-based Kerberos constrained delegation. You can grab it from my GitHub repo:
Here is the quick breakdown of original Active Directory gMSA cmdlets and their Use-ServiceAccount counterparts:
'GMSA_Acount' | Use-ServiceAccount -Add
This will install Group Managed Service Account with SAM account name
GMSA_Accounton the computer on which the cmdlet is run.
'GMSA_Acount' | Use-ServiceAccount -Query
Used to query the status of the service account from the local computer. Using
-Detailedswitch you can even get MSA_INFO_STATE enumeration containing detailed information on (g)MSA state:
'GMSA_Acount' | Use-ServiceAccount -Query -Detailed
'GMSA_Acount' | Use-ServiceAccount -Remove
Removes gMSA from the local computer or standalone managed service account (sMSA) from Active Directory. If local computer is disconnected from the domain, you can remove service account object and the stored in the LSA using
-ForceRemoveLocalswitch:
'GMSA_Acount' | Use-ServiceAccount -Remove -ForceRemoveLocal
As a bonus, you can also test whether the specified standalone managed service account (sMSA) or group managed service account (gMSA) exists in the Netlogon store on the this server. This action has no Active Directory module counterpart:
'GMSA_Acount' | Use-ServiceAccount -Test
Thank you for participating in this Aperture Science computer-aided enrichment activity.
— GLaDOS
Debugging this issue and writing Use-ServiceAccount function was fun, but I’d really like to avoid this altogether. If any of you managed to get Active Directory module working with resource-based Kerberos constrained delegation — don’t hesitate to let me know! And be sure drop a comment or create an issue on the GitHub if something doesn’t work for you.
IT magician with a knack for automation 
Hi, thanks for your great post. Just wondering if you could use Powershell Implicit Remoting for this..
LikeLike
Hi, thank’s for reminding me about this! I’ll check and update my post accordingly.
LikeLike
I did a quick test, exporting “Active Directory” module according to this article: Windows PowerShell: Implicit Remoting.
It works fine in the terminal session, but exported module is failing in the remote session with this error:
So I guess, that it can’t be used, unless I’ve missed something obvious.
LikeLike
Ok thanks for trying..maybe it doesn’t work or maybe one of following links can help:
http://www.gsx.com/blog/bid/86453/how-to-resolve-a-powershell-kerberos-issue
http://community.idera.com/powershell/powertips/b/tips/posts/using-powershell-remoting-with-pin-enabled-accounts
LikeLike
Hi,
I have 2012 R2 Domain controller. I’ve deployed successfully group managed service accounts for my current purposes. However, now I would like to run a powershell script that sends email notification to users when their password is going to expire. This involves two servers; 2012 R2 DC and 2008 R2 (Exchange 2010). Every time I’m trying to run this script with my GMSA credentials, I’ll get following errors:
On 2012 R2 (task scheduler): Error value 2147943726
On 2008 R2 (Exchange): Two Audit failures. Event ID 6273 and Event ID 4625.
Is this because 2008 R2 can’t recognize group managed service account?
LikeLiked by 1 person
Well, 2008 R2 doesn’t support Group Managed Accounts, only Managed Accounts that are tied to specific computer. So that’s the culprit, probably. I’m not sure why script fails on 2012 R2, but here are some gotchas:
Personally, I’ve tried to use gMSA with Task Scheduler more than once and sadly found that it’s not worth the hassle.
LikeLike
Thank you. I’ll have a look at those links you provided. I managed to get gMSA work (scheduled task, data transfer), but that was with two 2012 R2 servers. Well, will see how this goes. If it’s not going to work, I’ll just use old school method.
LikeLike
I have configured a scheduled task with gmsa in a web server. It calls a .exe file which connects to DB server and an external web application. With gmsa the error is showing unable to obtain a token. On checking the logs in DB server it is showing “Unable to connect to remote server” proabably the web application. with normal account the scheduled job works fine. can you please assist what could be the issue?
LikeLike
Could be an auth issue. gMSAs are assigned to a single computer, so when accessing resources over the network, the computer account context will be used.
LikeLike
Hello – thank you for the detail post. I tried to use this for installing gMSA account on a remote computer and I receive this error message:
Use-ServiceAccount : The NtCreateFile API failed. This error should never be returned to an application, it is a place holder for the Windows Lan Manager Redirector to use in its internal error mapping routines.
I receive this error message when running this using either Invoke-Command or Enter-PSSession
If I log on to the servers and run this directly from a console it works. I tried to search for error but haven’t gotten good clues yet. I’m running Windows Server 2019. Any advice would help. Thanks.
LikeLike
What kind of authentication did you use for
Invoke-Command/Enter-PSSession? Could be a double hop issue – try passing-Credential (Get-Credential)to those cmdlets. Or maybe you’re logging in as a local account in which caseLocalAccountTokenFilterPolicymay come in play:LikeLike
Hello,
Thank you for the great article! Can you share more details what you choosed for the resource-based Kerberos constrained delegation to work?
First you select on the computer account that is trusted for delegation the option “Trust this computer for delegation to specific services only”.
Then Use kerberos only but when you choose add… you add there the remote computer that the powershell script will connect to install the service account(gmsa)? And what service you selected from the list since winrm is not showing maybe wsman?
Thank you
LikeLike
You’re welcome!
To be honest, this was a long time ago and I tend to do much less AD-related stuff now, so I’m a bit hazy on details. I think that I actually didn’t use the UI and gone with the PowerShell commands, e.g.:
More details on this method: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop#resource-based-kerberos-constrained-delegation
LikeLike