Configure Group Managed Service Account (gMSA) for polling AppInsight Applications and Components
SolarWinds Observability Self-Hosted and SolarWinds Server & Application Monitor (SAM) support the use of Group Managed Service Accounts (gMSA) for the monitoring credential. A gMSA has no password for an administrator to store or rotate: Active Directory manages the password and only the hosts you explicitly authorize can retrieve it, which both tightens security and simplifies credential management for the monitoring services.
Supported entities
AppInsight Applications
- AppInsight for IIS
- AppInsight for Active Directory
- AppInsight for SQL
Component types
- Custom Performance Counter Monitor
- Custom PowerShell Monitor
- Custom WMI Monitor
- HTTP Monitor
- LDAP Monitor
- Log Parsing Monitor
- Performance Counter Monitor
- Process Monitor - Windows
- SQL Table Monitor
- Windows Event Log Monitoring
- Windows Service Monitor
Configure gMSA for AppInsight applications and components
Configure AD environment with Kerberos
See Configure Kerberos for WMI/WinRM authentication in the SolarWinds Platform.
Configure the SAM module to use Kerberos
- Open File Explorer and go to the Orion installation folder. The default location is C:\Program Files\SolarWinds\Orion.
- Open both <OrionFolder>\SolarWinds.APM.Probes.dll.config and <OrionFolder>\Web\bin\SolarWinds.APM.Probes.dll.config.
- In both files, set the WMIAuthenticationMode property to KerberosStrict, KerberosPreferred, or Default. Use the same value in both files.
- Restart the SolarWinds Platform services.
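The four steps above as one script, added here as an example and not SolarWinds tooling. It assumes the setting is stored as an element with a key attribute of WMIAuthenticationMode (an appSettings-style <add key="..." value="..."/> entry) in both .NET config files, and that the Platform services can be identified by a display name starting with "SolarWinds"; verify both against your installation. Save it as a .ps1 and run it elevated on the polling engine.

```powershell
# Added example: set WMIAuthenticationMode in both SolarWinds.APM.Probes.dll.config
# files, confirm they agree, then restart the SolarWinds Platform services.
# ASSUMPTIONS: the setting is an element carrying key="WMIAuthenticationMode";
# services are matched by display name "SolarWinds*". Check both before use.
param(
    [ValidateSet('KerberosStrict', 'KerberosPreferred', 'Default')]
    [string]$Mode = 'KerberosStrict',
    [string]$OrionFolder = 'C:\Program Files\SolarWinds\Orion'
)

$files = @(
    (Join-Path $OrionFolder 'SolarWinds.APM.Probes.dll.config'),
    (Join-Path $OrionFolder 'Web\bin\SolarWinds.APM.Probes.dll.config')
)

foreach ($file in $files) {
    if (-not (Test-Path $file)) { throw "Config file not found: $file" }

    # Timestamped backup so the change can be reverted.
    Copy-Item $file "$file.$(Get-Date -Format yyyyMMddHHmmss).bak"

    [xml]$xml = Get-Content -Path $file -Raw
    $node = $xml.SelectSingleNode("//*[@key='WMIAuthenticationMode']")   # assumed element shape
    if (-not $node) { throw "WMIAuthenticationMode not found in $file; inspect the file for its element name" }

    Write-Host ("{0}: {1} -> {2}" -f $file, $node.GetAttribute('value'), $Mode)
    $node.SetAttribute('value', $Mode)
    $xml.Save($file)
}

# Both files must carry the same value before anything is restarted.
$values = $files | ForEach-Object {
    ([xml](Get-Content $_ -Raw)).SelectSingleNode("//*[@key='WMIAuthenticationMode']").GetAttribute('value')
}
if (($values | Select-Object -Unique).Count -ne 1) { throw "Files disagree: $($values -join ', ')" }

# Restart the SolarWinds Platform services (equivalent to using the Orion Service Manager).
Get-Service | Where-Object { $_.DisplayName -like 'SolarWinds*' -and $_.Status -eq 'Running' } |
    Restart-Service -Force -Verbose
```

The backup and the agreement check are what make this safe to run more than once: a second run with the same mode changes nothing, and a typo in one file is caught before the services go down.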
Configure SAM applications to use Kerberos
Some applications expose an Authentication method setting in their Settings. For each such application, select Kerberos from the dropdown so that the application is polled with Kerberos.
Create group Managed Service Accounts
Requirements
- Forest schema is Windows Server 2012 or later.
- KDS root key for Active Directory deployed. For details, see Create the Key Distribution Services KDS Root Key | Microsoft Learn in Microsoft documentation.
- At least one Windows Server 2012 or later domain controller in the domain where you want to create the gMSA.
- Membership in Domain Admins, or the ability to create msDS-GroupManagedServiceAccount objects.
To create a gMSA using PowerShell:
- On the domain controller, open Windows PowerShell.
- Run the following command and press ENTER. (The Active Directory module loads automatically.)
New-ADServiceAccount [-Name] <string> -DNSHostName <string> [-KerberosEncryptionType <ADKerberosEncryptionType>] [-ManagedPasswordIntervalInDays <Nullable[Int32]>] [-PrincipalsAllowedToRetrieveManagedPassword <ADPrincipal[]>] [-SamAccountName <string>] [-ServicePrincipalNames <string[]>]
Example of the command:
New-ADServiceAccount -Name "MyGMSAtest$" -DNSHostName "testRoot.local" -PrincipalsAllowedToRetrieveManagedPassword @("PCName1$", "PCName2$") -KerberosEncryptionType AES128,AES256,RC4
Only the principals named in -PrincipalsAllowedToRetrieveManagedPassword (here the computers PCName1$ and PCName2$) can fetch the account's password, so list only the hosts that poll with it. Including RC4 in -KerberosEncryptionType allows RC4-HMAC tickets for the account; omit it unless a legacy system on the path cannot negotiate AES.
For details, see Create Group Managed Service Accounts in Microsoft documentation.
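The procedure above carried through end to end, added here as an example and not from the SolarWinds page or Microsoft's documentation: it checks that a KDS root key is effective, places the allowed hosts in a security group instead of listing computers on the account, creates an AES-only gMSA, and then confirms from each host that the host can actually retrieve the managed password. The domain testRoot.local, the gMSA name MyGMSAtest, the group gMSA-SAM-Hosts and the host POLLER01 are assumed names; replace them with your own.

```powershell
# Added example: create a gMSA for SAM polling and verify it from the polling host.
# Run on a domain controller or a host with the RSAT Active Directory module.
# ASSUMED names: testRoot.local, MyGMSAtest, gMSA-SAM-Hosts, POLLER01.
Import-Module ActiveDirectory

$Domain    = 'testRoot.local'
$GmsaName  = 'MyGMSAtest'
$GroupName = 'gMSA-SAM-Hosts'
$Hosts     = @('POLLER01')          # computers allowed to retrieve the managed password

# 1. A KDS root key must exist and be effective (a new key takes about 10 hours to become usable).
$effective = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $effective) {
    throw 'No effective KDS root key. Create one with Add-KdsRootKey (see the Microsoft link above) and wait for it to take effect.'
}

# 2. A group for the allowed hosts: adding a poller later means a group change, not an account change.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Computers permitted to retrieve the SAM gMSA password'
}
$members = @(Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName)
foreach ($h in $Hosts) {
    if ("$h$" -notin $members) { Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer $h) }
}

# 3. Create the account. AES only: listing RC4 would let the account accept RC4-HMAC tickets.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
        -KerberosEncryptionType AES128, AES256 `
        -ManagedPasswordIntervalInDays 30
}

# 4. On each host, install the account and test retrieval. A host added to the group only
#    carries the new membership in its ticket after a reboot (or klist -li 0x3e7 purge), so
#    Test-ADServiceAccount returns False until then. The same two commands can be run locally.
Invoke-Command -ComputerName $Hosts -ScriptBlock {
    param($name)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $name
    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        CanRetrievePassword = (Test-ADServiceAccount -Identity $name)
    }
} -ArgumentList $GmsaName
```

A False from Test-ADServiceAccount on a host that is in the group almost always means the host's Kerberos ticket predates the group membership; reboot the host or purge the computer account's tickets and test again before looking elsewhere.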
Configure Kerberos delegation
For the gMSA identity to work with a service, enable delegation for that service. In Active Directory on the domain controller, configure each domain controller and computer account involved to "Trust this computer for delegation to specified services only" and select "Use Kerberos only" (constrained delegation without protocol transition). See Configuring Kerberos delegation for group Managed Service Accounts in Microsoft documentation.
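The delegation setting described above, applied without the GUI, added here as an example and not from the SolarWinds page. It sets the "specified services only" list and the "Kerberos only" behaviour on one computer account and reads the result back. The polling engine POLLER01 and the target service names (a SQL Server instance SQL01.testRoot.local on 1433, a WMI/WinRM host APP01.testRoot.local) are assumed; use the computer accounts and target SPNs that apply in your environment.

```powershell
# Added example: constrained delegation, Kerberos only, for one computer account.
# ASSUMED names: POLLER01 (the account whose Delegation tab you would otherwise edit in
# Active Directory Users and Computers), SQL01.testRoot.local:1433, APP01.testRoot.local.
Import-Module ActiveDirectory

$Delegator  = 'POLLER01'
$TargetSpns = @(
    'MSSQLSvc/SQL01.testRoot.local:1433',
    'HOST/APP01.testRoot.local',
    'WSMAN/APP01.testRoot.local'
)

# "Trust this computer for delegation to specified services only" is the
# msDS-AllowedToDelegateTo list. -Replace (rather than -Add) drops stale targets.
# For a gMSA instead of a computer, Set-ADServiceAccount takes the same -Replace hashtable.
Set-ADComputer -Identity $Delegator -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }

# "Use Kerberos only" means TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition) stays off,
# and unconstrained delegation (TrustedForDelegation) must be off as well.
Set-ADAccountControl -Identity "$Delegator$" -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Read the state back; both boolean columns must be False.
$acct = Get-ADComputer -Identity $Delegator `
    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
[pscustomobject]@{
    Computer           = $acct.Name
    ConstrainedTo      = ($acct.'msDS-AllowedToDelegateTo' -join '; ')
    Unconstrained      = $acct.TrustedForDelegation
    ProtocolTransition = $acct.TrustedToAuthForDelegation
}
```

The read-back matters because the two checkboxes are independent of the target list: a computer can hold a correct msDS-AllowedToDelegateTo list and still have "Use any authentication protocol" set from an earlier change, which the GUI shows but a script does not unless it looks.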
Configure Log On Permission
To allow the gMSA account to authenticate and run services, add it to the following policies on the domain controllers and on the monitored computers. The examples use domain\MyGMSAtest$, the account created above.
- Add the gMSA account to the Allow log on locally policy. See Enable service log on through a local policy group in Microsoft documentation.
- Add the gMSA account to the Log on as a service policy. See Provide Log on as a service right in Microsoft documentation.
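Both rights granted from the command line on a monitored computer, added here as an example and not from the SolarWinds page. It uses secedit to export the current user-rights assignments, appends the gMSA's SID to the two rights without disturbing the existing holders, imports the result and reads it back. The account TESTROOT\MyGMSAtest$ is assumed. Run it elevated on each monitored host; on a domain controller these rights are set by the Default Domain Controllers Policy and a local edit is overwritten at the next Group Policy refresh, so change the GPO there instead.

```powershell
# Added example: grant "Allow log on locally" (SeInteractiveLogonRight) and
# "Log on as a service" (SeServiceLogonRight) to a gMSA on the local machine.
# ASSUMED account: TESTROOT\MyGMSAtest$. Run elevated.
$Gmsa = 'TESTROOT\MyGMSAtest$'

# secedit stores principals as *<SID>; resolving the name first also fails fast on a typo.
$sid = ([System.Security.Principal.NTAccount]$Gmsa).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = [System.Collections.Generic.List[string]](Get-Content $cfg)

function Grant-Right {
    param([System.Collections.Generic.List[string]]$Inf, [string]$Right, [string]$Sid)
    $i = $Inf.FindIndex({ param($l) $l -match "^$Right\s*=" })
    if ($i -ge 0) {
        # Right already assigned to someone: append our SID, keep everyone else.
        if ($Inf[$i] -notmatch [regex]::Escape("*$Sid")) { $Inf[$i] = $Inf[$i].TrimEnd() + ",*$Sid" }
    } else {
        # Right currently assigned to nobody, so it is absent from the export: add it under the section header.
        $Inf.Insert($Inf.IndexOf('[Privilege Rights]') + 1, "$Right = *$Sid")
    }
}

Grant-Right -Inf $lines -Right 'SeInteractiveLogonRight' -Sid $sid   # Allow log on locally
Grant-Right -Inf $lines -Right 'SeServiceLogonRight'     -Sid $sid   # Log on as a service

# secedit templates are UTF-16; write it back that way and apply only the user-rights area.
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# Verify by exporting again and showing the two lines, which must now contain *$sid.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content $cfg | Where-Object { $_ -match '^Se(Interactive|Service)LogonRight' }
Remove-Item $cfg, $db -ErrorAction SilentlyContinue
```

Appending rather than replacing is the point of the export step: a template that lists only the gMSA would strip the right from every account that currently holds it, which on a server includes the built-in service accounts.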
Target Machine Configuration
To grant the gMSA access to the WMI namespaces and to the default PowerShell remoting endpoint on a monitored computer, run the following elevated on that computer. Note that -ShowSecurityDescriptorUI opens an interactive permissions dialog, so the script is not fully unattended.
# Grant the gMSA access to the default remoting endpoint (opens the permissions dialog)
Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI -Force
# Add the gMSA to a group with CIM permissions
$GMSA = "<domain>\<username>$"
$Group = "Administrators"
Add-LocalGroupMember -Group $Group -Member $GMSA
Membership in the local Administrators group is the simplest way to satisfy every monitor type listed above, but it grants far more than read access to WMI: any host that is allowed to retrieve the gMSA password is then effectively an administrator of every computer configured this way, so keep -PrincipalsAllowedToRetrieveManagedPassword limited to the polling hosts.
Domain Machine Configuration
To connect to the domain controller using the gMSA, add the gMSA to a domain-level group by running the following script on the domain controller. The script uses the built-in Administrators group, which makes the gMSA an administrator on every domain controller; treat the polling hosts that can retrieve its password as Tier 0 assets accordingly.
$GMSA = "MyGMSAtest$"
$Group = "Administrators" # built-in domain Administrators group
Add-ADGroupMember -Identity $Group -Members $GMSA
Configure AppInsight for SQL with gMSA
To configure AppInsight for SQL with gMSA, follow these steps:
- Add the gMSA as a login in SQL Server Management Studio (SSMS) with the required privileges (db_owner on the monitored databases).
- Use the default SQL Server port (1433) for connectivity.
- Install Microsoft Kerberos Configuration Manager on the domain controller to configure the SPNs, and connect using the hostname.
If errors occur, register the SPN manually using one of the following forms:
MSSQLSvc/<hostname>:1433
MSSQLSvc/<hostname>
MSSQLSvc/<hostname>.<domain name>:1433
MSSQLSvc/<hostname>.<domain name>
Example:
MSSQLSvc/AUS-OOO-56445.testRoot.local:1433
- Ensure that your SQL Server instance is running. See Determine Whether the Database Engine is Installed and Started in Microsoft documentation.
- Set the gMSA account as the Log On account for the SQL Server service in SQL Server Configuration Manager. See Change the SQL Server service startup account in Microsoft documentation.
- Enable TCP/IP for SQL Server in SQL Server Configuration Manager. See Use SQL Server Configuration Manager in Microsoft documentation.
- Match the connection string to the SPN: the host name and port in the connection string must be the ones in the registered Service Principal Name (SPN). If the client cannot find a matching SPN it does not get a Kerberos ticket and silently falls back to NTLM, which is the failure the earlier steps are meant to rule out.
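The manual SPN registration and the final "match the connection string" check, as a script added here and not taken from the SolarWinds page. It registers the four SPN forms listed above on the gMSA that runs the SQL Server service, checks the forest for duplicates, and then opens a connection by hostname and asks SQL Server which authentication scheme it actually negotiated, which is the only reliable way to tell Kerberos from an NTLM fallback. The host AUS-OOO-56445 in testRoot.local on port 1433 and the account TESTROOT\MyGMSAtest$ are assumed; run it as a user permitted to write SPNs and holding VIEW SERVER STATE on the instance.

```powershell
# Added example: register MSSQLSvc SPNs on the gMSA running SQL Server, then verify
# that a hostname connection authenticates with Kerberos rather than NTLM.
# ASSUMED names: AUS-OOO-56445.testRoot.local, port 1433, TESTROOT\MyGMSAtest$.
$SqlHost = 'AUS-OOO-56445'
$Domain  = 'testRoot.local'
$Port    = 1433
$Gmsa    = 'TESTROOT\MyGMSAtest$'
$Fqdn    = "$SqlHost.$Domain"

# The four forms from the list above: short and FQDN, with and without the port.
$spns = @("MSSQLSvc/${Fqdn}:$Port", "MSSQLSvc/$Fqdn", "MSSQLSvc/${SqlHost}:$Port", "MSSQLSvc/$SqlHost")
foreach ($spn in $spns) {
    # -S refuses to register an SPN that already exists on another account in the forest;
    # a duplicate SPN makes the KDC hand out tickets for the wrong identity and breaks Kerberos.
    setspn -S $spn $Gmsa | Out-Null
}

setspn -L $Gmsa                                            # what is now registered on the account
setspn -X | Select-String -Pattern 'MSSQLSvc' -Context 0,1  # forest-wide duplicate report, SQL entries only

# Connection test. Connecting by host name with integrated security makes the client look
# for MSSQLSvc/<fqdn>:<port>; sys.dm_exec_connections (requires VIEW SERVER STATE) reports
# the scheme that was actually negotiated for this very session.
Add-Type -AssemblyName System.Data
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Fqdn,$Port;Integrated Security=SSPI"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    $scheme = [string]$cmd.ExecuteScalar()
    if ($scheme -ne 'KERBEROS') {
        Write-Warning "Authenticated with $scheme, not Kerberos. Check that '$Fqdn,$Port' matches a registered SPN and that this client resolves the server by that name."
    } else {
        Write-Host "Kerberos authentication confirmed for $Fqdn on port $Port"
    }
} finally {
    $conn.Dispose()
}
```

If the warning fires even though setspn -L shows the right entries, the usual causes are a connection string that uses an alias or IP address instead of the registered host name, a non-default port that is missing from the SPN, or a cached ticket on the client from before the SPN was added (klist purge and retry).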