Use gMSA accounts for Windows polling

When you poll nodes using WinRM with Kerberos authentication, you can use group managed service accounts (gMSAs).

Use the following links to configure your environment:

• Configure Kerberos for WMI/WinRM authentication in the SolarWinds Platform

• Configure WinRM polling

• Group Managed Service Accounts Overview in Microsoft documentation for details about gMSA's

Requirements

• You can only use gMSA accounts for polling via WinRM with Kerberos authentication.

• gMSA credentials in form <username>$@<domain> or <domain>\<username>$

  The domain name must be in the FQDN format.

Supported features

gMSA is supported for the following features:

• All generic regular WinRM polling of nodes, volumes, interfaces

• Asset inventory (SCM)

• IP address polling (IPAM)

• SRM polling

• SAM application polling, except for the Real-Time Explorer, Service Control Manager, and Real-Time Event Viewer. See Configure Group Managed Service Account (gMSA) for polling AppInsight Applications and Components.

Unsupported features

Support for the following features may be added in a future version. If you are using them, please use regular, non-gMSA credentials for polling the devices.

• Agent remote deployment

• DPI (QoE) probe deployment

• Exchange (SAM) - Microsoft does not support gMSA with Exchange Server

• Real-time polling for nodes, interfaces, or volumes

• Real-Time explorer, Service Control Manager, Real-Time Event Log Viewer (SAM)

• User device tracking

• VMAN polling (HyperV)

• Windows Schedule Task Monitoring (SAM)

• WPM player remote deployment

Configure gMSA deployment

You need to configure your gMSA first, for example, you need to create a special service account, configure DNS (reverse and forward), and configure Kerberos delegation.

For details, see Get started with Group Managed Service Accounts in Microsoft documentation.

Configure gMSA in the SolarWinds Platform

Create gMSA credentials

1. Click Settings > All Settings > Manage Windows Credentials.

2. Click Add Windows Credential.

3. Provide a name for the credentials set.

4. Provide the username.

5. Select the GMSA Account box. Use one of the following formatting options:

   • <username>$@<domain>

   • <domain>\<username>$

     The domain name must be in the FQDN format.

6. Provide the password and re-type it for confirmation.

7. Save the settings.

   The new credentials set is saved and you can find it in the drop-down when adding or editing a node.

Configure polling settings for gMSA globally

1. Click Settings > All Settings > Polling Settings.

2. Scroll down to Windows Connection, and select WinRMOnly in the Connection mode box.

3. Submit your changes.

Windows nodes are now polled only using WinRM. See Set up global settings for polling nodes using WMI/WinRM.

Configure polling settings for gMSA for individual nodes

1. Click Settings > Manage nodes.

2. Select the node you want to configure gMSA for and click Edit Properties.

3. Scroll down to Windows Connection Settings and select WinRMOnly.

4. In WinRM settings, select Kerberos as the Authentication Mechanism.

5. Save your changes.

The node will now be polled only via WinRM with Kerberos authentication. You can configure using gMSA credentials for polling the node.

Configure polling nodes using gMSA accounts

You need to have gMSA accounts set up and gMSA configured in the SolarWinds Platform.

1. When adding or editing a node, scroll down to the Polling Settings area.

2. Select Windows Servers: WMI/WinRM and ICMP.

3. Select credentials for a gMSA account.

4. Select the gMSA box.

   You can select the box only if the selected credential set is a gMSA account and it is entered in a correct format.

5. Save your changes.

   • If you are editing properties of an already monitored node, save your changes.

   • If you are adding a new node, complete the wizard.