Offline ROBV8R  
#1 Posted : Sunday, May 7, 2017 8:59:55 PM(UTC)
ROBV8R

Rank: Paid support

Joined: 5/4/2017(UTC)
Posts: 8
United States
Location: Fort Worth, TX

Was thanked: 1 time(s) in 1 post(s)
We use Group Managed Service Accounts (gMSA) when we can. They have several advantages over normal User Accounts used as Service Accounts. Primarily, no one knows the password (except the server and the Domain Controllers). Secondarily, the password is changed at a pseudo-random interval by Active Directory.

It would be nice to store gMSAs as a credential type in VisualCron.
Offline ROBV8R  
#2 Posted : Monday, June 12, 2017 10:59:18 PM(UTC)
ROBV8R

Rank: Paid support

Joined: 5/4/2017(UTC)
Posts: 8
United States
Location: Fort Worth, TX

Was thanked: 1 time(s) in 1 post(s)
No one has replied. Has anyone had a chance to look at this?
Offline wam  
#3 Posted : Thursday, July 19, 2018 12:50:04 AM(UTC)
wam

Rank: Paid support

Joined: 9/12/2012(UTC)
Posts: 42

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
This is something we're looking for as well.
Thanks.

I tried to set it up hoping it would just work and got exit code 1326 Bad login name or password.
Offline wam  
#4 Posted : Friday, September 7, 2018 12:50:02 AM(UTC)
wam

Rank: Paid support

Joined: 9/12/2012(UTC)
Posts: 42

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Hi Support,

Any update on this?

This plus the ability to use AD Groups instead of AD Logins would be a HUGE security improvement for us.

VisualCron is literally the last application we use that is considered insecure by our external auditors.
Offline wam  
#5 Posted : Wednesday, October 17, 2018 9:23:09 PM(UTC)
wam

Rank: Paid support

Joined: 9/12/2012(UTC)
Posts: 42

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Hi Support,

This is still our top feature request...
Offline michael.miller.weiss  
#6 Posted : Friday, December 7, 2018 4:32:33 PM(UTC)
michael.miller.weiss

Rank: Paid support

Joined: 3/6/2017(UTC)
Posts: 6
United States
Location: Boston, MA

Any update from the VC team on if this is being evaluated?
Offline wam  
#7 Posted : Monday, March 18, 2019 6:51:42 PM(UTC)
wam

Rank: Paid support

Joined: 9/12/2012(UTC)
Posts: 42

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Hi Henrik,

Any update on when you can get to this?
Offline odendoak  
#8 Posted : Friday, April 26, 2019 10:34:33 AM(UTC)
odendoak

Rank: Paid support

Joined: 4/25/2019(UTC)
Posts: 1
Denmark
Location: Hovedstaden, Taastrup

We could really use this as well!

Still no update on this!? Confused
The alternative solution is really a drawback on security.
Offline wam  
#9 Posted : Monday, May 6, 2019 4:04:26 PM(UTC)
wam

Rank: Paid support

Joined: 9/12/2012(UTC)
Posts: 42

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Henrik,

We're still looking for this feature. This is an important "check the box" feature we need to keep using your product. We have 7 pro licenses, and may add more if you can deliver.
Offline Support  
#10 Posted : Thursday, May 9, 2019 12:01:52 PM(UTC)
Support

Rank: Official support

Joined: 2/23/2008(UTC)
Posts: 11,222

Thanks: 874 times
Was thanked: 446 time(s) in 424 post(s)
Just so we understand what you want to do:

1. you want to create a Credential with no password
2. you want VC to fetch the temporary password from AD
3. the username with the temporary password is then used in the Task

Is this correct?
Henrik
Support
http://www.visualcron.com
Please like VisualCron on facebook!
Offline Support  
#11 Posted : Thursday, May 16, 2019 4:12:07 PM(UTC)
Support

Rank: Official support

Joined: 2/23/2008(UTC)
Posts: 11,222

Thanks: 874 times
Was thanked: 446 time(s) in 424 post(s)
Just pinging this again to confirm what you want.
Henrik
Support
http://www.visualcron.com
Offline wam  
#12 Posted : Wednesday, June 5, 2019 9:09:52 PM(UTC)
wam

Rank: Paid support

Joined: 9/12/2012(UTC)
Posts: 42

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Hi Henrik,

Apologies for the delay - I was out on vacation.

We want "Group Managed Service Account". It's a bit different than what you describe. Here is a link to Microsoft documentation: https://docs.microsoft.c...ervice-accounts-overview

Here is a potentially helpful API Call: https://docs.microsoft.c...etserviceaccountpassword

Background Noise
Here are the steps I envision becoming part of your documentation in VisualCron in order for this to be a complete, functioning feature WITH documentation.

Step 1: Create a new gMSA principal group. We name it <gMsaName>_Principals where <gMsaName> is the name of the group managed service account. (e.g., msaVisualCron_Principals)
Step 2: Add a new Group Managed Service Account in Active Directory (this requires Active Directory schema 2012 or later) - you can do so using the following PowerShell script

Code:

Import-Module ActiveDirectory
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10));
New-ADServiceAccount -Name msaVisualCron -DNSHostName visualcronsrv.example.com -PrincipalsAllowedToRetrieveManagedPassword "msaVisualCron_Principals"


Step 3: Install the gMSA on the servers that will use it.

Code:

Enable-WindowsOptionalFeature -FeatureName ActiveDirectory-Powershell -Online -All
Get-ADServiceAccount -Identity msaVisualCron
Install-ADServiceAccount -Identity msaVisualCron
Test-ADServiceAccount -Identity msaVisualCron

Step 4: Test the gMSA works

The simplest way to end-to-end test this in VisualCron on your local development machine is to set up a SQL Server Developer Edition to run as a group MSA account, and execute a VisualCron SQL Task running as that gMSA. If you use an existing SQL Server instance, make sure you go through SQL Server Configuration Manager to change the Log On As account, and don't do it directly through Local Services. When you do it through Configuration Manager, it will add a dependency on the w32time service to the SQL Server service (the Windows Time service is required for Kerberos to come up and authenticate, otherwise SQL Server won't start).

However, perhaps even simpler is creating a simple .NET console app that prints $"Hello World, {Identity}" to standard out, and run that as the gMSA account.

Edited by user Wednesday, June 5, 2019 10:05:45 PM(UTC)  | Reason: Not specified
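
The script below is an added example, not part of this post or of VisualCron's documentation. It carries the four steps above through as one idempotent PowerShell script run on a domain-joined admin host, and adds the checks that usually explain a failing Test-ADServiceAccount: the KDS root key, group membership of the right computer accounts, and the object class of what was created. Account, host and domain names, the 30-day rotation, the AES-only encryption setting and the backdated KDS root key (a lab shortcut) are all assumptions.

```powershell
# Added example (not from the thread or from VisualCron): provision a gMSA and
# its principals group idempotently, then report what was created. Names, the
# rotation interval and the lab-only KDS shortcut are assumptions.
#Requires -Modules ActiveDirectory
param(
    [string]$AccountName     = 'msaVisualCron',
    [string]$DnsHostName     = 'visualcronsrv.example.com',
    [string[]]$HostComputers = @('visualcronsrv'),
    [int]$RotationDays       = 30
)
Import-Module ActiveDirectory

# A KDS root key must exist before the first gMSA can be created. Backdating
# EffectiveTime by 10 hours skips the replication wait; do that in a lab only.
# In a multi-DC production forest use the default EffectiveTime and wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

# Membership of the principals group is the real access boundary: every member
# can read msDS-ManagedPassword from AD, so keep it to the computer accounts
# of the hosts that actually run the service.
$groupName = "${AccountName}_Principals"
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -PassThru
}
foreach ($c in $HostComputers) {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $c)
}

# The gMSA itself. AES-only Kerberos encryption means the account gets no
# RC4 key, which removes the NT hash from the set of usable secrets.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
    New-ADServiceAccount -Name $AccountName -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $group `
        -ManagedPasswordIntervalInDays $RotationDays `
        -KerberosEncryptionType AES128, AES256 `
        -Enabled $true
}

# Verify. A gMSA has ObjectClass msDS-GroupManagedServiceAccount; a standalone
# MSA (Windows Server 2008 R2) is msDS-ManagedServiceAccount and is bound to a
# single computer, so it cannot be shared by several hosts.
$gmsa = Get-ADServiceAccount -Identity $AccountName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval', KerberosEncryptionType
[pscustomobject]@{
    Name         = $gmsa.Name
    ObjectClass  = $gmsa.ObjectClass
    Principals   = ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -join ', ')
    RotationDays = $gmsa.'msDS-ManagedPasswordInterval'
    Encryption   = $gmsa.KerberosEncryptionType
}

# On each host, after a reboot (or 'klist -li 0x3e7 purge' so the computer
# account's ticket picks up the new group membership), run locally:
#   Install-ADServiceAccount -Identity msaVisualCron
#   Test-ADServiceAccount -Identity msaVisualCron    # expected: True
```

If Test-ADServiceAccount returns False on a host that is in the group, the computer's Kerberos ticket is the usual cause: the group SID is only added at ticket issue time, so a reboot or a purge of the SYSTEM logon session's tickets is needed before retrieval works.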

Offline ROBV8R  
#13 Posted : Thursday, June 6, 2019 5:25:30 AM(UTC)
ROBV8R

Rank: Paid support

Joined: 5/4/2017(UTC)
Posts: 8
United States
Location: Fort Worth, TX

Was thanked: 1 time(s) in 1 post(s)
I'm confused how this solves the original feature request from 2 years ago.

To make sure the requirement is clear:

We need to store Group Managed Service Accounts as a credential type in VisualCron. We want to select that credential from the Credential drop down when executing a task.

Please help me understand how your response addresses the requirement.
Offline wam  
#14 Posted : Thursday, June 6, 2019 8:01:19 PM(UTC)
wam

Rank: Paid support

Joined: 9/12/2012(UTC)
Posts: 42

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Rob, are you replying to me or Support (Henrik)?

Thanks,
John
Offline Support  
#15 Posted : Friday, June 7, 2019 10:07:17 AM(UTC)
Support

Rank: Official support

Joined: 2/23/2008(UTC)
Posts: 11,222

Thanks: 874 times
Was thanked: 446 time(s) in 424 post(s)
Originally Posted by: ROBV8R
I'm confused how this solves the original feature request from 2 years ago.

To make sure the requirement is clear:

We need to store Group Managed Service Accounts as a credential type in VisualCron. We want to select that credential from the Credential drop down when executing a task.

Please help me understand how your response addresses the requirement.


Yes, what you describe is the way it will look for the customer. But behind the scenes, as we understand it, GMSA works by using one-time passwords. This means that we need to request that from somewhere, either from AD or maybe through the Windows API.

The difference, as we see it, is that the password saved in the Credential is not the password that is finally used, and that before running any Task we need to fetch the actual, temporary password from the AD server.
Henrik
Support
http://www.visualcron.com
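
An added example, not part of this thread, of DSInternals or of VisualCron, that shows what is actually stored for a gMSA. A gMSA has no one-time password: the domain controller generates a 256-byte random secret and replaces it every msDS-ManagedPasswordInterval days (30 by default), and any principal listed in PrincipalsAllowedToRetrieveManagedPassword can read the current and previous values from the msDS-ManagedPassword attribute over a signed and sealed LDAP connection. On a member host the LSA does that retrieval itself when a service logs on with the account, which is what the LogonUser call posted later in this thread relies on, so the calling service never handles a password. The parser below follows the MSDS-MANAGEDPASSWORD_BLOB layout from MS-ADTS section 2.2.19. The blob it runs on is constructed inline so the script works offline; the password bytes and interval values in it are made up. DSInternals' ConvertFrom-ADManagedPasswordBlob does the same job for real data.

```powershell
# Added example (not from the thread, DSInternals or VisualCron): parse an
# MSDS-MANAGEDPASSWORD_BLOB, the value of msDS-ManagedPassword that an allowed
# principal reads from AD. The blob used below is constructed, not a real one.

function ConvertFrom-ManagedPasswordBlob {
    param([Parameter(Mandatory)][byte[]]$Blob)

    if ($Blob.Length -lt 16) { throw 'Buffer shorter than the 16-byte fixed header' }
    $version = [BitConverter]::ToUInt16($Blob, 0)     # always 1
    if ($version -ne 1) { throw "Unexpected blob version $version" }
    $length = [BitConverter]::ToUInt32($Blob, 4)      # total blob length
    if ($length -ne $Blob.Length) { throw "Length field $length does not match buffer size $($Blob.Length)" }
    $curOff  = [BitConverter]::ToUInt16($Blob, 8)     # CurrentPasswordOffset
    $prevOff = [BitConverter]::ToUInt16($Blob, 10)    # PreviousPasswordOffset, 0 when there is none
    $qpiOff  = [BitConverter]::ToUInt16($Blob, 12)    # QueryPasswordIntervalOffset
    $upiOff  = [BitConverter]::ToUInt16($Blob, 14)    # UnchangedPasswordIntervalOffset
    if ($curOff -ge $Blob.Length -or $qpiOff + 8 -gt $Blob.Length -or $upiOff + 8 -gt $Blob.Length) {
        throw 'An offset field points outside the buffer'
    }

    # Each password is a null-terminated UTF-16LE "string". The current one is
    # 256 bytes of random data, so it is not printable text; keep it as bytes.
    $readPassword = {
        param([int]$off)
        $end = $off
        while ($end + 1 -lt $Blob.Length -and -not ($Blob[$end] -eq 0 -and $Blob[$end + 1] -eq 0)) { $end += 2 }
        if ($end -le $off) { return ,[byte[]]@() }
        return ,[byte[]]$Blob[$off..($end - 1)]
    }
    [byte[]]$current  = & $readPassword $curOff
    [byte[]]$previous = @()
    if ($prevOff -gt 0) { $previous = & $readPassword $prevOff }

    # Report a fingerprint only; the raw bytes are the account's credential.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fp  = ([BitConverter]::ToString($sha.ComputeHash($current)) -replace '-').Substring(0, 16)

    [pscustomobject]@{
        Version                   = $version
        CurrentPasswordBytes      = $current.Length
        CurrentPasswordSha256     = $fp
        PreviousPasswordBytes     = $previous.Length
        # Both intervals are 64-bit counts of 100 ns units: how long until the
        # reader must re-query, and how long the current value stays valid.
        QueryPasswordInterval     = [TimeSpan]::FromTicks([int64][BitConverter]::ToUInt64($Blob, $qpiOff))
        UnchangedPasswordInterval = [TimeSpan]::FromTicks([int64][BitConverter]::ToUInt64($Blob, $upiOff))
    }
}

function New-ConstructedManagedPasswordBlob {
    # Constructed test data: two 256-byte passwords that contain no 00 00 pair,
    # 5 days until re-query and 25 days of remaining validity. Not an AD value.
    [byte[]]$current  = 1..128 | ForEach-Object { [byte]$_; [byte]0x41 }
    [byte[]]$previous = 1..128 | ForEach-Object { [byte]$_; [byte]0x42 }
    $curOff  = 16
    $prevOff = $curOff + $current.Length + 2
    $qpiOff  = $prevOff + $previous.Length + 2
    $upiOff  = $qpiOff + 8
    $ms = New-Object System.IO.MemoryStream
    $w  = New-Object System.IO.BinaryWriter($ms)
    $w.Write([uint16]1); $w.Write([uint16]0); $w.Write([uint32]($upiOff + 8))
    $w.Write([uint16]$curOff); $w.Write([uint16]$prevOff); $w.Write([uint16]$qpiOff); $w.Write([uint16]$upiOff)
    $w.Write($current);  $w.Write([uint16]0)
    $w.Write($previous); $w.Write([uint16]0)
    $w.Write([uint64][TimeSpan]::FromDays(5).Ticks)
    $w.Write([uint64][TimeSpan]::FromDays(25).Ticks)
    $w.Flush()
    return ,$ms.ToArray()
}

# Offline demonstration on the constructed blob.
ConvertFrom-ManagedPasswordBlob -Blob (New-ConstructedManagedPasswordBlob)

# Live retrieval only succeeds for a principal that is allowed to retrieve the
# password (for example SYSTEM on a host in the _Principals group); any other
# caller gets an empty attribute, and that ACL is the control that matters.
#   $live = (Get-ADServiceAccount -Identity msaVisualCron -Properties 'msDS-ManagedPassword').'msDS-ManagedPassword'
#   if ($live) { ConvertFrom-ManagedPasswordBlob -Blob ([byte[]]$live) }
```

Run against the constructed blob the parser reports 256-byte current and previous passwords, a 5-day query interval and a 25-day unchanged interval. The practical consequence for a scheduler is that it never needs to fetch or store this value: it is enough to run on an allowed host and let LogonUser (with the gMSA marker password) or the service control manager perform the logon.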
Offline wam  
#16 Posted : Friday, June 14, 2019 12:49:21 AM(UTC)
wam

Rank: Paid support

Joined: 9/12/2012(UTC)
Posts: 42

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Originally Posted by: Support
Originally Posted by: ROBV8R
I'm confused how this solves the original feature request from 2 years ago.

To make sure the requirement is clear:

We need to store Group Managed Service Accounts as a credential type in VisualCron. We want to select that credential from the Credential drop down when executing a task.

Please help me understand how your response addresses the requirement.


Yes, what you describe is the way it will look for the customer. But behind the scenes, as we understand it, GMSA works by using one-time passwords. This means that we need to request that from somewhere, either from AD or maybe through the Windows API.

The difference, as we see it, is that the password saved in the Credential is not the password that is finally used, and that before running any Task we need to fetch the actual, temporary password from the AD server.


Hi Henrik,

Yes, that sounds about right. Please see this API call and let me know how you make out: https://docs.microsoft.c...etserviceaccountpassword

Also potentially helpful is the DSInternals powershell module: https://github.com/MichaelGrafnetter/DSInternals and his blog post: https://www.dsinternals....s-from-active-directory/

Edited by user Monday, July 22, 2019 10:28:24 PM(UTC)  | Reason: Not specified

Offline wam  
#17 Posted : Monday, July 22, 2019 11:47:40 PM(UTC)
wam

Rank: Paid support

Joined: 9/12/2012(UTC)
Posts: 42

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Hi Henrik,

Any update here?
Offline Support  
#18 Posted : Tuesday, July 23, 2019 9:19:48 AM(UTC)
Support

Rank: Official support

Joined: 2/23/2008(UTC)
Posts: 11,222

Thanks: 874 times
Was thanked: 446 time(s) in 424 post(s)
Originally Posted by: wam
Hi Henrik,

Any update here?


We are looking at this right now, but there is a risk that it is not possible to use gMSA accounts that way. We have done some initial tests in the 2012 version of Active Directory and there are auth problems in that version. It might work with 2016 - we are installing that now and will test.
Henrik
Support
http://www.visualcron.com
Offline wam  
#19 Posted : Thursday, July 25, 2019 5:37:38 PM(UTC)
wam

Rank: Paid support

Joined: 9/12/2012(UTC)
Posts: 42

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Group managed service accounts are supported in AD 2012 and work with both services and Windows Task Scheduler, as well as offering support for custom applications through the Win32 APIs. Would you mind sharing what scenario is not supported and why?

Edited by user Thursday, July 25, 2019 5:38:36 PM(UTC)  | Reason: Not specified

Offline Support  
#20 Posted : Thursday, July 25, 2019 6:58:13 PM(UTC)
Support

Rank: Official support

Joined: 2/23/2008(UTC)
Posts: 11,222

Thanks: 874 times
Was thanked: 446 time(s) in 424 post(s)
Originally Posted by: wam
Group managed service accounts are supported in AD 2012 and work with both services and Windows Task Scheduler, as well as offering support for custom applications through the Win32 APIs. Would you mind sharing what scenario is not supported and why?


It is currently not working outside of IIS and Task scheduler. We are not sure how much more resources we can put on this right now as we spent about a week of development time on this alone.
Henrik
Support
http://www.visualcron.com
Offline wam  
#21 Posted : Friday, July 26, 2019 9:54:23 PM(UTC)
wam

Rank: Paid support

Joined: 9/12/2012(UTC)
Posts: 42

Thanks: 2 times
Was thanked: 1 time(s) in 1 post(s)
Hi Henrik,
I managed to work through the C# needed to use Group Managed Service Accounts for impersonation. The instructions for creating the group managed service account and principals are included below. Additionally, there are a few other steps for testing to emulate the environment the VC service runs under. Please review and let me know if this isn't feasible to integrate:

Code:

using System;
using System.Data.SqlClient;
using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

namespace GroupManagedServiceAccounts
{
    class Program
    {
        /*
         1. Create an AD Group msaTest_Principals
         2. Add the computer you wish to run this code on to the AD Group msaTest_Principals
         3. Create an MSA account using PowerShell: New-ADServiceAccount -name msaTest -DNSHostName msaTest.YOURDOMAIN.com -PrincipalsAllowedToRetrieveManagedPassword msaTest_Principals
         4. Reboot the computer from step #2 to install the GMSA
         5. Download PSExec from SysInternals so we can run this application as SYSTEM (the same account that we run VisualCron under)
         6. Compile this application a C# console application (replace YOURDOMAIN with your domain)
         7. Run psexec.exe -s -i cmd.exe to start a new command window running as system
         8. In the new command window run the executable generated from this code
         9. Troubleshoot any error codes using the Windows Security Event Log
         */

        public const int LOGON32_LOGON_SERVICE = 5;
        public const int LOGON32_PROVIDER_DEFAULT = 0;
        public const string NETWORK_LOGIN_PASSWORD = "_SA_{262E99C9-6160-4871-ACEC-4E61736B6F21}"; 

        [PermissionSet(SecurityAction.Demand, Name = "FullTrust")]
        public static void Main(string[] args)
        {
            SafeTokenHandle safeTokenHandle;
            try
            {
                var username = "msaTest$";
                var domain = "YOURDOMAIN";

                // Call LogonUser to obtain a handle to an access token.
                bool returnValue = LogonUser(username, domain, NETWORK_LOGIN_PASSWORD, LOGON32_LOGON_SERVICE, LOGON32_PROVIDER_DEFAULT, out safeTokenHandle);

                Console.WriteLine("LogonUser called.");

                if (false == returnValue)
                {
                    int ret = Marshal.GetLastWin32Error();
                    Console.WriteLine("LogonUser failed with error code : {0}", ret);
                    throw new System.ComponentModel.Win32Exception(ret);
                }

                using (safeTokenHandle)
                {
                    Console.WriteLine("Did LogonUser Succeed? " + (returnValue ? "Yes" : "No"));
                    Console.WriteLine("Value of Windows NT token: " + safeTokenHandle);

                    // Check the identity.
                    Console.WriteLine("Before impersonation: " + WindowsIdentity.GetCurrent().Name);
                    // Use the token handle returned by LogonUser.
                    using (var impersonatedUser = WindowsIdentity.Impersonate(safeTokenHandle.DangerousGetHandle()))
                    {

                        // Check the identity.
                        Console.WriteLine("After impersonation: " + WindowsIdentity.GetCurrent().Name);

                        //Validate the security credential is used for accessing the network/SQL
                        //using (var connection = new SqlConnection("server=(local);integrated security=true;"))
                        //{
                        //    connection.Open();
                        //    using (var cmd = connection.CreateCommand())
                        //    {
                        //        cmd.CommandText = "SELECT 'Hello'";
                        //        using (var reader = cmd.ExecuteReader())
                        //        {
                        //            reader.Read();
                        //            Console.WriteLine(reader.GetString(0));
                        //        }
                        //    }
                        //}
                    }

                    // Releasing the context object stops the impersonation
                    // Check the identity.
                    Console.WriteLine("After closing the context: " + WindowsIdentity.GetCurrent().Name);
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("Exception occurred. " + ex.Message);
            }
            finally
            {
                Console.Read();
            }

        }

        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, out SafeTokenHandle phToken);

        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern bool CloseHandle(IntPtr handle);
    }

    public sealed class SafeTokenHandle : SafeHandleZeroOrMinusOneIsInvalid
    {
        private SafeTokenHandle()
            : base(true)
        {
        }

        [DllImport("kernel32.dll")]
        [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
        [SuppressUnmanagedCodeSecurity]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool CloseHandle(IntPtr handle);

        protected override bool ReleaseHandle()
        {
            return CloseHandle(handle);
        }
    }
}

Edited by user Friday, July 26, 2019 9:56:42 PM(UTC)  | Reason: Not specified
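
An added example, not from this post or from VisualCron, for step 9 of the procedure above: reading the Security log to find out why a LogonUser call for the gMSA failed. The event it parses is constructed (host, domain and process names are assumptions); the Get-GmsaLogonEvents function reads the live log and needs to run elevated on the host where the test executable ran. Two caveats are worth knowing before blaming the gMSA itself. LOGON32_LOGON_SERVICE, the logon type used in the C# above, requires the account to hold the "Log on as a service" right on that host, and a missing right shows up as status 0xC000015B rather than a password problem. And several distinct NTSTATUS failures (wrong password, no such user, generic logon failure) are all returned to the caller as Win32 error 1326, so the exit code alone does not say which one occurred.

```powershell
# Added example (not from the thread or from VisualCron): find and decode the
# 4624/4625 Security events for a gMSA logon attempt. The sample event is
# constructed; account, host and process names are assumptions.

$LogonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
                     8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

# NTSTATUS codes seen in the Status/SubStatus fields of event 4625. The first
# three are all reported to a LogonUser caller as Win32 error 1326.
$StatusNames = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000064' = 'STATUS_NO_SUCH_USER (check the domain and the trailing $ in the gMSA name)'
    '0xc000006e' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xc0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc000015b' = 'STATUS_LOGON_TYPE_NOT_GRANTED (grant "Log on as a service" to the gMSA on this host)'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function ConvertFrom-LogonEventXml {
    # Flattens a 4624/4625 event, as returned by EventLogRecord.ToXml(), into
    # the fields that matter for a service-account logon.
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$x = $EventXml
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[[string]$item.Name] = [string]$item.'#text' }
    $id     = [int]$x.Event.System.EventID
    $status = ([string]$d['Status']).ToLower()
    $sub    = ([string]$d['SubStatus']).ToLower()
    # SubStatus carries the precise reason when it is set; otherwise Status does.
    $code    = if ($sub -and $sub -ne '0x0') { $sub } else { $status }
    $lt      = if ($d['LogonType']) { [int]$d['LogonType'] } else { 0 }
    $outcome = if ($id -eq 4624) { 'Success' } elseif ($id -eq 4625) { 'Failure' } else { 'Other' }
    $reason  = ''
    if ($id -eq 4625) {
        $reason = if ($StatusNames.ContainsKey($code)) { $StatusNames[$code] } else { "unmapped status $code" }
    }
    [pscustomobject]@{
        Time       = $x.Event.System.TimeCreated.SystemTime
        EventId    = $id
        Outcome    = $outcome
        TargetUser = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType  = "$lt ($($LogonTypeNames[$lt]))"
        Caller     = $d['SubjectUserName']
        Process    = $d['ProcessName']
        Status     = $status
        SubStatus  = $sub
        Reason     = $reason
    }
}

function Get-GmsaLogonEvents {
    # Live query; run elevated on the host where the logon was attempted.
    param([string]$AccountName = 'msaTest$', [int]$LastHours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$LastHours) } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_.ToXml() } |
        Where-Object { $_.TargetUser -like "*\$AccountName" }
}

# Constructed sample: the failure seen when the gMSA has not been granted the
# "Log on as a service" right on the host running LogonUser(LOGON32_LOGON_SERVICE).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2019-07-26T20:00:00.000Z" />
    <Computer>visualcronsrv.example.com</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">VISUALCRONSRV$</Data>
    <Data Name="TargetUserName">msaTest$</Data>
    <Data Name="TargetDomainName">YOURDOMAIN</Data>
    <Data Name="Status">0xc000015b</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">5</Data>
    <Data Name="ProcessName">C:\lab\GroupManagedServiceAccounts.exe</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml -EventXml $sample | Format-List
```

For the constructed event the output names logon type 5 (Service) and the reason STATUS_LOGON_TYPE_NOT_GRANTED; on a real host, `Get-GmsaLogonEvents` after running the test executable shows the same fields for the actual attempt, and a 4624 with logon type 5 for `YOURDOMAIN\msaTest$` is the evidence that the gMSA logon itself works.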

Offline Support  
#22 Posted : Monday, July 29, 2019 9:41:58 AM(UTC)
Support

Rank: Official support

Joined: 2/23/2008(UTC)
Posts: 11,222

Thanks: 874 times
Was thanked: 446 time(s) in 424 post(s)
Originally Posted by: wam
Hi Henrik,
I managed to work thru the C# needed to use Group Managed Service Accounts for impersonation.


Thanks, I will forward this and I will get back to you with feedback. Will probably be in 1-2 weeks as we are currently preparing for next release and also have some other development we need to do before.
Henrik
Support
http://www.visualcron.com
Offline Support  
#23 Posted : Tuesday, August 13, 2019 3:28:01 PM(UTC)
Support

Rank: Official support

Joined: 2/23/2008(UTC)
Posts: 11,222

Thanks: 874 times
Was thanked: 446 time(s) in 424 post(s)
We have now implemented partial support for this, which means that you should be able to access network files with MSA accounts (all Tasks working with files). Please test build: https://www.visualcron.c....aspx?g=posts&t=9617

You need to check "MSA" checkbox in the Credential.

I am not sure which Tasks you were interested in?
Henrik
Support
http://www.visualcron.com
Offline ROBV8R  
#24 Posted : Tuesday, August 13, 2019 3:45:51 PM(UTC)
ROBV8R

Rank: Paid support

Joined: 5/4/2017(UTC)
Posts: 8
United States
Location: Fort Worth, TX

Was thanked: 1 time(s) in 1 post(s)
@Support - Are you referring to "MSA"s (Introduced in Windows Server 2008 R2) or "Group Managed Service Accounts" (created for Windows Server 2012)?
Offline Support  
#25 Posted : Wednesday, August 14, 2019 10:42:00 AM(UTC)
Support

Rank: Official support

Joined: 2/23/2008(UTC)
Posts: 11,222

Thanks: 874 times
Was thanked: 446 time(s) in 424 post(s)
Originally Posted by: ROBV8R
@Support - Are you referring to "MSA"s (Introduced in Windows Server 2008 R2) or "Group Managed Service Accounts" (created for Windows Server 2012)?


yes
Henrik
Support
http://www.visualcron.com