Group Managed Service Accounts (gMSAs) and Standalone Managed Service Accounts (sMSAs)
12Port supports the use of Group Managed Service Accounts (gMSAs) and Standalone Managed Service Accounts (sMSAs) for executing remote tasks against domain-joined, supported Windows endpoints.
Standalone Managed Service Accounts (sMSAs) provide a secure way to manage domain service credentials for an individual Windows server. When used with 12Port, sMSAs allow secure, automated task execution without hardcoded credentials. sMSAs improve operational security by enabling automatic password rotation and reducing the risk associated with manually managed service accounts. Note that an sMSA is designed for use on a single server and does not support multi-server scenarios without additional configuration.
Group Managed Service Accounts (gMSAs) are a secure and convenient way to manage domain service account credentials across multiple Windows servers. In the context of 12Port, gMSAs enable credential-free authentication when remotely executing tasks against Windows servers. By leveraging gMSAs, you improve security through automatic password management and simplify service account administration across multiple servers, ensuring consistent, secure execution of automated operations.
Standalone Managed Service Accounts (sMSAs)
12Port can use an sMSA domain account with a Windows Host asset: supply the Host and the sMSA account in the Username field, and leave the Password field empty. To create an asset that uses an sMSA account, use the following for guidance:
- Host: Define the Host of the supported target Windows asset where the sMSA account can be used for connection and execution of remote tasks.
- Username: Define the sMSA account in the following format:
  MSA :: AD-Configuration-Name :: sMSA-Account-Name$
  where:
  MSA instructs 12Port to retrieve the account's current managed password from Active Directory at execution time and use it instead of any value supplied in the Password field.
  :: is the separator in the Username string. Note that each separator is a single leading space character, followed by two colon characters, followed by a single trailing space character.
  AD-Configuration-Name is the Active Directory configuration 12Port will connect with to retrieve the sMSA account password. This is the value of the Name parameter on the Active Directory Configuration page. Note that by default, sMSA passwords can only be read by Domain Admin accounts unless otherwise configured. This AD configuration may have its Direct Login disabled.
  sMSA-Account-Name$ is the sAMAccountName of the AD sMSA account, which ends in a single dollar sign character.
- Password: leave the Password field empty. Any value entered here is ignored when the MSA prefix is used.
Note
If the Active Directory integration account is not a Domain Admin, you may need to grant it specific permission in AD to retrieve this password. For example:
Set-ADServiceAccount -Identity 'TPT_gMSA' -PrincipalsAllowedToRetrieveManagedPassword 'LDAP_12PORT_AD_INTEGRATION_ACCOUNT'
where LDAP_12PORT_AD_INTEGRATION_ACCOUNT is the Service User in this AD configuration. Be aware that this parameter replaces the existing list of allowed principals rather than appending to it, so include any computers or groups that already need to retrieve the password. Review with your IT department before you begin.
sMSAs have the same remote task execution requirements (WinRM) as any other account type, so be sure the account is a member of the target server's local Administrators and/or Remote Management Users group, and that it has been installed on that server.
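The following PowerShell is an added example, not 12Port's own code, showing how an administrator would provision an sMSA for one target server and verify the prerequisites listed above (the account is installed on the host, is a member of Remote Management Users, and WinRM is reachable). The domain corp.example / CORP, the host APP01 and the account name svc_app01 are hypothetical placeholders; the ActiveDirectory RSAT module is assumed to be present on the management host and on the target.

```powershell
# Added example (not 12Port's code). Hypothetical names: corp.example, CORP, APP01, svc_app01.
# Part 1 runs on a management host as a user allowed to create service accounts;
# part 2 is sent to the target host, which needs the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$DnsDomain = 'corp.example'
$NetBios   = 'CORP'
$Host01    = 'APP01'        # target Windows host (computer object name)
$SmsaName  = 'svc_app01'    # sMSA name; its sAMAccountName becomes svc_app01$

# --- Part 1: create the standalone MSA and bind it to exactly one computer ---
if (-not (Get-ADServiceAccount -Filter "Name -eq '$SmsaName'")) {
    New-ADServiceAccount -Name $SmsaName `
        -RestrictToSingleComputer `
        -KerberosEncryptionType AES256 `
        -Description 'Remote task execution account (sMSA)'
}
# An sMSA may be installed on one computer only; this records that binding in AD.
Add-ADComputerServiceAccount -Identity $Host01 -ServiceAccount $SmsaName

# --- Part 2: on the target host, install the account and grant WinRM access ---
Invoke-Command -ComputerName "$Host01.$DnsDomain" -ScriptBlock {
    param($Name, $NetBios)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $Name
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        throw "$Name is not usable on $env:COMPUTERNAME"
    }
    # Least privilege: Remote Management Users is sufficient for WinRM logon.
    # Add the account to Administrators only if the remote tasks require it.
    $member = "$NetBios\$Name`$"
    $already = Get-LocalGroupMember -Group 'Remote Management Users' |
               Where-Object Name -eq $member
    if (-not $already) {
        Add-LocalGroupMember -Group 'Remote Management Users' -Member $member
    }
} -ArgumentList $SmsaName, $NetBios

# --- Sanity check from the management host: the WinRM listener answers ---
Test-WSMan -ComputerName "$Host01.$DnsDomain" | Out-Null

# The Username value to enter on the 12Port asset (AD configuration name is yours to fill in):
"MSA :: <AD-Configuration-Name> :: $SmsaName`$"
```

Test-ADServiceAccount returning $true on the host is the check worth keeping in a runbook: it confirms the computer can actually obtain the account's credentials, which is the part that silently fails when the account was created but never bound with Add-ADComputerServiceAccount.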
Group Managed Service Accounts (gMSAs)
12Port can use a gMSA domain account with a Windows Host asset: supply the Host and the gMSA account in the Username field, and leave the Password field empty. To create an asset that uses a gMSA account, use the following for guidance:
- Host: Define the Host of the supported target Windows asset where the gMSA account can be used for connection and execution of remote tasks.
- Username: Define the gMSA account in the following format:
  MSA :: AD-Configuration-Name :: gMSA-Account-Name$
  where:
  MSA instructs 12Port to retrieve the account's current managed password from Active Directory at execution time and use it instead of any value supplied in the Password field.
  :: is the separator in the Username string. Note that each separator is a single leading space character, followed by two colon characters, followed by a single trailing space character.
  AD-Configuration-Name is the Active Directory configuration 12Port will connect with to retrieve the gMSA account password. This is the value of the Name parameter on the Active Directory Configuration page. Note that by default, gMSA passwords can only be read by Domain Admin accounts unless otherwise configured. This AD configuration may have its Direct Login disabled.
  gMSA-Account-Name$ is the sAMAccountName of the AD gMSA account, which ends in a single dollar sign character.
- Password: leave the Password field empty. Any value entered here is ignored when the MSA prefix is used.
Note
If the Active Directory integration account is not a Domain Admin, you may need to grant it specific permission in AD to retrieve this password. For example:
Set-ADServiceAccount -Identity 'TPT_gMSA' -PrincipalsAllowedToRetrieveManagedPassword 'LDAP_12PORT_AD_INTEGRATION_ACCOUNT'
where LDAP_12PORT_AD_INTEGRATION_ACCOUNT is the Service User in this AD configuration. Be aware that this parameter replaces the existing list of allowed principals rather than appending to it, so include the target computers (or a group containing them) that already need to retrieve the password, otherwise they will lose access to it. Review with your IT department before you begin.
gMSAs have the same remote task execution requirements (WinRM) as any other account type, so be sure the account is a member of each target server's local Administrators and/or Remote Management Users group, and that it has been installed on each of those servers.
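The following PowerShell is an added example, not 12Port's own code, showing the gMSA side end to end: checking for the KDS root key, creating the gMSA with a retrieval list that contains both a group of target hosts and the 12Port AD integration account, verifying that delegation before the asset is configured, and then installing the account on each host with Remote Management Users membership. The domain corp.example / CORP, the hosts APP01 and APP02, the group TPT-gMSA-Hosts, the gMSA name gmsa_12port and the integration account svc_12port_ldap are hypothetical placeholders.

```powershell
# Added example (not 12Port's code). Hypothetical names: corp.example, CORP, APP01, APP02,
# TPT-gMSA-Hosts, gmsa_12port, svc_12port_ldap. Needs the ActiveDirectory RSAT module
# on the management host and on every target host.
Import-Module ActiveDirectory

$DnsDomain = 'corp.example'
$NetBios   = 'CORP'
$GmsaName  = 'gmsa_12port'            # sAMAccountName becomes gmsa_12port$
$Hosts     = @('APP01', 'APP02')      # target Windows hosts
$IntegAcct = 'svc_12port_ldap'        # Service User of the 12Port AD configuration
$HostGroup = 'TPT-gMSA-Hosts'         # security group of computers allowed the password

# gMSAs require a KDS root key in the forest. Even with -EffectiveImmediately the key
# is only usable about 10 hours after creation, so do this well before installing.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
    Write-Warning 'KDS root key created; wait ~10 hours before installing the gMSA.'
}

# Put the hosts in a group so adding a server later is a group-membership change,
# not an edit of the gMSA's retrieval list.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope DomainLocal -GroupCategory Security
}
Add-ADGroupMember -Identity $HostGroup -Members ($Hosts | ForEach-Object { Get-ADComputer $_ })

# Principals allowed to read msDS-ManagedPassword: the host group AND the 12Port
# integration account. Both New- and Set- REPLACE this list, so always pass the full set.
$allowed = @($HostGroup, $IntegAcct)
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName -DNSHostName "$GmsaName.$DnsDomain" `
        -PrincipalsAllowedToRetrieveManagedPassword $allowed `
        -KerberosEncryptionType AES256 `
        -ManagedPasswordIntervalInDays 30
} else {
    Set-ADServiceAccount -Identity $GmsaName -PrincipalsAllowedToRetrieveManagedPassword $allowed
}

# Verify the delegation actually landed before creating the asset in 12Port.
$acct = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$acct.PrincipalsAllowedToRetrieveManagedPassword   # expect the group DN and the integration account DN

# Install on each host and grant WinRM logon. A computer that was just added to the
# group needs a fresh ticket (reboot, or `klist -li 0x3e7 purge`) before Test-ADServiceAccount passes.
foreach ($h in $Hosts) {
    Invoke-Command -ComputerName "$h.$DnsDomain" -ScriptBlock {
        param($Name, $NetBios)
        Import-Module ActiveDirectory
        Install-ADServiceAccount -Identity $Name
        if (-not (Test-ADServiceAccount -Identity $Name)) {
            throw "$Name is not usable on $env:COMPUTERNAME"
        }
        $member  = "$NetBios\$Name`$"
        $already = Get-LocalGroupMember -Group 'Remote Management Users' |
                   Where-Object Name -eq $member
        if (-not $already) {
            Add-LocalGroupMember -Group 'Remote Management Users' -Member $member
        }
    } -ArgumentList $GmsaName, $NetBios
}

# The Username value to enter on each 12Port asset (AD configuration name is yours to fill in):
"MSA :: <AD-Configuration-Name> :: $GmsaName`$"
```

Two design points matter for security here. Granting the 12Port integration account retrieval rights on the gMSA makes that account as sensitive as the gMSA itself, since anyone who can authenticate as it can read msDS-ManagedPassword; protect it accordingly and keep the retrieval list minimal. Using a host group rather than individual computer objects keeps the gMSA's delegation stable over time and avoids the common mistake of a later Set-ADServiceAccount call overwriting the host entries.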