question

0 Votes
DavidHood-5810 asked, LimitlessTechnology-2700 answered

How to correctly set SPN on gMSA used for scheduled tasks

I need to know how EXACTLY to set an SPN for a new gMSA that I am about to create. I have read many articles for creating a gMSA, but they all have a generic "SPN1, SPN2" for the examples, or something referencing SQL instances for the SPN. What is the format or wording that the SPN needs to be set to?
I am creating our first gMSA in AD (domain functional level is 2016), and this one will be only for scheduled tasks on one or two servers to start with. Then I will look into creating one for SQL services after I get this correct.
If I create a gMSA with the name "TaskAcct", do I then create an SPN for it like "http\taskacct"? How do I do this? I feel there is very little to no documentation on how to do this correctly. If I set one up for a SQL service, or any other service for an application to run as that account, what would the SPN look like?

I checked this but that didn't help much.
https://social.technet.microsoft.com/Forums/windows/en-US/681603b6-1b33-45e8-9e84-3a049985e56e/usage-of-serviceprincipalnames-when-creating-gmsa-accounts?forum=winserverDS

windows-active-directory, windows-server-security

0 Votes
cthivierge answered, DavidHood-5810 commented

Well... it depends on what your goal is.

Let me explain...

When you configure an SPN on a server, it is to give a client the ability to connect to that service using Kerberos authentication.

If it's a scheduled task that runs on a Windows Server and only this server will make the calls to other servers, there is no need to create an SPN, because nobody will call the scheduler.

The SPN has to be configured on the Active Directory object under which the service is running.

For example,
Let's say you have a SQL Server instance (say the default instance) that is running on SQL001.
The SQL Engine service is configured to run using the computer account.
In that case, the SPN has to be configured on the computer account SQL001, because when clients try to connect to the SQL Server (SQL001), they will request a Kerberos ticket that matches the server name.
In that case, the command to register the SPN would be --> setspn -S MSSQLSvc/SQL001 SQL001


Another scenario is if the same SQL Server is configured to run using a Group Managed Service Account (gMSA) called gmsa_sql$.
In this scenario, the SPN has to be configured on the gmsa_sql$ account.
In that case, the command to register the SPN would be --> setspn -S MSSQLSvc/SQL001 gmsa_sql$

hth


Thank you for that additional explanation. That makes more sense now. Not sure why I couldn't find anything else on the internet to explain it like this.

0 Votes
cthivierge answered, DavidHood-5810 commented

The SPN creation format is the following:

setspn -S [Service]/HostName account

Example:
The service that will be accessed is HTTP.
The host (the server where the gMSA will run) is Server01.
The account (the gMSA) is gmsa_taskAcct.

The command will be the following:
setspn -S HTTP/Server01 gmsa_taskAcct$

If your users will access the server using the FQDN, also add the long name, like this:
setspn -S HTTP/Server01.yourdomain.com gmsa_taskAcct$


hth


Thank you for that explanation. That is better than most I've seen and helps me understand how to set it up.
However, is it even necessary to set the SPN for using the account for scheduled tasks on a server? Could I also use the command to have the SPN automatically set?

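Putting the two answers above together, here is an added example (my code, not from any post in this thread): a PowerShell script that provisions a gMSA for Server01, registers the HTTP/Server01 and HTTP/Server01.yourdomain.com SPNs on the gMSA itself (the account the service runs as, which is the placement the first answer explains), verifies the result, and registers a scheduled task that runs as the account. The names Server01, gmsa_taskAcct and yourdomain.com come from the answer; the TaskServers group, the task name and the script path are assumptions. It also adds the check a practitioner wants before writing an SPN: that no other account already holds it, since a duplicate SPN breaks Kerberos authentication to the service. As the first answer says, if the task only makes outbound calls and nothing authenticates to it, the SPN steps can be skipped entirely.

```powershell
# Added example, not code from the thread. Steps 1-3 run from an admin
# workstation or DC with the RSAT ActiveDirectory module; steps 4-5 run on
# Server01 itself. Assumed: the KDS root key already exists and a group
# "TaskServers" containing Server01$ exists (both are assumptions).
Import-Module ActiveDirectory

$Domain     = 'yourdomain.com'   # from the answer
$ServerName = 'Server01'         # from the answer
$Account    = 'gmsa_taskAcct'    # from the answer; AD appends the trailing $ itself
$Fqdn       = "$ServerName.$Domain"
$Spns       = @("HTTP/$ServerName", "HTTP/$Fqdn")   # short and FQDN form, as advised

# 1. Duplicate-SPN check. If two accounts hold the same SPN the KDC may issue
#    a ticket encrypted for the wrong account, and clients get
#    KRB_AP_ERR_MODIFIED instead of a working Kerberos logon. Refuse to continue.
foreach ($spn in $Spns) {
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($holder) {
        throw "SPN '$spn' is already registered on $($holder.DistinguishedName); resolve that first."
    }
}

# 2. Create the gMSA with its SPNs set at creation time. Restrict who may
#    retrieve the managed password to the hosts that actually run the task,
#    not to "Domain Computers".
New-ADServiceAccount -Name $Account `
    -DNSHostName $Fqdn `
    -PrincipalsAllowedToRetrieveManagedPassword 'TaskServers' `
    -ServicePrincipalNames $Spns `
    -Enabled $true

# Equivalent setspn commands for an account that already exists; -S also
# refuses to add an SPN another account holds:
#   setspn -S HTTP/Server01 gmsa_taskAcct$
#   setspn -S HTTP/Server01.yourdomain.com gmsa_taskAcct$

# 3. Verify what AD actually holds for the account.
Get-ADServiceAccount -Identity $Account -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName,
        @{ n = 'SPNs';         e = { $_.ServicePrincipalNames -join '; ' } },
        @{ n = 'AllowedHosts'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join '; ' } }

# 4. On Server01: install the gMSA into the local LSA and confirm the host can
#    retrieve its password. Test-ADServiceAccount returns $true only when that
#    works; a task configured to run as the account fails to start otherwise.
Install-ADServiceAccount -Identity $Account
if (-not (Test-ADServiceAccount -Identity $Account)) {
    throw "$ServerName cannot retrieve the password for $Account; check TaskServers membership and retry after a reboot."
}

# 5. On Server01: register the task with the gMSA as its principal. LogonType
#    Password lets the Task Scheduler fetch the managed password itself, so no
#    password is typed or stored anywhere. Task name and script path are assumed.
$principalName = '{0}\{1}$' -f $env:USERDOMAIN, $Account
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -File C:\Jobs\nightly.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At 2am
$principal = New-ScheduledTaskPrincipal -UserId $principalName -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'NightlyJob' -Action $action -Trigger $trigger -Principal $principal
```

The duplicate check in step 1 is the part worth keeping even if you register SPNs by hand with setspn: setspn -S performs the same lookup, but New-ADServiceAccount and Set-ADServiceAccount do not, so an SPN typed into -ServicePrincipalNames can collide with one already held by a computer or another service account without any error at creation time.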
0 Votes
LimitlessTechnology-2700 answered

Hello DavidHood,

A prerequisite to configuring an assessment scheduled task to run as an MSA is to provision or create the MSA in Active Directory Domain Services. Each of the supported assessments specifies the authorization and access requirements of the scheduled task account to successfully run.

Consult supported assessment getting started documents and prerequisite documents for access requirement details of the scheduled task account.

There are two types of managed service accounts. Either may be configured for the assessment scheduled task for the supported assessments:

Standalone Managed Service Accounts (also known as Virtual Accounts) can only be authorized to authenticate on a single domain joined computer.
Group Managed Service Accounts can be authorized to authenticate on several domain computers.

The Windows PowerShell Active Directory module is required for provisioning and configuring both types of MSAs. Domain controllers typically have this PowerShell module installed during installation of the domain controller role.

The module, a component of the Remote Server Administrator Tools, may be added to Windows Server SKUs via Server Manager. The module may also be added to Windows 1


Here’s a link that will help guide you as well:

https://docs.microsoft.com/en-us/services-hub/health/kb-running-assessments-with-msas

