Conversion of MIM Specific Services to gMSA

This guide steps through the basic configuration of gMSA for the supported services. The conversion to gMSA is straightforward once your environment has been pre-configured.

Hotfix Required: <link to latest KB>

Supported:

  • MIM Synchronization Service (FIMSynchronizationService)
  • MIM Service (FIMService)
  • MIM Password Registration
  • MIM Password Reset
  • PAM Monitoring Service (PamMonitoringService)
  • PAM Component Service (PrivilegeManagementComponentService)

Not Supported:

General Information

Reading needed to complete setup and understand

First step on your Windows domain controller

  1. Create the Key Distribution Services (KDS) root key (only once per domain) if needed. The root key is used by the KDS service on the domain controllers (along with other information) to generate the managed passwords.

    • Add-KDSRootKey -EffectiveImmediately

    • "-EffectiveImmediately" still means waiting up to ~10 hours, because the key needs to replicate to all domain controllers. This took approximately 1 hour for two domain controllers.

Synchronization Service


  1. Create a group called “MIMSync_Servers” and add all Synchronization Service servers to this group.

  2. From Windows PowerShell, run the command below as a domain admin; the computer accounts must already be joined to the domain.

    • New-ADServiceAccount -Name MIMSyncGMSAsvc -DNSHostName MIMSyncGMSAsvc.contoso.com -PrincipalsAllowedToRetrieveManagedPassword "MIMSync_Servers"

  • Get details of the gMSA for sync:

  • If running the PCNS service, you will need to update the delegation:

    • Set-ADServiceAccount -Identity MIMSyncGMSAsvc -ServicePrincipalNames @{Add="PCNSCLNT/mimsync.contoso.com"}
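The steps above (KDS root key, server group, gMSA creation, optional PCNS SPN) as one script, followed by the verification a practitioner wants before touching the Synchronization Service: that the password can only be retrieved by the intended group, and that the server itself can actually retrieve it. This is an added example, not code from the original article or from Microsoft; the host name MIMSYNC01 and the use of a global security group are assumptions, the other names are the ones used in this guide.

```powershell
# Added example: provision and verify the Synchronization Service gMSA end to end.
# Run as a domain admin on a host with the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$domainDns = 'contoso.com'
$groupName = 'MIMSync_Servers'
$gmsaName  = 'MIMSyncGMSAsvc'
$syncHosts = @('MIMSYNC01')                  # assumed Synchronization Service host(s)
$pcnsSpn   = 'PCNSCLNT/mimsync.contoso.com'  # only needed when PCNS is deployed

# 1. KDS root key: created once per domain. Even with -EffectiveImmediately the
#    key is only usable after it has replicated to all domain controllers.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Security group whose members (the sync servers) may retrieve the password.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
foreach ($h in $syncHosts) {
    Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer -Identity $h)
}

# 3. The gMSA itself. Password retrieval is restricted to $groupName only.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.$domainDns" `
        -PrincipalsAllowedToRetrieveManagedPassword $groupName
}

# 4. PCNS SPN, only when the Password Change Notification Service is in use.
Set-ADServiceAccount -Identity $gmsaName -ServicePrincipalNames @{Add = $pcnsSpn}

# 5. Review the result: the retrievers and SPNs should be exactly what was
#    intended and nothing broader.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Format-List Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames

# 6. On each sync host, install the account and confirm the host can retrieve
#    the managed password. Test-ADServiceAccount returns $false until the
#    computer's group membership is in its Kerberos ticket (reboot the host
#    after adding it to the group) and the KDS root key is effective.
Invoke-Command -ComputerName $syncHosts -ArgumentList $gmsaName -ScriptBlock {
    param($name)
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $name
    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        CanUseGmsa = (Test-ADServiceAccount -Identity $name)
    }
}
```

Run the script once; every step is idempotent apart from the SPN add, which is harmless to repeat. A `CanUseGmsa` of `$false` on a host means change mode will fail on that server, so resolve it (group membership, reboot, KDS key replication) before step 5 of this section.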
  3. Next, on the Synchronization Service server, be sure to back up the encryption key, as it will be requested during the change-mode install.

    • On the Server that the Synchronization Service is installed on locate the Synchronization Service Key Management tool

    • By Default, the Export key set is already selected

    • Click on Next

    • You will now be prompted to enter the existing synchronization account information

    • Enter and verify the FIM Sync Account information

      • Account Name - Account name of the Synchronization Service account used during the initial install

      • Password - Password of Synchronization Service account

      • Domain - Domain that the Synchronization Service account is a part of

    • Click on Next

    • If you entered something incorrectly, you will receive the following error

    • Once the account information has been entered successfully, you will be presented with an option to change the destination (export file location) of the backup encryption key.

      • By default, the export file location is C:\Windows\system32\miiskeys-1.bin.
  4. Install Microsoft Identity Manager SP1 Synchronization Service build 4.4.1302.0, which can be found on the Volume License Download Center or the MSDN Download Site. Once the install is complete, make sure you save the key set miiskeys.bin.

  5. Install the latest hotfix, 4.5.x.x or later.
  • Once patched, stop the FIM Synchronization service.
  • Control Panel -> Programs and Features -> Microsoft Identity Manager Synchronization Service -> Change -> Next -> Configure -> Next
  • Clear the account name.
  • Type the service account name MIMSyncGMSA with the $ symbol, as on the screenshot. Leave Password empty.
  • Next -> Next -> Install
  • Restore the key set from the saved .bin file.

Note

Because a SQL login is created for the new account, the user running change mode must have permission to add the account and to grant it dbo on the Synchronization Service database.

MIM Service


Important

The following process must be used when first converting the MIM Service-related accounts to gMSA accounts. The PowerShell cmdlets noted in the Appendix can only be used to change the account information once the initial configuration has been done.

  1. Create group managed service accounts for the MIM Service, PAM REST API, PAM Monitoring Service, PAM Component Service, SSPR Registration Portal and SSPR Reset Portal.

    • Make sure you update the gMSA delegation and SPN:
      • Set-ADServiceAccount -Identity <account> -ServicePrincipalNames @{Add="<SPN>"}
      • Delegation
        • Set-ADServiceAccount -Identity <gmsaaccount> -TrustedForDelegation $true
      • Constrained delegation
        • $spns = '<SPN>'  # SPNs registered on the account itself
        • $delspns = 'http/mim', 'http/mim.contoso.com'  # services the account may delegate to
        • New-ADServiceAccount -Name <gmsaaccount> -DNSHostName <gmsaaccount>.contoso.com -PrincipalsAllowedToRetrieveManagedPassword <group> -ServicePrincipalNames $spns -OtherAttributes @{'msDS-AllowedToDelegateTo'=$delspns }
  2. Add the account for the MIM Service to the Sync groups. This is necessary for SSPR.
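The constrained-delegation variant above, carried through to a check of what actually ended up on the account. Constrained delegation lives in msDS-AllowedToDelegateTo; the -TrustedForDelegation switch shown under "Delegation" instead enables unconstrained delegation, which lets the service impersonate any user to any service, so it is worth confirming which of the two is set before going live. This is an added example, not code from the original article or from Microsoft; the account name MIMSvcGMSA, the group MIM_Service_Servers and the FIMService SPNs on host mim.contoso.com are assumptions.

```powershell
# Added example: create a MIM Service gMSA with SPNs and constrained delegation,
# then report the delegation settings that were applied.
Import-Module ActiveDirectory

$gmsaName  = 'MIMSvcGMSA'                                    # assumed
$hostGroup = 'MIM_Service_Servers'                           # assumed; computers allowed to retrieve the password
$spns      = 'FIMService/mim', 'FIMService/mim.contoso.com'  # assumed SPNs of the MIM Service itself
$delspns   = 'http/mim', 'http/mim.contoso.com'              # services this account may delegate to (from the guide)

if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName "$gmsaName.contoso.com" `
        -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
        -ServicePrincipalNames $spns `
        -OtherAttributes @{ 'msDS-AllowedToDelegateTo' = $delspns }
}

# Reads back the attributes that decide what this account can do on behalf of
# users: SPNs, constrained targets, the unconstrained-delegation flag and the
# principals that may retrieve the password.
function Get-GmsaDelegationReport {
    param([Parameter(Mandatory)][string]$Identity)
    $acct = Get-ADServiceAccount -Identity $Identity `
        -Properties ServicePrincipalNames, 'msDS-AllowedToDelegateTo', TrustedForDelegation,
                    PrincipalsAllowedToRetrieveManagedPassword
    [pscustomobject]@{
        Name                    = $acct.Name
        ServicePrincipalNames   = @($acct.ServicePrincipalNames)
        ConstrainedTargets      = @($acct.'msDS-AllowedToDelegateTo')
        UnconstrainedDelegation = [bool]$acct.TrustedForDelegation
        PasswordRetrievers      = @($acct.PrincipalsAllowedToRetrieveManagedPassword)
    }
}

$report = Get-GmsaDelegationReport -Identity $gmsaName
$report | Format-List

# Flag the broad setting so it is a conscious decision, not an accident.
if ($report.UnconstrainedDelegation) {
    Write-Warning "$gmsaName is trusted for unconstrained delegation; msDS-AllowedToDelegateTo is the narrower option unless the guide calls for -TrustedForDelegation."
}
if ($report.ConstrainedTargets.Count -eq 0 -and -not $report.UnconstrainedDelegation) {
    Write-Warning "$gmsaName has no delegation configured; SSPR and PAM scenarios that rely on it will fail."
}
```

Get-GmsaDelegationReport can be run against each of the six accounts created in step 1 to compare them side by side; an account that shows both constrained targets and the unconstrained flag is usually the result of applying both variants from the list above.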

  Note: There is a known issue where services that use a managed account hang after the server is restarted, because the Microsoft Key Distribution Service is not started after Windows restarts. The service cannot be started and Windows cannot be restarted either. The issue is reproducible at least on Windows Server 2012 R2. The workaround for this issue is to run the command
  3. Run the MIM Service MSI elevated and select Change.

  4. On the “Configure main server connection” page, check the “Use different account for Exchange (for managed accounts)” checkbox. Here you have the option to use the old account that has a mailbox or to use a cloud mailbox.

  5. On the “Configure MIM Service account” page, type the service account with the $ symbol at the end. Also type the Service Email Account Password. The Service Account Password field should be disabled.

  6. Because the LogonUser function doesn’t work for managed accounts, the next page will show the warning “Please check if Service Account is secure in its current configuration”.


  7. On the “Configure Privileged Access Management REST API” page, type the Application Pool Account Name with the $ symbol at the end and leave the Password field empty.

  8. On the “Configure PAM Component Service” page, type the Service Account Name with the $ symbol at the end and leave the Password field empty.


  9. On the “Configure Privileged Access Management Monitoring Service” page, type the Service Account Name with the $ symbol at the end and leave the Password field empty.

  10. On the “Configure MIM Password Registration Portal” page, type the Account Name with the $ symbol at the end and leave the Password field empty.

  11. On the “Configure MIM Password Reset Portal” page, type the Account Name with the $ symbol at the end and leave the Password field empty.

  12. Complete the installation.

Note:

  • After installation, two new keys are created in the registry under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service” for storing the encrypted Exchange password: one for Exchange Online and another for Exchange on premises (one of them should be empty).


  • To update the password, we provide a script for download here so that customers will not have to run change mode.

  • To encrypt the Exchange password, the installer creates an additional service and runs it under the managed account. The following messages are added to the Application event log during installation.
