How to configure a Foreign Forest Agent to use a gMSA
Description
What is needed to use a gMSA with the Foreign Forest Agent?
Cause
Resolution
To use a gMSA with the Foreign Agent:

1. There has to be a two-way trust between the domains.
2. The "ChangeAuditor Agents - INSTALLATIONNAME" group needs to exist in the Coordinator domain. If it does not, create it.
3. Create the gMSA account in either the Coordinator domain or the Foreign domain (it is recommended to create the gMSA in the Coordinator domain).
4. If the gMSA is created in the Foreign domain, it also needs to be a member of the Authenticated Users group in the domain where the Coordinator(s) is hosted.
5. Whether the gMSA is created in the Coordinator domain or in the Foreign domain:
   a. The PrincipalsAllowedToRetrieveManagedPassword attribute of the gMSA must include the computer accounts where the gMSA is going to be used, that is, the computer accounts of the servers where you are installing the Foreign Agent and configuring that agent to use the gMSA.
   b. The same attribute must also include the computer accounts of ALL Coordinators hosted in the Coordinator domain.
   In both cases the accounts can either be added to the attribute directly, or a group can be added to the attribute and the accounts made members of that group.
   c. The gMSA account must be a member of the "ChangeAuditor Agents - INSTALLATIONNAME" group in each of the Coordinator domain(s).
6. Grant the gMSA account the "Log on as a service" right on any server where you are installing the Foreign Agent.
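The following PowerShell is an added worked example of the steps above, not part of the original article and not Quest's own tooling. It assumes the ActiveDirectory RSAT module, a placeholder Coordinator domain coord.example.com, a placeholder Foreign domain foreign.example.com, placeholder computer names (COORD1, COORD2, FAGENT1), a placeholder gMSA name CA-ForeignAgent, and that the agents group is created with domain-local scope so that it can hold a principal from the trusted forest. The gMSA is created in the Coordinator domain, as the article recommends; the last part runs on the Foreign Agent host and uses secedit to grant "Log on as a service", since there is no built-in cmdlet for user rights.

```powershell
# Added example (not from the original KB article). All domain, computer and
# account names are placeholders; replace them with your own.
Import-Module ActiveDirectory

$CoordDomain   = 'coord.example.com'      # placeholder Coordinator domain
$ForeignDomain = 'foreign.example.com'    # placeholder Foreign (agent) domain
$GmsaName      = 'CA-ForeignAgent'        # placeholder gMSA name
$AgentGroup    = 'ChangeAuditor Agents - INSTALLATIONNAME'

# Step 1: confirm the trust between the domains is two-way.
$trust = Get-ADTrust -Filter "Name -eq '$ForeignDomain'" -Server $CoordDomain
if ($trust.Direction -ne 'BiDirectional') {
    throw "Trust with $ForeignDomain is $($trust.Direction); a two-way trust is required."
}

# A KDS root key must exist before any gMSA can be created in the forest.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately still needs ~10 hours to replicate in a real forest.
    Add-KdsRootKey -EffectiveImmediately
}

# Step 2: create the agents group in the Coordinator domain if it is missing.
# Domain-local scope is an assumption: it allows members from the trusted forest.
if (-not (Get-ADGroup -Filter "Name -eq '$AgentGroup'" -Server $CoordDomain)) {
    New-ADGroup -Name $AgentGroup -GroupScope DomainLocal -GroupCategory Security -Server $CoordDomain
}

# Step 5a/5b: collect the computer accounts allowed to retrieve the managed
# password: every Coordinator in the Coordinator domain plus each agent host.
$coordinators = @(Get-ADComputer -Filter "Name -like 'COORD*'" -Server $CoordDomain)
$agentHosts   = @(Get-ADComputer -Identity 'FAGENT1' -Server $ForeignDomain)
$principals   = $coordinators + $agentHosts

# Step 3: create the gMSA in the Coordinator domain with those principals on
# PrincipalsAllowedToRetrieveManagedPassword (stored in msDS-GroupMSAMembership).
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$CoordDomain" `
    -PrincipalsAllowedToRetrieveManagedPassword $principals `
    -KerberosEncryptionType AES256 `
    -Server $CoordDomain

# Step 5c: make the gMSA a member of the agents group in the Coordinator domain.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Server $CoordDomain
Add-ADGroupMember -Identity $AgentGroup -Members $gmsa -Server $CoordDomain

# Review: exactly which principals may retrieve the password, and group membership.
Get-ADServiceAccount -Identity $GmsaName -Server $CoordDomain `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, MemberOf |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword, MemberOf

# ---- Run the rest on each Foreign Agent host (e.g. FAGENT1) as a local admin,
# ---- after the new objects have replicated.

# Install the gMSA on this host and verify the host can retrieve its password.
Get-ADServiceAccount -Identity $GmsaName -Server $CoordDomain | Install-ADServiceAccount
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "This host cannot retrieve the password for $GmsaName; check step 5a."
}

# Step 6: grant "Log on as a service" (SeServiceLogonRight) to the gMSA via secedit.
$sid = (Get-ADServiceAccount -Identity $GmsaName -Server $CoordDomain).SID.Value
$inf = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$cfg = Get-Content $inf
if ($cfg -match '^SeServiceLogonRight') {
    # Right already assigned to someone: append our SID if it is not there yet.
    if (-not ($cfg -match [regex]::Escape("*$sid"))) {
        $cfg = $cfg -replace '^(SeServiceLogonRight\s*=.*)$', "`$1,*$sid"
    }
} else {
    # No entry yet: add one under the [Privilege Rights] section.
    $cfg = $cfg -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeServiceLogonRight = *$sid"
}
Set-Content -Path $inf -Value $cfg -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
Remove-Item $inf, $db -ErrorAction SilentlyContinue
```

The review step is the part worth keeping around: PrincipalsAllowedToRetrieveManagedPassword is the only thing standing between the gMSA password and any computer in either forest, so it should list nothing beyond the Coordinators and the agent hosts. If the gMSA were instead created in the Foreign domain (step 4), the same commands apply with the `-Server` values swapped for the gMSA operations.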
The workflow when using a gMSA with a Foreign Agent is as follows:

1. The agent uses the gMSA account to query the Coordinator domain for any Coordinator Service Connection Points (SCPs). This is possible because the account is a member of the Authenticated Users group in the Coordinator domain and that group has read rights in the domain.
2. The agent reads the SCP and then attempts to connect to the Coordinator.
3. The Coordinator verifies whether the gMSA credentials are permitted to authenticate by checking the membership of the CA Agents group. Since the agent is providing credentials that belong to a member of the CA Agents group, the Coordinator allows it to connect.

This configuration does not give any other foreign agent (or any other account, for that matter) the ability to do anything with the gMSA account. The only objects permitted to retrieve the password for the gMSA are those that have been added to the PrincipalsAllowedToRetrieveManagedPassword attribute. In this scenario, the gMSA is used by the agent to query for the SCP, and then by the Coordinator to validate that the account being used is permitted to connect.