Installation with GMSA Account
  • 12 Jan 2024


What is GMSA (Group Managed Service Account)?

Group Managed Service Accounts (GMSAs) are managed domain accounts that help to secure Windows NT Services. GMSAs can run on a single server or on a server farm, such as systems behind a Network Load Balancing or Internet Information Services (IIS) server. The GMSA principal and password are handled by the Windows operating system. GMSAs offer a single identity solution with greater security while also reducing administrative overhead. To understand more about GMSA, click here.

Permissions required for GMSA account

As the GMSA account will be used as a log-in for the BizTalk360 web application, NT Services, and SQL Server database, it must have some permissions to run BizTalk360 smoothly.
The permissions include:

  • Sign-On permissions
  • IIS permissions to access the Web Application
  • Database permissions and roles to access the BizTalk360 Database
  • Ensure the GMSA account is enabled and active in Active Directory
  • Ensure the Microsoft Key Distribution Service is up and running, because this service manages the GMSA account password state in Windows.
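
The account-related checks in this list can be scripted before the installer is started. The following PowerShell is an added example, not BizTalk360 code: the function name `Test-GmsaPrerequisite`, the account name and the domain controller name are hypothetical placeholders. It assumes the RSAT ActiveDirectory module is installed, the host is joined to the account's domain, and PowerShell remoting to a domain controller is permitted.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not BizTalk360 code. Run on the server that will host BizTalk360.
function Test-GmsaPrerequisite {
    [CmdletBinding()]
    param(
        # Account exactly as typed into the installer: DomainName\GmsaAccountName$
        [Parameter(Mandatory)] [string] $Account,
        # Assumption: PowerShell remoting to this domain controller is permitted
        [Parameter(Mandatory)] [string] $DomainController
    )
    $result = [ordered]@{
        FormatOk = $false; IsGmsa = $false; Enabled = $false
        UsableOnThisHost = $false; KdsRunning = $false
    }
    # 1. Installer format: domain, backslash, account name, trailing '$'
    if ($Account -notmatch '^(?<domain>[^\\]+)\\(?<name>[^\\$]+)\$$') {
        return [pscustomobject]$result
    }
    $result.FormatOk = $true
    $name = $Matches['name']

    # 2. Account exists in Active Directory, is a gMSA, and is enabled
    try {
        $adAccount = Get-ADServiceAccount -Identity $name -Properties Enabled -ErrorAction Stop
        # A gMSA has object class msDS-GroupManagedServiceAccount; a standalone
        # MSA (msDS-ManagedServiceAccount) is not supported by the installer.
        $result.IsGmsa  = $adAccount.ObjectClass -eq 'msDS-GroupManagedServiceAccount'
        $result.Enabled = [bool]$adAccount.Enabled
        # True only if this computer is allowed to use the managed account
        $result.UsableOnThisHost = [bool](Test-ADServiceAccount -Identity $name -WarningAction SilentlyContinue)
    } catch {
        Write-Warning "AD lookup failed for '$name': $($_.Exception.Message)"
    }

    # 3. Microsoft Key Distribution Service (KdsSvc) state on the domain controller
    try {
        $status = Invoke-Command -ComputerName $DomainController -ErrorAction Stop -ScriptBlock {
            (Get-Service -Name KdsSvc).Status.ToString()
        }
        $result.KdsRunning = $status -eq 'Running'
    } catch {
        Write-Warning "Could not query KdsSvc on ${DomainController}: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

# Usage with placeholder values (constructed for illustration)
Test-GmsaPrerequisite -Account 'CONTOSO\svcBT360$' -DomainController 'dc01.contoso.example'
```

Any property that comes back `False` points to the prerequisite to fix before entering the account in the installer.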

Install BizTalk360 Using GMSA Account  

Fresh Installation

During a fresh installation, the GMSA account option is available under the Service Account detail section in the IIS & Service account setup screen.

In the installer, navigate to the IIS & Service account dialog:

  • Enter the GMSA account name with the domain name in the Username field, in the format DomainName\GmsaAccountName$
  • Check the GMSA Account option to indicate to the installer that the entered account is a GMSA account. Enabling this option disables the password field automatically, as the password is auto-managed by Windows.
  • Click Next to authenticate the account by verifying that it is available and active in the domain's Active Directory.



Upgrade Installation

During an upgrade installation, the GMSA account option is available separately for the Application Pool and the Monitoring Service credentials.

  • As in a fresh installation, enter the GMSA account name in the UserName field in the format DomainName\GmsaAccountName$
  • Check the GMSA Account option
  • After entering the account details, click Validate to authenticate the account
  • If authentication is successful, click Upgrade to complete the installation; otherwise, re-enter valid GMSA account credentials.
  • During an upgrade, if you already used GMSA during a fresh installation, the GMSA account details will be auto-populated in this dialog.
  • The provided GMSA account will be mapped as the login for the selected installation features, such as the Web Application, Monitoring Service, and SQL Server database in BizTalk360.


Modify Service Account User to GMSA Account after installation

Follow the steps below if you installed BizTalk360 using service account credentials and want to change them to a GMSA account.

1) Update the GMSA account in the BizTalk360 AppPool identity.

2) Add the GMSA account as a user in the BizTalk360 database and assign it the db_owner role.


3) Change the service account credentials to the GMSA account. (Make sure to clear the password fields while updating to the GMSA account.)



The BizTalk360 Installer currently supports logon with Group Managed Service Account (GMSA) and does not support Managed Service Account (MSA) logon. 


