Support for Managed Service Accounts/Group Managed Service Accounts

[PleaseStopAsking]

Hi,

We currently utilize MSA/gMSA's within our deployments but are required to manually switch over to them after utilizing DSC to deploy with local accounts. Would it be possible to implement these in the future?

Our current workflow requires...

1. Setting permissions for the MSA on the required ArcGIS dirs based on the software being configured.
2. Setting the service account to the MSA.
3. Restarting the service.

As the DSC resources already handle setting the permissions aspect, I assume that adding support for the MSA's use of

domain\username$

for the username field would need to done.

Thanks,

[PleaseStopAsking]

Adding info for documentation purposes. PowerShell does not support $null passwords when creating pscredential objects. Adding support for MSA's would likely require changing the DSC resources to support individual parameters for Username and Password instead of passing in a pscredential or including a new parameter that accepts a MSA and then logic determines which to use.

The DSC_xServiceResource has implemented this sort of behavior successfully.
https://github.com/dsccommunity/xPSDesiredStateConfiguration/blob/master/source/DSCResources/DSC_xServiceResource/DSC_xServiceResource.schema.mof

[scma-esrich]

Any updates on an ETA for that?

[scma-esrich]

Any updates on an ETA for that?

Push.

[PleaseStopAsking]

Just an update on this enhancement request. With the release of 10.8, the installers now support the use of gMSA's. As such, the below example can be used when building custom configurations with the DSC resources directly (compared to leveraging the functions/cmdlets bundled) to install the software and run it as a gMSA. It's not complete support but half the battle.

If building custom DSC configurations yourself, the ArcGIS_Install resource sets the permissions as needed (for install folder) and sets the service to auto start so in theory, you could do away with the need to use the ArcGIS_WindowsService and ArcGIS_Service_Account depending on your setup or supplement it with a Script resource that sets the config-store and directories dir permissions for the gMSA.

Install ArcGIS Server:

ArcGIS_Install 'InstallServer' {
    Name      = 'Server'
    Version   = '10.8'
    Path      = 'C:\ArcGIS_Server_Windows_108_172859.exe'
    Arguments = if($Gmsa) { "/qb MSA=TRUE USER_NAME=$Gmsa" } else { "/qb" }
    Ensure    = 'Present'
    DependsOn = $Depends
}

This update is directed toward users of the module and not toward the dev team directly.

[HakonD]

Hope the team will prioritize this request. At last since UC-2019 using a gMSA as the service account is promoted as a best practice.

[cameronkroeker]

Hello @PleaseStopAsking and @HakonD,

We have added support for gMSA in the latest release, v3.2.0:

https://github.com/Esri/arcgis-powershell-dsc/releases/tag/v3.2.0

To use, set ConfigData.Credentials.ServiceAccount.IsMSAAccount = true.

arcgis-powershell-dsc/SampleConfigs/v3/v3.2.0/Base Deployment/BaseDeployment-SingleMachine.json

Lines 23 to 28 in 78e488f

	"ServiceAccount": {
	"UserName": "[ServiceAccount Username - Can be a Domain Account]",
	"Password": "[ServiceAccount Password]",
	"IsDomainAccount": false,
	"IsMSAAccount": false
	},

Thanks,
Cameron K.