Skip to content

gMSA Configuration

Jump to bottom
lordmilko edited this page Jul 20, 2022 · 7 revisions

Contents

Overview

Many aspects of using PRTG can assume you are operating in a domain environment. Docker containers however are considered to be ephemeral, and do not get added to the domains of the hosts that run them. This can create challenges when attempting to access network resources that require you to authenticate as a domain user.

Group Managed Service Accounts (gMSAs) provide a means to work around this issue; when the gMSA is installed on the Docker server and the container is instructed to use it, all attempts to access network resources will be proxied through this account.

There are four steps involved in using a gMSA with Docker

  1. Create it in Active Directory
  2. Install it on your Docker server
  3. Create a credential spec for use with your container that utilizes the gMSA
  4. Instruct your container to use credential spec for authentication

Steps 3 and 4 are automatically handled by PrtgDocker for you. The following (adapted from this and this) describes how to perform steps 1 and 2, and then verify that authentication is working in conjunction with PrtgDocker.

Setup

  1. On your Domain Controller, run the PowerShell command

    Get-KdsRootKey

    If this command returns something, go to step 2. If this command returns nothing, then run

    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

    Microsoft recommends that you don't specify -EffectiveTime (Get-Date).AddHours(-10), but rather specify -EffectiveImmediately and then wait 10 hours before proceeding. From my research, the justification for this is that this is a "safety measure" to ensure "all domain controllers have replicated and are ready for gMSA requests". From my perspective however, so what if all domain controllers aren't ready for requests; depending on your environment, these steps either work or they don't; if they don't, come back tomorrow and pick up where you left off. I have multiple domain controllers in my environment and didn't have an issue hacking the EffectiveTime; never the less, keep all this in mind. YMMV.

  2. Create a security group in your domain called Container Hosts

  3. Add all of the Docker hosts that will be running PRTG containers to the Container Hosts security group, then restart each of the systems that were added to the group

    Depending on the number of domain controllers in your environment, you may need to wait some time for your computer's updated group membership to occur before restarting it. You can check whether your computer's group membership now includes Container Hosts after a restart by running gpresult /r /scope computer

  4. On your domain controller run the following PowerShell command

    New-ADServiceAccount -Name container_gmsa -DNSHostName $env:userdnsdomain.ToLower() -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers","Domain Admins","Container Hosts" -KerberosEncryptionType RC4,AES128,AES256

  5. Verify that your gMSA was successfully created

    Get-ADServiceAccount -Identity container_gmsa

  6. Open the Active Directory Administrative Center MMC snap-in on your domain controller

  7. Expand your domain on the left hand side (e.g. contoso (local)), right click the container_gmsa account and click Properties

  8. On the Security tab, click Add and add the Container Hosts group created in step 2 and click OK

Installation

On each of your Docker hosts, run the following PowerShell commands

Enable-WindowsOptionalFeature -FeatureName ActiveDirectory-Powershell -online -all

Get-ADServiceAccount -Identity container_gmsa
Install-ADServiceAccount -Identity container_gmsa
Test-AdServiceAccount -Identity container_gmsa

Verification

If you followed these instructions correctly, your Docker gMSA account should now be created in your domain and installed on each of your PRTG Docker hosts. If you encounter any issues with these steps, please make sure you have followed these instructions correctly, or refer to the two articles referred to at the top of this section.

To truly test that the gMSA is working, create a PRTG Probe container with a -CustomSensorsPath and perform the diagnostics listed below.

  1. Create a new PRTG Probe container (if you haven't already) with the following command, substituting the -Name, -Server and -CustomSensorsPath for the actual paths you want to use in your environment.

    New-PrtgContainer -Probe -Name "New York 1" -Server prtg.example.com -Volume -CredentialSpec -CredentialSpecAccount container_gmsa -CustomSensorsPath "\\fs-1.contoso.local\CustomSensors"

  2. Connect to your container (via docker exec) and attempt to list the contents of the Custom Sensors folder

    cd "C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\"
ls
cd EXEXML
ls

  3. Verify your connection status to your domain

    nltest /sc_verify:contoso.local

    Note that the above command will indicate an error on Server 2016 images unless -AdditionalArgs "--hostname","container_gmsa" is specified to New-PrtgContainer. In practice, I have not noticed any issues with nltest not working, as long as everything else does work properly

  4. Verify you've received a Kerberos ticket

    klist get container_gmsa

If you experience issues with WMI requests inside your docker container, please see Image Compatibility for more info.

User Guide

Setup

Clone this wiki locally