Question

Active Directory connect with group managed service account (gMSA) possible?


Badge +5

Does FME support a connection to active directory with a group managed service account (gMSA)? Or are only regular accounts supported?


11 replies

Badge +10

Hi @wicki,

Great question. Here is what we know:

 

  • FME Server will run when the services are run under a Group Managed Service Account.
  • Using a GMSA as the "Search Account Name" for an Active Directory Connection has not been tested.
  • Nor has adding GMSAs to FME Server users been tested.

 

Thanks,

Richard

Badge +5

Hi @richardatsafe,

Thanks for your answer.

Will you test using the gMSA as the "search account"? That's the interesting point for me. If that is supported by FME Server it would be really great.

Otherwise I have to change the password manually every day. That would be a no-go for using AD with FME Server.

Badge +10


Hi @wicki,

Testing showed that at this point they do not work. I created a change request for adding this support, but if it's something that is very important please post it on our ideas page so we can get more traction.

  • Using a GMSA as the "Search Account Name" for an Active Directory Connection
  • or importing GMSAs to FME Server users.

Badge +3


Hi @richardatsafe,

Has this change request had any progress? I'm sitting in an organisation that wishes to use gMSA. :)

Badge +10


Hi @worjak,

GMSA works perfectly fine as the service account running FME Server (core, web, engines). Do you have a specific need outside of this for using the GMSA account, such as an LDAP connection search account?
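The reply above reports that the FME Server services run fine under a gMSA. Whether a particular host can use a gMSA at all depends on two things: the computer (or a group it belongs to) must be listed in the account's PrincipalsAllowedToRetrieveManagedPassword, and Install-ADServiceAccount must have been run on that host. The PowerShell below is an added example, not code from the thread or from Safe Software; it uses the RSAT ActiveDirectory module to report both conditions together with the password-rotation interval and registered SPNs. The account name fmeflow-svc is a placeholder.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
# 'fmeflow-svc' is a placeholder for the gMSA's sAMAccountName without the trailing '$'.
Import-Module ActiveDirectory

function Get-GmsaReadiness {
    <#
      Reports whether this host can use the given gMSA:
        - which principals may retrieve the managed password (the effective trust boundary)
        - how often the password rotates
        - the SPNs registered on the account (needed for Kerberos to services it hosts)
        - whether the local machine can retrieve the password right now
    #>
    param([Parameter(Mandatory)][string]$Name)

    $acct = Get-ADServiceAccount -Identity $Name -Properties `
        PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays, ServicePrincipalNames

    # PrincipalsAllowedToRetrieveManagedPassword holds distinguished names; resolve them.
    $allowed = foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
        (Get-ADObject -Identity $dn -Properties sAMAccountName).sAMAccountName
    }

    # Test-ADServiceAccount returns $true only if Install-ADServiceAccount succeeded here
    # and the computer is (directly or via group) in the allowed list.
    $usable = Test-ADServiceAccount -Identity $Name -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Account               = $acct.SamAccountName
        PasswordIntervalDays  = $acct.ManagedPasswordIntervalInDays
        AllowedToRetrieve     = @($allowed)
        ServicePrincipalNames = @($acct.ServicePrincipalNames)
        UsableOnThisHost      = [bool]$usable
    }
}

$report = Get-GmsaReadiness -Name 'fmeflow-svc'
$report | Format-List

if (-not $report.UsableOnThisHost) {
    $msg = "{0} cannot be used on {1}: add this computer (or a group containing it) to PrincipalsAllowedToRetrieveManagedPassword, then run Install-ADServiceAccount." -f $report.Account, $env:COMPUTERNAME
    Write-Warning $msg
}
```

Run it on each FME Server host (core, web and engine machines alike). The AllowedToRetrieve list is the part worth reviewing periodically: every host in it, and every member of any group in it, can obtain the gMSA's current password, so it should contain only the FME Server hosts and be trimmed when a host is decommissioned.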

Badge +3

True, the GMSA runs FME Server (core, web, engines) fine, but we have difficulties using it to connect to MS SQL Server via Windows authentication/SSO. I'm surprised that we get these problems, since we had success doing the same with a non-GMSA. I understand a benefit of using the GMSA is to avoid renewing a password.

Badge +10


Thanks @worjak, that's something we had not considered. I will make a format enhancement to see if we can make the readers/writers use GMSA. Are there any other formats you would like to use this way?

Badge +3

That's great @richardatsafe. I don't have anything to add at this point.

Badge +10


Hi @worjak,

I'm looping back to this for some general testing, but it looks like GMSAs are not meant to be used as user database logins, only for running the services, and I could not find a working method for creating a GMSA user login for the MSSQL database. Would you have a method for this?

Hi @richardatsafe,

Any news on this? We have encountered the same issue and our organization uses gMSA accounts only, including for database connections. Other applications can connect to SQL databases with a gMSA account without any problems, but no luck with FME Flow.

Could not open the Enterprise Geodatabase. The error number from ArcObjects is: '-2147216118'. The error message from ArcObjects is: {Bad login user[ ]}

Badge +10

Hi @marty,

There hasn't been any development to enable Active Directory Connections to use GMSA yet, but I can add your comment to the issue if you require this functionality. As far as using the GMSA service account to run the engines, this works fine. However, using a reader that uses Integrated Windows Authentication (which I am assuming you are doing) with the GMSA often has issues, as a lot of databases don't support GMSA logins. Can you confirm in another way other than FME that using the SDE file as the GMSA works? I should note there are a couple of reasons for your error, and if you can create a case so we can dive into the details of your environment and set up, we may be able to either help or create a better enhancement request.
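Two open points in the thread concern the database side: Richard asks for a method of creating a gMSA login on MSSQL, and marty's "Bad login user" error is one that, among other causes, appears when the Windows principal reaching SQL Server has no matching login. SQL Server does accept a gMSA as a Windows login; it is created the same way as a computer account, with FROM WINDOWS and the trailing '$' kept in the name. The PowerShell below is an added example, not part of the thread or of FME; it checks for the login, creates it if missing, maps a least-privilege database user, and shows how to verify the mapping from the service's own identity. It assumes the SqlServer module (Invoke-Sqlcmd) and a session allowed to create logins; the instance, domain, account and database names are placeholders.

```powershell
# Added example (not part of the thread). Requires the SqlServer module (Invoke-Sqlcmd)
# and a session with permission to create logins. All names below are placeholders.
Import-Module SqlServer

$SqlInstance = 'sqlhost.contoso.local'
$GmsaLogin   = 'CONTOSO\fmeflow-svc$'   # gMSA logins keep the trailing '$', like computer accounts
$Database    = 'sde'                     # the geodatabase FME reads

# 1. Is there a server login for the gMSA at all? (type_desc is WINDOWS_LOGIN when present)
$login = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query @"
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = N'$GmsaLogin';
"@

if (-not $login) {
    # 2. Create it exactly as for a computer account: FROM WINDOWS, no password to manage.
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master -Query @"
CREATE LOGIN [$GmsaLogin] FROM WINDOWS WITH DEFAULT_DATABASE = [$Database];
"@
}
elseif ($login.is_disabled) {
    Write-Warning "Login $GmsaLogin exists but is disabled; connections will fail with a login error."
}

# 3. Map a least-privilege database user. Start with db_datareader; add db_datawriter
#    only if the FME workspace actually writes to this database.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$GmsaLogin')
    CREATE USER [$GmsaLogin] FOR LOGIN [$GmsaLogin];
ALTER ROLE db_datareader ADD MEMBER [$GmsaLogin];
"@

# 4. Verification must run under the gMSA itself (for example from an FME workspace or a
#    scheduled task that runs as the gMSA): an admin's interactive session tests the admin's
#    token, not the service's. Under the gMSA, login_name should equal $GmsaLogin.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query @"
SELECT SUSER_SNAME() AS login_name, ORIGINAL_LOGIN() AS original_login;
"@
```

If the login exists and the verification query still returns a different name or fails, the problem is upstream of SQL Server (the process is not actually running as the gMSA, or Kerberos cannot obtain a ticket for the SQL Server SPN); the SQL Server error log entry "Login failed for user" with its state code tells the two cases apart and is the detail worth attaching to a support case.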
