gMSA configuration for Discovery

  • Release version: Washingtondc
  • Updated February 1, 2024

Group managed service accounts (gMSAs) are managed domain accounts that you use to help secure services. gMSAs can be used for credential-less Discovery.

    Benefits

    After you configure Discovery to use gMSA, password management for that account is handled by the Windows operating system. So, you can run Windows Discovery without sharing credentials with the ServiceNow instance. Benefits include the following:
    • You don’t have to handle gMSA passwords on your own.
    • You can choose the cycle of gMSA password rotation for better security.
    • You don't need to store the password on the ServiceNow instance.
    • The gMSA user doesn't need to be a member of a domain admin group.
    • The gMSA user used as the MID Server service account doesn't need to be in the local Administrators group of the MID Server.
    Figure 1. High level view of Discovery using gMSA

    Configure gMSA for Discovery

    Use this procedure to configure gMSAs for credential-less Discovery.

    Before you begin

    Role required: admin

    Procedure

    1. On the PowerShell command line, create a KDS Root key on a Domain Controller using one of the following commands:
      Add-KdsRootKey -EffectiveImmediately
      or
      Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    2. Set up your gMSA and security groups using the group Managed Service Accounts documentation at https://docs.microsoft.com
    3. Start the MID Server with the gMSA account, following the gMSA directions in Install a MID Server on Windows.
    4. Create a Windows credential on the instance and select the check box Use MID Server Service Account.
    5. Launch a Discovery on the server hosting the MID Server and another computer.
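    Steps 1 and 2 carried out in PowerShell, as an added example that is not part of this ServiceNow documentation; the domain name corp.example, the group name MIDServerHosts, the gMSA name gMSA-MID and the host names MID01 and MID02 are assumptions. It also shows the per-host check that confirms the MID Server can actually retrieve the managed password before you start the service.

```powershell
# Added example. Domain corp.example, group MIDServerHosts, account gMSA-MID
# and hosts MID01/MID02 are assumptions, not values from the ServiceNow page.
Import-Module ActiveDirectory

# --- Run on a domain controller (or a host with the RSAT AD module) ---

# 1. Make sure a KDS root key exists before creating any gMSA.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately still waits ~10 hours for replication in
    # production; the AddHours(-10) form on the page is for a single-DC lab.
    Add-KdsRootKey -EffectiveImmediately
}

# 2a. Security group whose members (the MID Server computer accounts) are the
#     only principals allowed to retrieve the gMSA password.
$group = 'MIDServerHosts'
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Description 'Computers allowed to retrieve the MID Server gMSA password'
}
foreach ($computer in 'MID01', 'MID02') {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $computer)
}

# 2b. Create the gMSA. ManagedPasswordIntervalInDays is the rotation cycle
#     (default 30) and cannot be changed after creation. Restricting Kerberos
#     to AES keeps RC4 from being negotiated for this account.
New-ADServiceAccount -Name 'gMSA-MID' `
    -DNSHostName 'gMSA-MID.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# --- Run on each MID Server host, after a reboot so the computer's Kerberos
#     ticket carries the new group membership ---
Install-ADServiceAccount -Identity 'gMSA-MID'

# $true means this host can retrieve the managed password and the MID Server
# service can be started as corp\gMSA-MID$ (step 3). $false usually means the
# group membership has not taken effect yet or the KDS key is not replicated.
Test-ADServiceAccount -Identity 'gMSA-MID'
```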