Are there any issues with running any Laserfiche Windows services or IIS Application Pools with Group Managed Service Accounts (GMSA)?
Question
Answer
Craig has it essentially right. There aren't any issues I'm aware of running any Laserfiche services or IIS app pools as a gMSA.
The annoyance with not being able to specify the gMSA during installation/upgrade partially has to do with gMSA's being "Service Account" type objects in AD, which Laserfiche installers don't and (currently) can't look for.
Replies
We are using them and haven't had any issues running any of the Laserfiche Services or IIS Application pools with a GMSA. When you are installing software and it asks for the service user name & password, you need to use network or local service to install because you don't have a password for the GMSA, then go to Windows Services and change the "Log On As" user to the GMSA.
Hey Sam-
We're beginning our GMSA testing and so far things all basically work as expected. The one hiccup is Forms data sources. Since it doesn't have the option to just use the service account (any updates on that front?) I have to manually enter the info.
However, a password is required, which of course I don't know and will be changed on a regular basis.
You have any experience getting GMSA working here?
Hey Pieter,
Looks like gMSAs wouldn't be supported for Forms Data Sources at this time because they don't have an option to connect using the service identity.
Forms appears to store the data necessary to construct the ODBC connection strings in its cf_external_databases table like so:
No way that Miruna or I can see to modify anything to use the service identity instead. Can you send me an email referencing this post, and, time permitting, I'll file it as a feature request?
gMSAs, love them, easy and secure, but not all applications are ready for them. I have been working with Laserfiche and gMSAs: changing Laserfiche Services, changing IIS Application pools, running as batch, sometimes giving gMSAs full permissions to the application's folder, limiting SQL connections to only the gMSAs, etc. The Laserfiche applications seem to work fine, and I can verify gMSA connections to the SQL server. Yea, life was good! But I ran into some trouble, especially with an after-hours Forms upgrade, and had to revert back to the previous version. So, we have limited the SQL connection to the gMSA, run the installer for a Forms upgrade, it doesn't allow you to select a service account (as stated above), you must select another account (network, local service, or create that domain account again that was originally replaced by the gMSA), and then just install the upgrade? Well, if you locked down the SQL server to just the gMSA account, you would probably need to add back some login permissions on the DB as well so the upgrade can access the database for changes. Does that sound about right?
Yep, sounds about right. Because the installer itself won't let you select a gMSA as the service identity, you must temporarily use a different service identity (built-in or domain) and then switch it back to the gMSA after the installer completes the upgrade.
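One way to script the post-install step this thread describes (install or upgrade under a built-in identity, then move the Windows services and IIS application pools to the gMSA), as an added example that is not from the original thread or from Laserfiche. The gMSA, service and app pool names are placeholders; it assumes the ActiveDirectory and WebAdministration modules are present on the host.

```powershell
# Added example, not Laserfiche tooling. Run elevated on the Laserfiche server after
# the installer has finished under Network Service / Local Service.
Import-Module ActiveDirectory
Import-Module WebAdministration

$Gmsa     = 'CONTOSO\lf-svc$'     # placeholder; gMSA logon names always end in '$'
$GmsaName = 'lf-svc$'
$Services = @('LfFormsSvc')       # placeholder service name(s); confirm with Get-Service
$AppPools = @('FormsAppPool')     # placeholder app pool name(s)

# 1. The host must be allowed to retrieve the managed password; otherwise the
#    "Log On As" change succeeds but the service fails to start with a logon error.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "gMSA $GmsaName is not usable on this host (Install-ADServiceAccount / PrincipalsAllowedToRetrieveManagedPassword)."
}

# 2. Windows services: set the logon account with an EMPTY password (the OS fetches it).
#    Unlike the Services MMC, this does not grant the "Log on as a service" right
#    automatically; grant it via policy if the service will not start.
foreach ($name in $Services) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { throw "Service $name not found" }
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
            -Arguments @{ StartName = $Gmsa; StartPassword = '' }
    if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change on $name returned $($r.ReturnValue)" }
    Restart-Service -Name $name
}

# 3. IIS application pools: SpecificUser identity with the gMSA and an empty password.
foreach ($pool in $AppPools) {
    $path = "IIS:\AppPools\$pool"
    if (-not (Test-Path $path)) { throw "App pool $pool not found" }
    Set-ItemProperty -Path $path -Name processModel `
        -Value @{ identityType = 'SpecificUser'; userName = $Gmsa; password = '' }
    Restart-WebAppPool -Name $pool
}

# 4. Verify what is actually running as the gMSA before calling the change done.
Get-CimInstance Win32_Service | Where-Object StartName -eq $Gmsa |
    Select-Object Name, StartName, State
Get-ChildItem IIS:\AppPools | Where-Object { $_.processModel.userName -eq $Gmsa } |
    Select-Object Name, State
```

The same script, with the identities swapped to the temporary built-in account, is the "before upgrade" half of the procedure; any SQL login you granted to the temporary account for the upgrade should be removed again once the gMSA is back in place.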
Has Forms been updated to be able to use gMSA yet? I see several older forum posts but not coming across anything recent really. Thank you!
Forms supports running as a Managed Service Account type identity.
Setting that in the installer? No. The updated installers that are coming out soon will likely not support providing custom identities at install time of any sort, so you'd run the installer and update the service identity afterward, just like you can now.