Configure a Group Managed Service Account for use with Devolutions Server

This article contains the steps to set up a Group Managed Service Account (gMSA) with Devolutions Server. This is only possible for Windows operating systems.

  1. Create a KDS Root Key. Do this on the Domain Controller if this is your first time using gMSA.

    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    
  2. Create an Active Directory group for Devolutions Server authorized hosts.

    New-ADGroup -Name "DVLS Authorized Hosts" -SamAccountName "DVLSHosts" -GroupScope DomainLocal
    
  3. Create a gMSA on the Domain Controller.

    New-ADServiceAccount -Name "DVLS_Runner" -DnsHostName "dvls01.domain.local" `
    -ServicePrincipalNames "http/DVLS_Runner.domain.local" `
    -PrincipalsAllowedToRetrieveManagedPassword "DVLSHosts"
    
    New-ADServiceAccount -Name "DVLS_Sched" -DnsHostName "dvls01.domain.local" `
    -ServicePrincipalNames "sched/DVLS_Sched.domain.local" `
    -PrincipalsAllowedToRetrieveManagedPassword "DVLSHosts"
    
  4. Add the gMSAs to the DVLSHosts Active Directory group.

    Add-ADGroupMember -Identity "DVLSHosts" -Members "DVLS_Runner$"
    Add-ADGroupMember -Identity "DVLSHosts" -Members "DVLS_Sched$"
    
  5. Add the DVLS01 computer account to the DVLSHosts group. The computer must be restarted after this step so that it picks up the new group membership; you can add the account via Active Directory Users and Computers or with PowerShell.

  6. On DVLS01, install the gMSAs. The Active Directory PowerShell module is required.

    Install-ADServiceAccount DVLS_Runner
    Install-ADServiceAccount DVLS_Sched
    
  7. Configure the IIS Application Pool to run as domain.local\DVLS_Runner$. Grant the account batch logon rights: either assign Log on as a batch job in Group Policy or add DVLS_Runner$ to the local IIS_IUSRS group.

    The password fields will remain blank, which is expected behavior for a gMSA.

  8. Configure the Devolutions Scheduler service:

    • Open the Windows Services console (services.msc).

    • Right-click DevolutionsSchedulerService, click Properties, and open the Log On tab.

    • Select This account and enter domain.local\DVLS_Sched$.

    • Click on Browse to find the account.

    • Leave the password fields blank.

    The Log on as a service permission is granted automatically for gMSAs.

  9. Grant permissions to the database in Devolutions Server Console.

    • Navigate to Administration > Edit > Database > Advanced credentials.

    • Enable Apply least permissions.

    • Set the DVLS_Runner$ and DVLS_Sched$ accounts in their respective fields.

  10. Restart DVLS01, confirm that the app pool and scheduler start correctly, and ensure the Devolutions Server web interface and background jobs are working properly.
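As an added post-configuration check that is not part of this article or of Devolutions' own tooling, the PowerShell script below, run on DVLS01 after step 10, verifies each element of the setup above, including that only the DVLSHosts group may retrieve the managed passwords. The IIS application pool name "DVLS" is an assumed placeholder; the KDS check needs the RSAT AD DS tools installed.

```powershell
# Added verification script; not from the Devolutions article. Run on DVLS01 as an administrator.
# Assumed placeholder: the IIS application pool name "DVLS". Adjust to your environment.
Import-Module ActiveDirectory
Import-Module WebAdministration

$Group    = "DVLSHosts"                      # SamAccountName of "DVLS Authorized Hosts"
$Accounts = @("DVLS_Runner", "DVLS_Sched")
$AppPool  = "DVLS"                           # assumption: name of the Devolutions Server app pool
$Service  = "DevolutionsSchedulerService"
$HostSam  = $env:COMPUTERNAME + '$'          # this host's computer account, e.g. DVLS01$
$failures = @()

# Step 1: a KDS root key must exist before any gMSA password can be generated (requires RSAT).
if (-not (Get-KdsRootKey)) { $failures += "No KDS root key exists in this domain (step 1)." }

# Step 5: the host must be a member of the authorized hosts group or it cannot retrieve passwords.
$groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
$members = @(Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName)
if ($members -notcontains $HostSam) { $failures += "$HostSam is not a member of $Group (step 5)." }

foreach ($name in $Accounts) {
    # Step 3, least privilege: only DVLSHosts may retrieve each managed password.
    $acct    = Get-ADServiceAccount -Identity $name -Properties PrincipalsAllowedToRetrieveManagedPassword
    $allowed = @($acct.PrincipalsAllowedToRetrieveManagedPassword)
    if ($allowed.Count -ne 1 -or $allowed[0] -ne $groupDn) {
        $failures += "$name password retrieval is not restricted to $Group (got: $($allowed -join '; '))."
    }
    # Step 6: the gMSA must be installed here and its password retrievable by this host.
    if (-not (Test-ADServiceAccount -Identity $name)) {
        $failures += "Test-ADServiceAccount failed for $name on $env:COMPUTERNAME (step 6)."
    }
}

# Steps 7 and 8: the app pool and scheduler must run as the gMSAs (trailing '$' marks a gMSA).
$poolUser = (Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel).userName
if ($poolUser -notlike '*\DVLS_Runner$') {
    $failures += "App pool $AppPool runs as '$poolUser', expected DVLS_Runner`$ (step 7)."
}
$svcUser = (Get-CimInstance Win32_Service -Filter "Name='$Service'").StartName
if ($svcUser -notlike '*\DVLS_Sched$') {
    $failures += "$Service runs as '$svcUser', expected DVLS_Sched`$ (step 8)."
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
"gMSA configuration for Devolutions Server on $env:COMPUTERNAME verified."
```

Any warning printed names the step above to revisit; a clean run means the host, the two gMSAs, the app pool and the scheduler service are wired together as the procedure requires.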
