This article contains the steps to set up a Group Managed Service Account (gMSA) with Devolutions Server. This is only possible on Windows operating systems.
The environment values in this guide (e.g., dvls01.domain.local) are placeholders; replace them with the specific values of your environment.
1. Create a KDS Root Key. Do this on the Domain Controller if this is your first time using gMSA.

    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

2. Create an Active Directory group for Devolutions Server authorized hosts.

    New-ADGroup -Name "DVLS Authorized Hosts" -SamAccountName "DVLSHosts" -GroupScope DomainLocal

3. Create the gMSAs on the Domain Controller.

    New-ADServiceAccount -Name "DVLS_Runner" -DnsHostName "dvls01.domain.local" -ServicePrincipalNames "http/DVLS_Runner.domain.local" `
        -PrincipalsAllowedToRetrieveManagedPassword "DVLSHosts"
    New-ADServiceAccount -Name "DVLS_Sched" -DnsHostName "dvls01.domain.local" -ServicePrincipalNames "sched/DVLS_Sched.domain.local" `
        -PrincipalsAllowedToRetrieveManagedPassword "DVLSHosts"

4. Add the gMSAs to the domain group.

    Add-ADGroupMember -Identity "DVLSHosts" -Members "DVLS_Runner$"
    Add-ADGroupMember -Identity "DVLSHosts" -Members "DVLS_Sched$"

5. Add the DVLS01 computer account to the DVLSHosts group. The computer will need to be restarted after this step; you can do so via Active Directory Users and Computers or by using PowerShell.

6. On DVLS01, install the gMSAs. The Active Directory PowerShell module is required.

    Install-ADServiceAccount DVLS_Runner
    Install-ADServiceAccount DVLS_Sched

7. Configure the IIS Application Pool to run as domain.local\DVLS_Runner$. Grant batch logon rights: either assign Log on as a batch job in Group Policy or add the DVLS_Runner$ account to the IIS_IUSRS group. The password fields will remain blank, which is expected behavior for a gMSA.

8. Configure Devolutions' Scheduler service:
    - Open the Windows Services Console (services.msc).
    - Right-click DevolutionsSchedulerService, click Properties, then open the Log On tab.
    - Check This account and enter domain.local\DVLS_Sched$. Click Browse to find the account.
    - Leave the password fields blank.
    - The Log on as a service permission is granted automatically for gMSAs.

9. Grant permissions to the database in Devolutions Server Console.
    - Navigate to Administration – Edit – Database – Advanced credentials.
    - Enable Apply least permissions.
    - Set the DVLS_Runner$ and DVLS_Sched$ accounts in their respective fields.

10. Restart DVLS01, confirm that the app pool and scheduler start correctly, and ensure the Devolutions Server web interface and background jobs are working properly.
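The following script is an added example, not part of the Devolutions documentation or the product itself. It carries the steps above through end to end in two parts (one run on the Domain Controller, one on DVLS01 after its restart) and adds the check a practitioner wants before touching IIS: Test-ADServiceAccount, which only returns True when this host can actually retrieve the managed password. It uses the guide's placeholder names (domain.local, dvls01, DVLSHosts, DVLS_Runner, DVLS_Sched); the computer account name DVLS01, the IIS application pool name "DVLS" and the function names Initialize-DvlsGmsa / Install-DvlsGmsa are assumptions for illustration.

```powershell
# Added example, not the vendor's code. Assumes the guide's placeholder names;
# the app pool name "DVLS" and computer account "DVLS01" are placeholders too.
#Requires -Modules ActiveDirectory

$Domain    = 'domain.local'
$HostName  = 'dvls01'            # computer account of the Devolutions Server host
$GroupName = 'DVLSHosts'
$AppPool   = 'DVLS'              # placeholder: name of the Devolutions Server app pool
$Accounts  = @{
    'DVLS_Runner' = "http/DVLS_Runner.$Domain"
    'DVLS_Sched'  = "sched/DVLS_Sched.$Domain"
}

# ---- Part 1: run on the Domain Controller as a domain administrator ----
function Initialize-DvlsGmsa {
    # One KDS root key per forest. The 10-hour backdate skips the replication
    # wait and is only safe in a single-DC or lab forest; in production create
    # the key without backdating and let it replicate before creating gMSAs.
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
    }

    # Only members of this group can retrieve the managed passwords, so keep
    # its membership limited to the Devolutions Server host(s).
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
        New-ADGroup -Name 'DVLS Authorized Hosts' -SamAccountName $GroupName -GroupScope DomainLocal
    }

    foreach ($name in $Accounts.Keys) {
        if (-not (Get-ADServiceAccount -Filter "Name -eq '$name'")) {
            New-ADServiceAccount -Name $name -DnsHostName "$HostName.$Domain" `
                -ServicePrincipalNames $Accounts[$name] `
                -PrincipalsAllowedToRetrieveManagedPassword $GroupName
        }
        Add-ADGroupMember -Identity $GroupName -Members "${name}$"
    }

    # The host's computer account must be in the group as well. Membership is
    # evaluated at logon, so DVLS01 has to be restarted before it can retrieve
    # the passwords.
    $computer = Get-ADComputer -Identity $HostName
    Add-ADGroupMember -Identity $GroupName -Members $computer
}

# ---- Part 2: run on DVLS01 as a local administrator, after the restart ----
function Install-DvlsGmsa {
    Import-Module ActiveDirectory
    Import-Module WebAdministration

    foreach ($name in $Accounts.Keys) {
        Install-ADServiceAccount -Identity $name
        # False here means the computer is not yet an effective member of the
        # host group (no restart since step 5) or cannot reach a DC that has
        # the KDS root key. Stop before configuring IIS against a dead account.
        if (-not (Test-ADServiceAccount -Identity $name)) {
            throw "$name cannot be used on this host; check group membership, restart, and retry."
        }
    }

    # App pool identity: SpecificUser (identitytype 3) with an empty password
    # is how IIS is told to run as a gMSA.
    Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel `
        -Value @{ userName = "${Domain}\DVLS_Runner$"; password = ''; identitytype = 3 }

    # Batch logon right for the app pool account, via IIS_IUSRS membership
    # (the alternative is the "Log on as a batch job" right in Group Policy).
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member "${Domain}\DVLS_Runner$"

    # Scheduler service logon account; the password must be empty for a gMSA.
    # "Log on as a service" is granted automatically when the account is set.
    sc.exe config DevolutionsSchedulerService obj= "${Domain}\DVLS_Sched$" password= ""
    Restart-Service -Name DevolutionsSchedulerService
}
```

Run Initialize-DvlsGmsa on the Domain Controller, restart DVLS01, then run Install-DvlsGmsa on DVLS01. The Test-ADServiceAccount gate is the important design choice: it fails fast on the most common mistake in this procedure (skipping the restart after adding the computer account to the group), which otherwise shows up later as an app pool that stops immediately or a scheduler service that will not start.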