Use Group Managed Service Accounts for Atria Components
Overview
Historically, Atria has used Active Directory User accounts as the Logon Account for Services, Web Services and Scheduled Tasks. These accounts typically need Administrative privileges to perform their task and can therefore be a point of vulnerability.
We recommend reconfiguring all Component accounts to use gMSAs instead of Active Directory User accounts: a gMSA's password is managed and rotated automatically by Active Directory and is never known to an administrator.
With Atria v15.24 onwards, these components can be configured to use gMSAs (Group Managed Service Accounts). In fact, any new component installation will automatically use a gMSA as the Logon Account for these components.
Note: Older versions of Atria can also be configured this way, although it is a lot harder to do so. This document only details how to configure gMSAs for an Atria component on v15.24 or higher.
Applies to
Atria 15.24 and later
Details
In an Administrative PowerShell session, run the following:
$Cred = Get-Credential
Set-AtriaInstallerCredential -Component <componentname> -Server <servername> -Credential $Cred
When entering the details of the credential, specify the user name in the format Domain\Account$ (the gMSA name including its trailing $). The account name itself cannot exceed 15 characters. For example: MyTestDomain\Atria_PS_Svc$.
Leave the password blank.
This stores the desired credential securely in the Atria Config Service.
The following table lists the ComponentName for each component that is currently set up to use these accounts.
| Component | ComponentName | Type |
|---|---|---|
| Atria Config Service | configservice | Service |
| Atria Agent | agent | Service |
| Atria Platform API | | Service |
| Atria Provisioning Service | provisioning | Service |
| Directory Web Service | directoryws | Web Service |
| MSOL Web Service | msolws | Web Service |
| WorkSpace Web Service | workspacews | Web Service |
| Scheduled tasks | scheduledtasks | Scheduled Tasks |
Then re-run an upgrade for the desired component.
As an example, to reconfigure the Agent to use a gMSA, run the following, entering DomainName\Atria_Agent_Svc$ as the account when prompted:
$Cred = Get-Credential
Set-AtriaInstallerCredential -Component Agent -Server (HostName) -Credential $Cred
Update-AtriaAgent
The Agent will be updated (to the highest version available that is less than or equal to the version of the Atria.Tools PowerShell module installed on the Provisioning Server), and the Service will be reconfigured to use this account.
Any Certificates that the account needs access to will also be updated automatically.
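The steps above rely on Get-Credential prompting for the gMSA name and a blank password, and they do not check beforehand that the server is actually permitted to retrieve the gMSA's password (if it is not, the reconfigured service will fail to start). The following script is an added example, not Atria's own code: it builds the Domain\Account$ credential with an empty password non-interactively, enforces the 15-character name rule from this article, verifies with the ActiveDirectory module that the object is a group managed service account and that this host can retrieve its password, and only then calls the Atria cmdlets for the Agent. The domain and account names are placeholders, and the script assumes the RSAT ActiveDirectory module and the Atria.Tools module are installed.

```powershell
# Added example (not part of Atria's tooling): validate a gMSA and reconfigure the
# Atria Agent to run as it, using the Set-AtriaInstallerCredential / Update-AtriaAgent
# cmdlets described in this article. Assumes the ActiveDirectory and Atria.Tools modules.
param(
    [string]$Domain      = 'MyTestDomain',      # placeholder domain NetBIOS name
    [string]$AccountName = 'Atria_Agent_Svc',   # gMSA sAMAccountName WITHOUT the trailing $
    [string]$Server      = $env:COMPUTERNAME     # server whose Agent is being reconfigured
)

$ErrorActionPreference = 'Stop'

# Rule from this article: the account name portion may not exceed 15 characters.
if ($AccountName.EndsWith('$')) {
    throw "Pass the gMSA name without the trailing '$'; it is appended below."
}
if ($AccountName.Length -gt 15) {
    throw "gMSA name '$AccountName' is $($AccountName.Length) characters; the limit is 15."
}

# Build the credential in Domain\Account$ form with a blank password, as Get-Credential
# would after the interactive prompt, but without the prompt.
$UserName = "$Domain\$AccountName`$"
$Cred = New-Object System.Management.Automation.PSCredential(
    $UserName, (New-Object System.Security.SecureString))

Import-Module ActiveDirectory

# Confirm the object exists and really is a *group* managed service account
# (Get-ADServiceAccount also returns standalone MSAs, which cannot be shared across hosts).
$gmsa = Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword
if ($gmsa.ObjectClass -ne 'msDS-GroupManagedServiceAccount') {
    throw "'$AccountName' is not a group managed service account (ObjectClass: $($gmsa.ObjectClass))."
}

# Test-ADServiceAccount returns $false when this computer is not allowed to retrieve the
# managed password; reconfiguring the service in that state leaves it unable to start.
if (-not (Test-ADServiceAccount -Identity $AccountName)) {
    $allowed = $gmsa.PrincipalsAllowedToRetrieveManagedPassword -join ', '
    throw "Host $Server cannot retrieve the password for '$AccountName'. " +
          "PrincipalsAllowedToRetrieveManagedPassword is: $allowed"
}

# Checks passed: store the credential in the Atria Config Service and re-run the Agent upgrade,
# which reconfigures the Service logon account and the certificate permissions it needs.
Set-AtriaInstallerCredential -Component agent -Server $Server -Credential $Cred
Update-AtriaAgent

Write-Host "Atria Agent on $Server is now configured to run as $UserName"
```

Run it on the server hosting the Agent, from an Administrative PowerShell session. If Test-ADServiceAccount fails, add the server (or a group it belongs to) to the gMSA's PrincipalsAllowedToRetrieveManagedPassword attribute and re-run the script; nothing in Atria has been changed at that point.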