@dbathgate
Last active December 18, 2023 20:22
Set up a gMSA to be used with the Integrated Windows Auth (IWA) feature of Tanzu Application Service (TAS)

DNS forwarding configuration for the Active Directory domain (replace the placeholders with your AD domain name and the IP addresses of your domain controllers):

```json
[{
  "domain": "activedirectory.tld.address",
  "source": {
    "type": "dns",
    "recursors": ["FIRST.IP.OF.ACTIVEDIRECTORY", "SECOND.IP.OF.ACTIVEDIRECTORY"]
  }
}]
```

Create a KDS root key that is active immediately

```powershell
# Back-dating the effective time skips the default 10-hour replication wait;
# without an effective root key, gMSA password retrieval fails.
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
```

Create an AD group to associate the gMSA and user with

```powershell
New-ADGroup -Name "Tas01 Authorized Accounts" -SamAccountName "Tas01Accounts" -GroupScope DomainLocal
```

Create the gMSA

  • IMPORTANT: the SPN must be built from the account name, i.e. `-ServicePrincipalNames "host/$NAME"` where `$NAME` is the value passed to `-Name`.

```powershell
# Only members of Tas01Accounts may retrieve the managed password.
New-ADServiceAccount -Name "Tas01" -DnsHostName "Tas01.drb.ad-domain.local" -ServicePrincipalNames "host/Tas01" -PrincipalsAllowedToRetrieveManagedPassword "Tas01Accounts"
```

Create the user whose credentials TAS will use with the gMSA

```powershell
# "Secret123" is a placeholder; use a strong, unique password.
New-ADUser -Name "TasUser01" -AccountPassword (ConvertTo-SecureString -AsPlainText "Secret123" -Force) -Enabled 1
```

Add the user to the gMSA group

```powershell
Add-ADGroupMember -Identity "Tas01Accounts" -Members "TasUser01"
```

Save the credential spec file

  • First time only, run: `Install-Module CredentialSpec`

```powershell
New-CredentialSpec -AccountName Tas01 -Path "C:\Temp\Tas01_CredSpec.json"
```
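A verification script for the steps above, added here and not part of the original gist. It assumes the names used in this gist (gMSA `Tas01`, group `Tas01Accounts`, user `TasUser01`, credential spec at `C:\Temp\Tas01_CredSpec.json`) and assumes the credential spec layout produced by the CredentialSpec module (`ActiveDirectoryConfig.GroupManagedServiceAccounts[].Name`); run it on a domain-joined host with the ActiveDirectory module.

```powershell
# Added example: checks that the gMSA setup is consistent and least-privilege.
param(
    [string]$GmsaName  = 'Tas01',
    [string]$GroupName = 'Tas01Accounts',
    [string]$UserName  = 'TasUser01',
    [string]$CredSpec  = 'C:\Temp\Tas01_CredSpec.json'
)
$failures = @()

# 1. A KDS root key must already be effective (Get-KdsRootKey needs the Kds module, present on DCs).
$key = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $key) { $failures += 'No KDS root key is effective yet' }

# 2. The SPN must be host/<account name>, which is what IWA looks up.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
$expectedSpn = "host/$GmsaName"
if ($gmsa.ServicePrincipalNames -notcontains $expectedSpn) {
    $failures += "gMSA SPNs [$($gmsa.ServicePrincipalNames -join ', ')] do not include $expectedSpn"
}

# 3. Only the intended group may retrieve the managed password.
$group   = Get-ADGroup -Identity $GroupName
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)   # array of distinguished names
if ($allowed -notcontains $group.DistinguishedName) {
    $failures += "$GroupName is not allowed to retrieve the managed password"
}
if ($allowed.Count -ne 1) {
    $failures += "Extra principals may retrieve the password: $($allowed -join ', ')"
}

# 4. The TAS user must be a member of that group.
$members = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $UserName) { $failures += "$UserName is not a member of $GroupName" }

# 5. The credential spec must reference the same gMSA (assumed layout from the CredentialSpec module).
$spec      = Get-Content -Raw -Path $CredSpec | ConvertFrom-Json
$specNames = @($spec.ActiveDirectoryConfig.GroupManagedServiceAccounts | ForEach-Object { $_.Name })
if ($specNames -notcontains $GmsaName) { $failures += "Credential spec does not reference $GmsaName" }

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "gMSA $GmsaName setup looks consistent"
```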

Reference: https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/manage-serviceaccounts
