Mim sync using Group Managed serviceaccount (GMSA) - Export enc keys

SteinIP 271

In an effort to modernize our infrastructure we are working on a new installation of MIM and wanted to use GMSA to run our sync service. It works perfectly, but now our question is how to export encryption keys?

When using the gui we are promted for the serviceaccounts username and password, but the password is not known for a GMSA...

Has anyone done this?
Can it be done?

Accepted answer

Tom Houston 176 Reputation points

2021-01-26T13:01:31.643+00:00
Hey there @SteinIP ,

Give the following a go with PowerShell:

Set-Location -Path 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\bin'

and then

.\miiskmu.exe /e C:\miis-encryption-keys\sync-service.bin /u DOMAIN\mimsync *

Hope this helps
Please sign in to rate this answer.

1 person found this answer helpful.
MarkvE 6 Reputation points

2022-07-07T09:59:54.14+00:00

This did not worked for me when using a Group Managed Service Account. The syntax I have used is:

.\miiskmu.exe /e "c:\miis-encryption-keys\sync-service.bin" /u:DOMAIN\gmsamimsync$

Notice the $ (dollar sign) on the service account name and the : (colon) between /u and the DOMAIN\gmsamimsync$ and you need to run this elevated as administrator.

The output will look like this (a pop-up will be shown as well).
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Mim sync using Group Managed serviceaccount (GMSA) - Export enc keys

0 additional answers

Your answer