This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
On a Windows Server standalone cluster, you can run a service as a group managed service account (gMSA) using a RunAs policy. By default, Service Fabric applications run under the account that the Fabric.exe process runs under. Running applications under different accounts, even in a shared hosted environment, makes them more secure from one another. By using a gMSA, there is no password or encrypted password stored in the application manifest. You can also run a service as an Active Directory user or group.
The following example shows how to create a gMSA account called svc-Test$, how to deploy that managed service account to the cluster nodes, and how to configure the user principal.
Note
Using a gMSA with a standalone Service Fabric cluster requires Active Directory on-premises within your domain (rather than Microsoft Entra ID).
Pre-requisites:
Have an Active Directory domain administrator create a group-managed service account using the New-ADServiceAccount cmdlet and ensure that the PrincipalsAllowedToRetrieveManagedPassword includes all of the Service Fabric cluster nodes. AccountName, DnsHostName, and ServicePrincipalName must be unique.
New-ADServiceAccount -name svc-Test$ -DnsHostName svc-test.contoso.com -ServicePrincipalNames http/svc-test.contoso.com -PrincipalsAllowedToRetrieveManagedPassword SfNode0$,SfNode1$,SfNode2$,SfNode3$,SfNode4$
On each of the Service Fabric cluster nodes (for example, SfNode0$,SfNode1$,SfNode2$,SfNode3$,SfNode4$), install and test the gMSA.
Add-WindowsFeature RSAT-AD-PowerShell
Install-AdServiceAccount svc-Test$
Test-AdServiceAccount svc-Test$
Configure the User principal, and configure the RunAsPolicy to reference the User.
<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest xmlns:xsd="https://www.w3.org/2001/XMLSchema" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="MyApplicationType" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
<ServiceManifestImport>
<ServiceManifestRef ServiceManifestName="MyServiceTypePkg" ServiceManifestVersion="1.0.0" />
<ConfigOverrides />
<Policies>
<RunAsPolicy CodePackageRef="Code" UserRef="DomaingMSA"/>
</Policies>
</ServiceManifestImport>
<Principals>
<Users>
<User Name="DomaingMSA" AccountType="ManagedServiceAccount" AccountName="domain\svc-Test$"/>
</Users>
</Principals>
</ApplicationManifest>
Note
If you apply a RunAs policy to a service and the service manifest declares endpoint resources with the HTTP protocol, you must specify a SecurityAccessPolicy. For more information, see Assign a security access policy for HTTP and HTTPS endpoints.
The following articles will guide you through next steps:
Training
Module
Deploy a Microsoft Power Platform Solution By Using a Service Principal - Training
Learn how to deploy a Microsoft Power Platform solution by using a service principal.
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.