Run a service as a group Managed Service Account
On a Windows Server standalone cluster, you can run a service as a group managed service account (gMSA) using a RunAs policy. By default, Service Fabric applications run under the account that the Fabric.exe
process runs under. Running applications under different accounts, even in a shared hosted environment, makes them more secure from one another. By using a gMSA, there is no password or encrypted password stored in the application manifest. You can also run a service as an Active Directory user or group.
The following example shows how to create a gMSA account called svc-Test$, how to deploy that managed service account to the cluster nodes, and how to configure the user principal.
Note
Using a gMSA with a standalone Service Fabric cluster requires Active Directory on-premises within your domain (rather than Microsoft Entra ID).
Pre-requisites:
- The domain needs a KDS root key.
- There must be at least one Windows Server 2012 (or R2) DC in the domain.
Have an Active Directory domain administrator create a group-managed service account using the New-ADServiceAccount cmdlet and ensure that the PrincipalsAllowedToRetrieveManagedPassword includes all of the Service Fabric cluster nodes. AccountName, DnsHostName, and ServicePrincipalName must be unique.

    New-ADServiceAccount -name svc-Test$ -DnsHostName svc-test.contoso.com -ServicePrincipalNames http/svc-test.contoso.com -PrincipalsAllowedToRetrieveManagedPassword SfNode0$,SfNode1$,SfNode2$,SfNode3$,SfNode4$
On each of the Service Fabric cluster nodes (for example, SfNode0$, SfNode1$, SfNode2$, SfNode3$, SfNode4$), install and test the gMSA.

    Add-WindowsFeature RSAT-AD-PowerShell
    Install-AdServiceAccount svc-Test$
    Test-AdServiceAccount svc-Test$
Configure the User principal, and configure the RunAsPolicy to reference the User.

    <?xml version="1.0" encoding="utf-8"?>
    <ApplicationManifest xmlns:xsd="https://www.w3.org/2001/XMLSchema" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="MyApplicationType" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
      <ServiceManifestImport>
        <ServiceManifestRef ServiceManifestName="MyServiceTypePkg" ServiceManifestVersion="1.0.0" />
        <ConfigOverrides />
        <Policies>
          <RunAsPolicy CodePackageRef="Code" UserRef="DomaingMSA"/>
        </Policies>
      </ServiceManifestImport>
      <Principals>
        <Users>
          <User Name="DomaingMSA" AccountType="ManagedServiceAccount" AccountName="domain\svc-Test$"/>
        </Users>
      </Principals>
    </ApplicationManifest>
Note
If you apply a RunAs policy to a service and the service manifest declares endpoint resources with the HTTP protocol, you must specify a SecurityAccessPolicy. For more information, see Assign a security access policy for HTTP and HTTPS endpoints.
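As an added example (not from this page or from Service Fabric's own tooling), a small Python linter that catches the manifest mistakes this section warns about: a RunAsPolicy UserRef that matches no declared User, a gMSA AccountName that is not of the domain\name$ form, a password placed on a gMSA principal, and a RunAs service that exposes HTTP endpoints without a SecurityAccessPolicy. Which imported service manifests declare HTTP endpoints is an assumed input (the http_services parameter), since endpoints live in the service manifest rather than the application manifest; the sample manifest is a constructed copy of the one above.

```python
"""Lint a Service Fabric ApplicationManifest for RunAs/gMSA mistakes (added example, not SF tooling)."""
import re
import xml.etree.ElementTree as ET
NS = {"sf": "http://schemas.microsoft.com/2011/01/fabric"}
GMSA_NAME = re.compile(r"^[^\\]+\\[^\\]+\$$")  # domain\name$: gMSA account names carry a trailing $
# Constructed sample: the manifest from this page, trimmed to the parts the linter inspects.
APP_MANIFEST = r"""<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest ApplicationTypeName="MyApplicationType" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="MyServiceTypePkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <RunAsPolicy CodePackageRef="Code" UserRef="DomaingMSA"/>
    </Policies>
  </ServiceManifestImport>
  <Principals>
    <Users>
      <User Name="DomaingMSA" AccountType="ManagedServiceAccount" AccountName="domain\svc-Test$"/>
    </Users>
  </Principals>
</ApplicationManifest>"""

def lint_manifest(xml_text, http_services=()):
    """Return a list of findings (empty list means the manifest passed). http_services is an
    assumed input: names of imported service manifests that declare HTTP/HTTPS endpoints."""
    root = ET.fromstring(xml_text)
    findings, users = [], set()
    for user in root.findall("sf:Principals/sf:Users/sf:User", NS):
        name = user.get("Name")
        users.add(name)
        account = user.get("AccountName", "")
        if user.get("AccountType") == "ManagedServiceAccount":
            if not GMSA_NAME.match(account):
                findings.append(f"user {name}: AccountName {account!r} is not of the form domain\\name$")
            if user.get("Password") is not None:  # a gMSA is retrieved from AD; no password belongs here
                findings.append(f"user {name}: Password attribute present on a ManagedServiceAccount")
    for imp in root.findall("sf:ServiceManifestImport", NS):
        svc = imp.find("sf:ServiceManifestRef", NS).get("ServiceManifestName")
        policies = imp.find("sf:Policies", NS)
        run_as = [] if policies is None else policies.findall("sf:RunAsPolicy", NS)
        for policy in run_as:  # every RunAs reference must resolve to a declared principal
            ref = policy.get("UserRef")
            if ref not in users:
                findings.append(f"{svc}: RunAsPolicy UserRef {ref!r} matches no <User> under <Principals>")
        has_sap = policies is not None and policies.find("sf:SecurityAccessPolicy", NS) is not None
        if run_as and svc in http_services and not has_sap:
            findings.append(f"{svc}: RunAs with HTTP endpoints requires a SecurityAccessPolicy")
    return findings
```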
The following articles will guide you through next steps: