PingFederate Server

Configuring a secret manager for Windows gMSA

Configure a secret manager instance to use group Managed Service Account (gMSA) credentials in Kerberos realms when running PingFederate on Windows.

Before you begin

  • The Kerberos realms must be configured with the Direct connection type. Learn more in Adding Active Directory domains and Kerberos realms.

  • PingFederate must be running on Windows and configured in one of the following ways to be able to fetch the gMSA credentials:

    • If you start PingFederate by running the run.bat script, then the user account logged in and running the script must have access to the gMSA password.

    • If PingFederate is running as a service under the local system account, which is the default when installing PingFederate as a service, then the machine running PingFederate must have access to the gMSA password.

    • If PingFederate is running as a service under another account, such as a service account or another gMSA account, then the account that PingFederate is running under must have access to the gMSA password.

      The gMSA can’t retrieve its own credentials. If you want to use gMSAs to run PingFederate, and also as the service account used in the Kerberos realm configuration, you must use two different accounts. In that case, the gMSA account used to run PingFederate as a service must have permission to manage the Kerberos gMSA’s password.

Having access to the gMSA password means the user or machine running PingFederate must be included in the gMSA’s PrincipalsAllowedToRetrieveManagedPassword attribute. Learn more in Running PingFederate as a service using a gMSA on Windows.
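The following PowerShell script is an added example, not part of the PingFederate documentation or product. Run it on the PingFederate host with the ActiveDirectory module installed to confirm the prerequisite above before creating the secret manager: it lists every principal in the gMSA's PrincipalsAllowedToRetrieveManagedPassword attribute, checks whether the account PingFederate runs as is among them (directly or through group membership), and refuses the case where the gMSA would be asked to retrieve its own password. The gMSA name pf-krb-gmsa and the local computer account as the run-as principal (the Local System service case) are assumptions; substitute your own.

```powershell
# Added example, not part of the PingFederate documentation or product.
# Verifies that the principal PingFederate runs as may retrieve the managed
# password of the gMSA used in the Kerberos realm.
# Assumed names: 'pf-krb-gmsa' (the Kerberos realm gMSA) and the local computer
# account (PingFederate running as a service under Local System, the default).
Import-Module ActiveDirectory

$KerberosGmsa   = 'pf-krb-gmsa'               # assumed: gMSA referenced by the secret manager
$RunAsPrincipal = "$env:COMPUTERNAME`$"        # assumed: Local System maps to the computer account

# A gMSA cannot retrieve its own credentials, so the two accounts must differ.
if ($RunAsPrincipal.TrimEnd('$') -ieq $KerberosGmsa) {
    throw 'A gMSA cannot retrieve its own password; run PingFederate under a different account.'
}

$gmsa  = Get-ADServiceAccount -Identity $KerberosGmsa `
             -Properties PrincipalsAllowedToRetrieveManagedPassword
# LDAP filter syntax keeps the trailing '$' of computer/gMSA names literal.
$runAs = Get-ADObject -LDAPFilter "(sAMAccountName=$RunAsPrincipal)"

$allowed = $false
foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $entry = Get-ADObject -Identity $dn -Properties sAMAccountName, objectClass
    '{0,-30} {1}' -f $entry.sAMAccountName, $entry.objectClass

    if ($entry.DistinguishedName -eq $runAs.DistinguishedName) {
        $allowed = $true
    } elseif ($entry.objectClass -eq 'group') {
        # Membership in a listed group (including nested groups) also grants retrieval.
        $members = Get-ADGroupMember -Identity $dn -Recursive
        if ($members.distinguishedName -contains $runAs.DistinguishedName) { $allowed = $true }
    }
}

if ($allowed) {
    "$RunAsPrincipal may retrieve the managed password of $KerberosGmsa"
} else {
    Write-Warning "$RunAsPrincipal is not in PrincipalsAllowedToRetrieveManagedPassword of $KerberosGmsa"
}

# For the Local System case, Test-ADServiceAccount confirms the local computer can
# actually fetch the password from a domain controller (returns True on success).
if ($RunAsPrincipal -ieq "$env:COMPUTERNAME`$") {
    Test-ADServiceAccount -Identity $KerberosGmsa
}
```

If the script reports the principal as not allowed, the attribute is corrected on the gMSA itself (the Set-ADServiceAccount cmdlet accepts a -PrincipalsAllowedToRetrieveManagedPassword parameter); the secret manager's Test Configuration action will fail until that is in place.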

Steps

  1. In the PingFederate admin console, go to System > External Systems > Secret Managers.

  2. Click Create New Instance.

Type tab

  1. In the Instance Name field, enter a name for this secret manager instance.

  2. In the Instance ID field, enter an ID for this instance.

    The instance ID must be unique. It’s used to generate the secret reference.

  3. In the Type list, select Windows gMSA.

  4. (Optional) Select an instance in the Parent Instance list.

  5. Click Next.

Instance Configuration tab

  1. In the Domain Name field, enter a fully-qualified Active Directory domain where the gMSA account resides.

    This is a top-level domain like example.com.

  2. In the Domain Controller field, enter the fully-qualified hostname of the Active Directory Domain Controller to connect to.

    The following command returns a list of fully-qualified Domain Controller names:

    Get-ADDomainController -Filter * | Select-Object HostName

  3. Select the Connection Security type to use when connecting to the Active Directory Domain Controller.

    Choose from:

    • LDAP transmits data using port 389 by default. This option encrypts only the payload.

    • LDAPS transmits data using port 636 by default. This option encrypts the entire interaction.

      If you select LDAPS and the Domain Controller’s certificate is self-signed, you must import that certificate. You can import a certificate using the Trusted Certificate Authorities menu.
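The following PowerShell script is an added example, not part of the PingFederate documentation or product. It helps decide whether the certificate import described above is needed: it connects to the Domain Controller over LDAPS, displays the certificate the Domain Controller presents, reports whether that certificate is self-signed (subject equals issuer), and if so writes it out in DER form so it can be imported through the Trusted Certificate Authorities menu. The Domain Controller name dc01.example.com is an assumption; the port defaults to 636 as stated above and should match any value entered in the LDAP Port field.

```powershell
# Added example, not part of the PingFederate documentation or product.
# Retrieves the certificate a Domain Controller presents on its LDAPS port and
# exports it as DER when it is self-signed, ready for import into PingFederate.
# Assumed values: DC host name 'dc01.example.com' and the default LDAPS port 636.
$DomainController = 'dc01.example.com'   # assumed
$LdapsPort        = 636                  # default LDAPS port; match the LDAP Port field if changed
$ExportPath       = Join-Path $env:TEMP "$DomainController-ldaps.cer"

# Reachability first: a closed or filtered port explains most failed Test Configuration runs.
$reach = Test-NetConnection -ComputerName $DomainController -Port $LdapsPort -WarningAction SilentlyContinue
if (-not $reach.TcpTestSucceeded) {
    throw "TCP port $LdapsPort on $DomainController is not reachable from this host"
}

$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $LdapsPort)
try {
    # The callback accepts any certificate so that an untrusted one can still be
    # inspected; this is a one-off diagnostic, not a client configuration.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

$selfSigned = ($cert.Subject -eq $cert.Issuer)
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    SelfSigned = $selfSigned
}

if ($selfSigned) {
    # DER-encoded certificate only (no private key), the form PingFederate imports as a trusted CA.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($ExportPath, $der)
    "Self-signed certificate written to $ExportPath; import it via the Trusted Certificate Authorities menu."
} else {
    "Certificate is CA-issued; make sure the issuing CA ($($cert.Issuer)) is trusted by PingFederate."
}
```

PingFederate keeps its own trust store, so a CA-issued Domain Controller certificate that Windows already trusts still needs its issuing CA present in PingFederate's Trusted Certificate Authorities; the script only tells you which certificate to import, not whether PingFederate already trusts it.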

  4. (Optional) Click Show Advanced Fields.

  5. (Optional) In the LDAP Port field, enter a port number to use for transmitting LDAP or LDAPS data.

  6. (Optional) In the Cache Lifetime (Days) field, enter the number of days to retain retrieved gMSA credentials. The default value is 1. Enter -1 to retain credentials until their secret is rotated. Enter 0 to disable caching.

    The credentials cache expires when its lifetime is reached, or Active Directory rotates the password (whichever occurs first).

  7. Click Next or Save.

Actions tab

  1. (Optional) Click Test Configuration to test the secret manager connection to your gMSA.

  2. In the Account Name field, enter the gMSA’s username. This is the name you defined using the New-ADServiceAccount command when you created the gMSA. Learn more in Running PingFederate as a service using a gMSA on Windows.

  3. Click Generate to generate a secret reference.

  4. Copy the generated Result Value and use it to complete your Kerberos configuration. This value is used as the Domain/Realm Password Reference when configuring your Kerberos realm. Learn more in Adding Active Directory domains and Kerberos realms.

  5. Click Next or Save.

Summary tab

  1. Review your configuration and click Save.