---
title: Configuring a secret manager for Windows gMSA
description: Configure a secret manager instance to use group Managed Service Account (gMSA) credentials in Kerberos realms when running PingFederate on Windows.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_configuring_secret_manager_windows_gmsa
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_configuring_secret_manager_windows_gmsa.html
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  type-tab: Type tab
  instance-configuration-tab: Instance Configuration tab
  choose-from: Choose from:
  actions-tab: Actions tab
  summary-tab: Summary tab
---

# Configuring a secret manager for Windows gMSA

Configure a secret manager instance to use group Managed Service Account (gMSA) credentials in Kerberos realms when running PingFederate on Windows.

## Before you begin

* The Kerberos realms must be configured with the **Direct** connection type. Learn more in [Adding Active Directory domains and Kerberos realms](pf_adding_active_directory_domains_kerberos_realms.html).

* PingFederate must be running on Windows and configured in one of the following ways to be able to fetch the gMSA credentials:

  * If you start PingFederate by running the `run.bat` script, then the logged-in user account that runs the script must have access to the gMSA password.

  * If PingFederate is running as a service under the local system account, which is the default when installing PingFederate as a service, then the machine running PingFederate must have access to the gMSA password.

  * If PingFederate is running as a service under another account, such as a service account or another gMSA account, then the account that PingFederate is running under must have access to the gMSA password.

    > **Note:** The gMSA can't retrieve its own credentials. If you want to use gMSAs to run PingFederate, and also as the service account used in the Kerberos realm configuration, you must use two different accounts. In that case, the gMSA account used to run PingFederate as a service must have permission to manage the Kerberos gMSA's password.

> **Note:** Having access to the gMSA password means the user or machine running PingFederate must be included in the gMSA's `PrincipalsAllowedToRetrieveManagedPassword` attribute. Learn more in [Running PingFederate as a service using a gMSA on Windows](../installing_and_uninstalling_pingfederate/pf_run_pf_service_gmsa_windows.html).
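The following PowerShell script is an added example (not part of the PingFederate documentation) that checks the prerequisite above before you configure the secret manager: it lists the principals allowed to retrieve the Kerberos gMSA's password, confirms the principal PingFederate runs as is among them, and then runs `Test-ADServiceAccount` on the host. It assumes the ActiveDirectory RSAT module is installed; the account names `pfkrbgmsa` and `PFHOST01$` are placeholders.

```powershell
# Added example, not from the PingFederate documentation. Requires the
# ActiveDirectory module (RSAT). Account names below are placeholders.
Import-Module ActiveDirectory

$KerberosGmsa   = 'pfkrbgmsa'   # gMSA referenced in the Kerberos realm (assumed name)
$RunAsPrincipal = 'PFHOST01$'   # computer account (run.bat or LocalSystem), or the
                                # service account / second gMSA PingFederate runs under

# PrincipalsAllowedToRetrieveManagedPassword holds distinguished names.
$gmsa = Get-ADServiceAccount -Identity $KerberosGmsa `
            -Properties PrincipalsAllowedToRetrieveManagedPassword

# Resolve each DN to its sAMAccountName so it can be compared with $RunAsPrincipal.
$allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    (Get-ADObject -Identity $dn -Properties sAMAccountName).sAMAccountName
}

Write-Host "Principals allowed to retrieve the password of ${KerberosGmsa}:"
$allowed | ForEach-Object { Write-Host "  $_" }

# Note: an entry may be a group; this direct comparison does not expand group
# membership, so a principal granted access through a group is reported as missing.
if ($allowed -contains $RunAsPrincipal) {
    Write-Host "OK: $RunAsPrincipal can retrieve the gMSA password."
} else {
    Write-Warning "$RunAsPrincipal is not listed; the secret manager connection test will fail."
    # Remediation (run as a domain administrator), preserving the existing principals:
    # Set-ADServiceAccount -Identity $KerberosGmsa `
    #     -PrincipalsAllowedToRetrieveManagedPassword ($allowed + $RunAsPrincipal)
}

# Run this on the PingFederate host, as the principal PingFederate runs under, to
# confirm the managed password can actually be fetched and used end to end.
Test-ADServiceAccount -Identity $KerberosGmsa
```

`Test-ADServiceAccount` returns `True` only when the machine it runs on can retrieve and use the managed password, so a `False` result on the PingFederate host points at the allowed-principals list even if the account is otherwise healthy.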

## Steps

1. In the PingFederate admin console, go to **System > External Systems > Secret Managers**.

2. Click **Create New Instance**.

### Type tab

3. In the **Instance Name** field, enter a name for this secret manager instance.

4. In the **Instance ID** field, enter an ID for this instance.

   The instance ID must be unique. It's used to generate the secret reference.

5. In the **Type** list, select **Windows gMSA**.

6. (Optional) Select an instance in the **Parent Instance** list.

7. Click **Next**.

### Instance Configuration tab

8. In the **Domain Name** field, enter the fully qualified name of the Active Directory domain in which the gMSA account resides.

   This is a top-level domain like `example.com`.

9. In the **Domain Controller** field, enter the fully-qualified hostname of the Active Directory Domain Controller to connect to.

   The following command returns a list of fully-qualified Domain Controller names:

   ```powershell
   Get-ADDomainController -Filter * | Select-Object HostName
   ```

10. Select the **Connection Security** type to use when connecting to the Active Directory Domain Controller.

    ### Choose from:

    * **LDAP** transmits data using port 389 by default. This option encrypts only the payload.

    * **LDAPS** transmits data using port 636 by default. This option encrypts the entire interaction.

      > **Note:** If you select **LDAPS**, you must import a Domain Controller's certificate if your certificate is self-signed. You can import a certificate using the [Trusted Certificate Authorities](help_certmanagementtasklet_trustedcas_certmanagementstate.html) menu.

11. (Optional) Click **Show Advanced Fields**.

12. (Optional) In the **LDAP Port** field, enter a port number to use for transmitting LDAP or LDAPS data.

13. (Optional) In the **Cache Lifetime (Days)** field, enter the number of days to retain retrieved gMSA credentials. The default value is `1`. Enter `-1` to retain credentials until their secret is rotated. Enter `0` to disable caching.

    > **Note:** The credentials cache expires when its lifetime is reached or when Active Directory rotates the password, whichever occurs first.

14. Click **Next** or **Save**.

### Actions tab

15. (Optional) Click **Test Configuration** to test the secret manager connection to your gMSA.

16. In the **Account Name** field, enter the gMSA's username. This is the name you defined using the `New-ADServiceAccount` command when you created the gMSA. Learn more in [Running PingFederate as a service using a gMSA on Windows](../installing_and_uninstalling_pingfederate/pf_run_pf_service_gmsa_windows.html).

17. Click **Generate** to generate a secret reference.

18. Copy the generated **Result Value** and use it to complete your Kerberos configuration. This value is used as the **Domain/Realm Password Reference** when configuring your Kerberos realm. Learn more in [Adding Active Directory domains and Kerberos realms](pf_adding_active_directory_domains_kerberos_realms.html).

19. Click **Next** or **Save**.

### Summary tab

20. Review your configuration and click **Save**.
