---
title: Running PingFederate as a service using a gMSA on Windows
description: You can run PingFederate as a service using a group Managed Service Account (gMSA) on Windows. gMSAs automatically rotate passwords on a recurring basis. This improves security and reduces password expiration-related downtime by offloading password management onto Windows. gMSAs provide distinct network identity for services. This enables granular, least-privilege access controls on resources, and simplifies multi-server cluster or farm deployments by allowing authorized hosts to share the single managed account. Compared to traditional user or built-in accounts, gMSAs reduce administrative overhead and strengthen the overall security posture for applications running on a Windows Server.
component: pingfederate
version: 13.0
page_id: pingfederate:installing_and_uninstalling_pingfederate:pf_run_pf_service_gmsa_windows
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/installing_and_uninstalling_pingfederate/pf_run_pf_service_gmsa_windows.html
section_ids:
  before-you-begin: Before you begin
  setting-up-the-gmsa: Setting up the gMSA
  steps: Steps
  example: Example:
  example-2: Example:
  example-3: Example:
  installing-pingfederate-as-a-service: Installing PingFederate as a service
  steps-2: Steps
  choose-from: Choose from:
  running-pingfederate-as-a-service-with-gmsa: Running PingFederate as a service with gMSA
---

# Running PingFederate as a service using a gMSA on Windows

You can run PingFederate as a service using a group Managed Service Account (gMSA) on Windows. A gMSA's password is generated and rotated automatically by Active Directory (every 30 days by default) and is never known to an administrator. This improves security and removes password expiration-related downtime by offloading password management onto Windows. A gMSA also gives the service a distinct network identity, which enables granular, least-privilege access controls on resources, and it simplifies multi-server cluster or farm deployments because every authorized host can share the single managed account. Compared to traditional user or built-in accounts, gMSAs reduce administrative overhead and strengthen the overall security posture of applications running on Windows Server.

Learn more about gMSAs in [Group Managed Service Accounts overview](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/group-managed-service-accounts-overview) in the Windows documentation.

## Before you begin

* Java 11, 17, or 21 is installed. Check [Java requirements](pf_install_java.html) for the version of PingFederate you want to deploy.

* Complete the [prerequisites for managing a gMSA](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts?tabs=aduc#prerequisites) in the Windows documentation. In particular, the domain must already have a KDS root key (`Add-KdsRootKey`) before a gMSA can be created, and each host that will run the service needs the Active Directory PowerShell module (part of RSAT).

## Setting up the gMSA

### Steps

1. From a domain controller in the Active Directory domain, use the `New-ADServiceAccount` command to create the gMSA. `-PrincipalsAllowedToRetrieveManagedPassword` names the computer accounts that may retrieve the managed password; for a cluster or farm, pass a security group that contains all of the PingFederate hosts instead of a single computer account.

   ```powershell
   New-ADServiceAccount <accountName> -DNSHostName <serviceHostName> -PrincipalsAllowedToRetrieveManagedPassword <computerAccountsAbleToAccessAccount>
   ```

### Example:

   ```powershell
   New-ADServiceAccount PingFarm -DNSHostName pingfederate02.jones.lab -PrincipalsAllowedToRetrieveManagedPassword PINGFEDERATE02$
   ```

   Find a list of other gMSA properties you can set using the [Set-ADServiceAccount](https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-adserviceaccount) command in the Windows documentation.

2. On each host that will run the PingFederate service, use the `Install-ADServiceAccount` command to install the gMSA. The command only succeeds on a host that is listed in, or is a member of a group listed in, the gMSA's `PrincipalsAllowedToRetrieveManagedPassword` property.

   ### Example:

   On the `pingfederate02` machine from the previous example, you would run the following:

   ```powershell
   Install-ADServiceAccount -Identity 'PingFarm'
   ```

3. Verify the installation by running the `Test-ADServiceAccount` command.

   ### Example:

   If the host can retrieve the managed password, running the following command returns `True`:

   ```powershell
   Test-ADServiceAccount -Identity 'PingFarm'
   ```
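The steps above create a gMSA for a single host. The following is an added example, not part of the PingFederate documentation, that sets up the shared-account variant the introduction describes: one gMSA that all nodes of a PingFederate cluster can use. It runs on a domain controller; the group name (`PingFederateHosts`), the node names, the DNS name and the domain are assumptions for illustration.

```powershell
# Added example (not from the PingFederate docs): one gMSA shared by a
# PingFederate cluster. Group, host, DNS and domain names are assumptions.
Import-Module ActiveDirectory

$gmsaName  = 'PingFarm'
$dnsName   = 'pingfederate.jones.lab'               # assumed DNS name for the service
$groupName = 'PingFederateHosts'                    # assumed security group of cluster nodes
$hostNames = 'PINGFEDERATE01', 'PINGFEDERATE02'     # assumed node computer names

# gMSAs need a KDS root key in the forest. Fail early if none exists.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. Create one with Add-KdsRootKey (see the Microsoft prerequisites) first.'
}

# A security group of computer accounts lets every node retrieve the managed
# password without editing the gMSA each time a node is added or removed.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -PassThru
}
foreach ($h in $hostNames) {
    Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $h)
}

# Create the gMSA, or update the principal list if it already exists.
if (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'") {
    Set-ADServiceAccount -Identity $gmsaName -PrincipalsAllowedToRetrieveManagedPassword $group
} else {
    New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $group
}

# Review who may retrieve the password: this list is the effective trust boundary
# of the account, so it should contain only the cluster's computer accounts.
Get-ADServiceAccount -Identity $gmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword
```

A computer's group memberships are carried in its Kerberos ticket, so a node added to the group must obtain a fresh ticket (reboot it, or run `klist -li 0x3e7 purge` from an elevated prompt) before `Install-ADServiceAccount` and `Test-ADServiceAccount` will succeed on it. Steps 2 and 3 above are then run unchanged on each node.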

## Installing PingFederate as a service

### Steps

1. Install PingFederate as a service.

   ### Choose from:

   * Use the `.msi` installer. Learn more in [Installing PingFederate on Windows](pf_install_pf_on_windows.html).

   * Use the install-service script.

     1. Download and unzip the PingFederate `.zip` archive. Learn more in [Installing the PingFederate service on Windows manually](pf_install_pf_service_on_windows_manually.html)

     2. Run the `<pingfed_install>/pingfederate/sbin/win-x86-64/install-service.bat` file.

2. When choosing the installation directory, use a location that is not inside any user's profile, such as `C:\Program Files\Ping Identity\`, so that the gMSA can reach it.

3. Right-click the PingFederate folder and select **Properties > Security**.

4. Under the **Group or user names** section, click **Edit > Add > Advanced > Object Types**.

5. Select the **Service Accounts** checkbox.

6. Click **OK**.

7. Click **Find Now**.

8. Click your gMSA.

9. Click **OK > OK**.

10. Grant the gMSA account full control of the `PingFederate` folder.
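Steps 3 through 10 can be done from an elevated PowerShell prompt instead of the **Security** tab. The following is an added example, not part of the PingFederate documentation; the domain (`JONES`), the gMSA name and the installation path are assumptions, and the grant is the same Full Control that the steps above give.

```powershell
# Added example (not from the PingFederate docs): grant the gMSA Full Control of
# the PingFederate installation directory, as the GUI steps above do.
# The domain, account and path are assumptions; adjust them to your deployment.
$gmsa = 'JONES\PingFarm$'                                   # gMSA names always end in '$'
$path = 'C:\Program Files\Ping Identity\pingfederate'

if (-not (Test-Path -Path $path -PathType Container)) {
    throw "PingFederate directory not found: $path"
}

# Build an ACE that applies to the folder, its subfolders and its files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $gmsa,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: list the explicit entries for the gMSA on the folder.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -eq $gmsa } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
```

The identity resolves only on a domain-joined host that can reach a domain controller; if `Set-Acl` reports that the account name could not be translated, check that the host is joined to the domain and that the name is spelled with the trailing `$`.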

## Running PingFederate as a service with gMSA

1. In Windows, search for `Services` and launch it.

2. Find PingFederate in the list.

3. Right-click **PingFederate > Properties > Log On**.

4. Under **Log on as**, select **This account**, then click **Browse > Advanced > Find Now** and select the gMSA.

5. Clear both **Password** fields and click **OK**. Windows retrieves the gMSA password from Active Directory itself, so no password is entered.

6. Search for `Local Security Policy` and launch it.

7. Click **Local Policies > User Rights Assignment** and grant the gMSA the **Log on as a service** right.

8. Go to **Services** and launch or relaunch PingFederate.
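The same configuration can be scripted, which is useful when the service is set up on every node of a cluster. The following is an added example, not part of the PingFederate documentation; it runs from an elevated PowerShell prompt on the PingFederate host, assumes the domain `JONES` and the gMSA `PingFarm`, and locates the service by its `PingFederate` display name. Unlike the **Services** console, changing the logon account programmatically does not grant the **Log on as a service** right, so the script grants it explicitly through `secedit`.

```powershell
# Added example (not from the PingFederate docs): run the PingFederate service as
# the gMSA, grant "Log on as a service", and restart it. Domain and gMSA name are
# assumptions; the service is found by its display name.
$gmsa = 'JONES\PingFarm$'

# 0. The gMSA must already be installed and usable on this host (steps 2 and 3 above).
if (-not (Test-ADServiceAccount -Identity ($gmsa.Split('\')[1].TrimEnd('$')))) {
    throw "gMSA $gmsa is not installed on this host; run Install-ADServiceAccount first."
}

# 1. Locate the service installed by the .msi or install-service.bat.
$svc = Get-Service | Where-Object { $_.DisplayName -like 'PingFederate*' } | Select-Object -First 1
if (-not $svc) { throw 'PingFederate service not found; install it first.' }

# 2. Set the logon account. ChangeServiceConfig requires a NULL password for a
#    managed service account (the equivalent of clearing the Password fields),
#    so no StartPassword is passed.
$ci = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
$r  = Invoke-CimMethod -InputObject $ci -MethodName Change -Arguments @{ StartName = $gmsa }
if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change returned $($r.ReturnValue)" }

# 3. Grant SeServiceLogonRight: export the local policy, add the gMSA's SID to the
#    right if it is missing, and re-import the policy.
$sid = ([System.Security.Principal.NTAccount]$gmsa).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = [System.Collections.Generic.List[string]](Get-Content -Path $cfg)
$i = -1
for ($k = 0; $k -lt $lines.Count; $k++) {
    if ($lines[$k] -like 'SeServiceLogonRight*') { $i = $k; break }
}
if ($i -ge 0) {
    if ($lines[$i] -notlike "*$sid*") { $lines[$i] += ",*$sid" }
} else {
    # No host has the right yet: add it under the [Privilege Rights] section.
    $lines.Insert($lines.IndexOf('[Privilege Rights]') + 1, "SeServiceLogonRight = *$sid")
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue

# 4. Restart and confirm the service is running under the gMSA.
Restart-Service -Name $svc.Name
Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'" |
    Select-Object Name, State, StartName
```

If the service fails to start with a logon failure, the usual causes are the missing **Log on as a service** right (check **Local Security Policy**, or re-run step 3) or a gMSA that `Test-ADServiceAccount` does not yet report as `True` on this host.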
