Running a standalone LDAP gateway as a Windows service using a gMSA
Group Managed Service Accounts (gMSAs) have passwords that Windows generates and rotates automatically on a recurring schedule (every 30 days by default); no administrator ever sets or knows them. Running a standalone Lightweight Directory Access Protocol (LDAP) gateway under a gMSA has the following benefits:
- Gives the gateway its own network identity, distinct from the host and from other services on it
- Reduces downtime caused by password expiration by offloading password management to Windows
- Improves security: the password is a long random value that is rotated automatically and is never typed, stored in a script, or known to a person
- Simplifies multi-server cluster or farm deployments, because every authorized host can share the single managed account
- Reduces administrative overhead
Learn more about gMSAs in the Group Managed Service Accounts overview in the Microsoft documentation.
Goals
After completing this use case, you’ll know how to:
- Set up a gMSA.
- Install and run an LDAP gateway as a Windows service using a gMSA.
What you’ll do
In this use case, you’ll learn how to set up a gMSA in Windows and use it to run a standalone LDAP gateway as a service.
- From a domain controller within Active Directory (AD), you’ll create the gMSA; on the host that will run the gateway, you’ll install and verify it.
- On that host, you’ll:
  - Install the LDAP gateway as a Windows service
  - Run the LDAP gateway using the gMSA
Before you begin
- Set up an LDAP gateway. Learn more in Setting up an LDAP gateway.
- Install Java 21 LTS on the computer that will run the gateway.
- Create a JAVA_HOME system environment variable that points to the directory that contains the bin directory from the Java distribution. It must be a system variable, not a user variable: the service runs as the gMSA and never sees a user's environment.
- Find the prerequisites for managing a gMSA in the Microsoft documentation. In particular, the domain must have a KDS root key before a gMSA can be created, and the host that will run the gateway must have the Active Directory module for Windows PowerShell (part of RSAT) installed.
Tasks
Setting up a gMSA
Create, install, and verify a gMSA with a few PowerShell commands: creation from a domain controller, then installation and verification on the host that will run the gateway.
Note: The gMSA is a separate account defined in AD. It can’t be the same account you used for the Bind DN and the Service Account User Principal Name when you added the LDAP gateway.
Steps
- From a domain controller within the AD, use the New-ADServiceAccount command to create the gMSA. For example:
  New-ADServiceAccount -Name "MyGMSA" -DNSHostName "myhost.example.com" -PrincipalsAllowedToRetrieveManagedPassword "myhost$"
  Here myhost$ is the computer account of the host that will run the gateway. Only the principals listed in -PrincipalsAllowedToRetrieveManagedPassword can retrieve the managed password, and anything that can retrieve it can act as the gMSA, so list only the hosts (or a security group of hosts) that need it. You can find a full list of the properties you can set in the Microsoft documentation.
- On the host machine you specified when you created the gMSA (not on the domain controller, unless the domain controller is that host), install the gMSA using Install-ADServiceAccount. For example:
  Install-ADServiceAccount -Identity 'MyGMSA'
- To verify the gMSA, on the same host run:
  Test-ADServiceAccount -Identity 'MyGMSA'
  The command returns True if this host can retrieve the managed password, and False otherwise.
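The three steps above as one PowerShell script, added here as an example (it is not PingOne's or Microsoft's code). It assumes a domain contoso.example.com (NetBIOS name CONTOSO), a gMSA named MyGMSA and a gateway host named MYHOST; part 1 runs on a domain controller, part 2 on the gateway host. It also adds the checks a practitioner wants before and after the page's commands: that a KDS root key exists (New-ADServiceAccount fails without one), what the created account actually allows, and that the host can really retrieve the password.

```powershell
# Added example for this page (not PingOne or Microsoft code). Assumed names:
# domain contoso.example.com / CONTOSO, gMSA "MyGMSA", gateway host "MYHOST".

if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Install-WindowsFeature RSAT-AD-PowerShell | Out-Null   # member servers; DCs have it already
}
Import-Module ActiveDirectory

$gmsaName = 'MyGMSA'
$hostName = 'MYHOST'            # the member server that will run the gateway

# ---------- Part 1: run on a domain controller (or an admin workstation with RSAT) ----------

# New-ADServiceAccount fails with "Key does not exist" until the domain has a KDS root key.
if (-not (Get-KdsRootKey)) {
    # Production: the key becomes usable about 10 hours later, once every DC has replicated it.
    Add-KdsRootKey -EffectiveImmediately
    # Single-DC lab only: backdate it so the next command works straight away.
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Scope password retrieval to the one computer account that needs it. Anything listed
# here can retrieve the password and therefore act as the gMSA; for a farm, pass a
# security group containing the hosts instead of a single computer object.
$gatewayHost = Get-ADComputer -Identity $hostName

New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$($gmsaName.ToLower()).contoso.example.com" `
    -PrincipalsAllowedToRetrieveManagedPassword $gatewayHost `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256      # no RC4 tickets for this account

# Review what was created before touching the host.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays, KerberosEncryptionType |
    Format-List Name, SamAccountName, PrincipalsAllowedToRetrieveManagedPassword,
                ManagedPasswordIntervalInDays, KerberosEncryptionType

# ---------- Part 2: run on the gateway host itself (MYHOST), as a local administrator ----------

# If retrieval was granted through a security group, the host's existing Kerberos ticket
# predates that membership. Purging the SYSTEM logon session's tickets (LUID 0x3e7)
# fetches a fresh one without a reboot.
klist.exe -li 0x3e7 purge | Out-Null

Install-ADServiceAccount -Identity $gmsaName

# Test-ADServiceAccount returns True only if this host can retrieve the managed password.
if (-not (Test-ADServiceAccount -Identity $gmsaName)) {
    throw "$env:COMPUTERNAME cannot retrieve the managed password for $gmsaName; " +
          "check PrincipalsAllowedToRetrieveManagedPassword, then purge tickets or reboot"
}
"$gmsaName is installed on $env:COMPUTERNAME; use CONTOSO\$gmsaName`$ as the service log-on account"
```

Keep the -PrincipalsAllowedToRetrieveManagedPassword list as short as possible: it is the complete set of computers that can become this identity, so it is the thing to review when auditing who can act as the gateway.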
Installing the LDAP gateway as a Windows service
Steps
- On the target Windows-based computer (typically a member server in an AD domain), use the install-service script to install the LDAP gateway client as a Windows service:
  - Extract pingone-ldap-gateway-<version>.zip.
  - Go to pingone-ldap-gateway-<version> > bin > windows.
  - Run the install-service.bat file to install the LDAP gateway client application as a service.
- Ensure the LDAP gateway client application is installed in a neutral directory, such as C:\Program Files\Ping Identity\, rather than under a user's profile, which the gMSA cannot read.
- Grant the gMSA full control of the LDAP gateway folder:
  - Right-click the LDAP gateway folder and then click Properties > Security.
  - In the Group or user names section, click Edit > Add > Advanced > Object Types.
  - Select the Service Accounts checkbox. gMSAs do not appear in the object picker unless this object type is selected.
  - Click OK and then Find Now.
  - Click your gMSA.
  - Click OK and then click OK.
  - In the permissions list, select Full control for the gMSA account and click OK.
Running the LDAP gateway as a service with the gMSA
Steps
- On the same target Windows-based computer, search for Services and launch it.
- In the Services application, find the LDAP gateway in the list.
- Right-click the LDAP gateway service and then click Properties > Log On.
- Go to Log on as > This account > Browse > Advanced > Find Now, and select the gMSA. (If the gMSA is not listed, click Object Types and select Service Accounts.) The account name appears with a trailing $, for example DOMAIN\MyGMSA$.
- Clear the Password and Confirm password fields (a gMSA has no password you can enter; Windows retrieves it itself) and click OK.
- Search for Local Security Policy and launch it.
- Go to Local Policies > User Rights Assignment and grant the gMSA the Log on as a service right. The Services application normally grants this right automatically when you assign the account; confirm here that the gMSA was added.
- In the Services application, start the PingOne LDAP Gateway service, then check on its Properties > Log On tab that it is running as the gMSA.
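The host-side work from the two sections above (folder permissions, the service's log-on account, the Log on as a service right, and a final check) as one PowerShell script, added here as an example that is not PingOne's or Microsoft's code. The domain name CONTOSO, the gMSA MyGMSA, the install path and the service display name pattern are assumptions; adjust them to your deployment. It uses sc.exe rather than the Services dialog because sc.exe can be scripted, and since sc.exe does not grant SeServiceLogonRight the way the dialog does, it grants the right through an exported and re-imported secedit template.

```powershell
# Added example for this page (not PingOne or Microsoft code). Assumed names:
# domain CONTOSO, gMSA "MyGMSA", install folder and service display name below.
# Run on the gateway host as a local administrator, after install-service.bat.

$gmsaAccount = 'CONTOSO\MyGMSA$'    # a gMSA is always referenced with a trailing $
$installDir  = 'C:\Program Files\Ping Identity\pingone-ldap-gateway'   # assumed path
$displayName = '*LDAP Gateway*'     # assumed; check with Get-Service if it differs

# ---- 1. Folder permissions (the Properties > Security steps, via Set-Acl) ----
# The page specifies Full Control. Whatever you settle on, the account needs
# read/execute on the binaries and write access wherever the gateway writes logs.
$acl  = Get-Acl -Path $installDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $gmsaAccount,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $installDir -AclObject $acl

# ---- 2. Service log-on account (the Properties > Log On steps) ----
$svc = Get-Service -DisplayName $displayName | Select-Object -First 1
if (-not $svc) { throw "No service matching '$displayName'; run install-service.bat first" }

# sc.exe needs a space after each '='; the empty password= "" is deliberate, because a
# gMSA has no password an administrator can supply. The whole command line is passed
# as one string so that the quotes and the trailing $ reach sc.exe unchanged.
$scArgs = "config `"$($svc.Name)`" obj= `"$gmsaAccount`" password= `"`""
$sc = Start-Process -FilePath sc.exe -ArgumentList $scArgs -Wait -NoNewWindow -PassThru
if ($sc.ExitCode -ne 0) { throw "sc.exe config failed with exit code $($sc.ExitCode)" }

# ---- 3. "Log on as a service" right (the Local Security Policy step) ----
# services.msc grants SeServiceLogonRight automatically when you pick an account in
# the Log On tab; sc.exe does not, so grant it here by editing an exported policy.
$sid = (New-Object System.Security.Principal.NTAccount($gmsaAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'user-rights.inf'
$sdb = Join-Path $env:TEMP 'user-rights.sdb'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
[string[]]$lines = Get-Content -Path $inf
$idx = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^SeServiceLogonRight\s*=') { $idx = $i; break }
}
if ($idx -ge 0) {
    if ($lines[$idx] -notlike "*$sid*") { $lines[$idx] += ",*$sid" }   # SIDs are written as *S-1-...
} else {
    $hdr = [array]::IndexOf($lines, '[Privilege Rights]')
    $lines = $lines[0..$hdr] + "SeServiceLogonRight = *$sid" + $lines[($hdr + 1)..($lines.Count - 1)]
}
Set-Content -Path $inf -Value $lines -Encoding Unicode     # secedit templates are UTF-16
secedit.exe /configure /db $sdb /cfg $inf /areas USER_RIGHTS | Out-Null
Remove-Item -Path $inf, $sdb -ErrorAction SilentlyContinue

# ---- 4. Start and verify ----
Start-Service -Name $svc.Name
$running = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
if ($running.State -ne 'Running' -or $running.StartName -ne $gmsaAccount) {
    throw "Service $($svc.Name) is $($running.State) as '$($running.StartName)'; expected Running as $gmsaAccount"
}
"$($svc.Name) is running as $($running.StartName)"
```

If the final check fails with the service stopped, the usual causes are the gMSA not being installed on this host (Test-ADServiceAccount returns False), the Log on as a service right missing (the service fails to start with a logon failure in the System event log), or the install folder permissions not reaching the files the gateway needs to read or write.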