---
title: Running a standalone LDAP gateway as a Windows service using a gMSA
description: Group Managed Service Accounts (gMSAs) automatically rotate passwords on a recurring basis. Running a standalone Lightweight Directory Access Protocol (LDAP) gateway using a gMSA includes the following benefits:
component: pingone
page_id: pingone:integrations:p1_running_standalone_ldap_gateway_gmsa
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_running_standalone_ldap_gateway_gmsa.html
section_ids:
  goals: Goals
  what-youll-do: What you'll do
  before-you-begin: Before you begin
  tasks: Tasks
  setting-up-a-gmsa: Setting up a gMSA
  steps: Steps
  installing-the-ldap-gateway-as-a-windows-service: Installing the LDAP gateway as a Windows service
  steps-2: Steps
  running-the-ldap-gateway-as-a-service-with-the-gmsa: Running the LDAP gateway as a service with the gMSA
  steps-3: Steps
  validation: Validation
---

# Running a standalone LDAP gateway as a Windows service using a gMSA

Group Managed Service Accounts (gMSAs) automatically rotate passwords on a recurring basis. Running a standalone Lightweight Directory Access Protocol (LDAP) gateway using a gMSA includes the following benefits (LDAP is an open, cross-platform protocol used for interacting with directory services):

* Provides a distinct network identity

* Reduces password expiration-related downtime by offloading password management onto Windows

* Improves security, because the password is generated and rotated automatically by Windows rather than managed by hand

* Simplifies multi-server cluster or farm deployments by allowing authorized hosts to share the single managed account

* Reduces administrative overhead

Learn more about gMSAs in the [Group Managed Service Accounts overview](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/group-managed-service-accounts-overview) in the Microsoft documentation.

## Goals

After completing this use case, you'll know how to:

* Set up a gMSA.

* Install and run an LDAP gateway as a Windows service using a gMSA.

## What you'll do

In this use case, you'll learn how to set up a gMSA in Windows and use it to run a standalone LDAP gateway as a service.

* In Windows, from a domain controller within Active Directory (AD), you'll create, install, and verify a gMSA.

* In Windows, you'll:

  1. Install an LDAP gateway as a Windows service

  2. Run the LDAP gateway using a gMSA

## Before you begin

* Set up an LDAP gateway. Learn more in [Setting up an LDAP gateway](p1_gateways_overview.html).

* Install Java 21 LTS on the computer that will run the gateway.

* Create a `JAVA_HOME` system environment variable that points to the directory that contains the `bin` directory from the Java distribution.

* Find the [prerequisites for managing a gMSA](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts?tabs=aduc#prerequisites) in the Microsoft documentation.

## Tasks

### Setting up a gMSA

Create, install, and verify a gMSA from a domain controller using a few commands.

> **Note:** The gMSA is a separate account defined in AD. The gMSA account can't be the same account used for **Bind DN** and **Service Account User Principal Name** when you [added the LDAP gateway](p1_add_ldap_gateway.html).

#### Steps

1. From a domain controller within the AD, use the `New-ADServiceAccount` command to create the gMSA.

   For example:

   ```powershell
   New-ADServiceAccount -Name "MyGMSA" -DNSHostName "myhost.example.com" -PrincipalsAllowedToRetrieveManagedPassword "myhost$"
   ```

   > **Note:** You can find a full list of the properties you can set in the [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/manage-group-managed-service-accounts?tabs=aduc#create-group-managed-service-accounts).

2. Install the gMSA on the host machine specified when you created the gMSA using `Install-ADServiceAccount`.

   For example:

   ```powershell
   Install-ADServiceAccount -Identity 'MyGMSA'
   ```

3. To verify the gMSA, run `Test-ADServiceAccount -Identity 'MyGMSA'`. The command should return `true`.

### Installing the LDAP gateway as a Windows service

#### Steps

1. On the target Windows-based computer (typically a member server in an AD domain), use the `install-service` script to install the LDAP gateway client as a Windows service.

   1. Extract `pingone-ldap-gateway-<version>.zip`.

   2. Go to **pingone-ldap-gateway-\<version> > bin > windows**.

   3. Run the `install-service.bat` file to install the LDAP gateway client application as a service.

2. Ensure the LDAP gateway client application is installed in a neutral directory, such as `C:\Program Files\Ping Identity\`.

3. Right-click **LDAP gateway folder** and then click **Properties > Security**.

4. In the **Group or user names** section, go to **Edit > Add > Advanced > Object Types**.

5. Select the **Service Accounts** checkbox.

   * Click **OK** and then **Find Now**.

6. Click your gMSA.

7. Click **OK** and then click **OK**.

8. Grant the gMSA account full control of the `LDAP gateway` folder.

### Running the LDAP gateway as a service with the gMSA

#### Steps

1. On the same target Windows-based computer, search for `Services` and launch it.

2. In the **Services** application, find the LDAP gateway in the list.

3. Right-click **LDAP gateway** and then click **Properties > Log On**.

4. Go to **Log on as > This account > Browse > Advanced > Find Now**, and select the gMSA.

5. Clear the **Password** fields and click **OK**.

6. Search for `Local Security Policy` and launch it.

7. Go to **Local Policies > User Rights Assignment** and grant the gMSA the **Log on as a service** right.

8. In the **Services** application, select the PingOne LDAP Gateway service and start it.
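The three procedures above (creating and installing the gMSA, granting it access to the gateway folder, and switching the service to log on as the gMSA) as one scripted PowerShell example. This is an added example, not code from the Ping Identity documentation; the domain name `EXAMPLE`, host `myhost`, install folder and service name are assumptions, and the real service name should be looked up with `Get-Service` after `install-service.bat` has run.

```powershell
# Added example: automates the gMSA steps on this page. All values below are assumptions.
#Requires -RunAsAdministrator
$GmsaName    = 'MyGMSA'
$Domain      = 'EXAMPLE'                                   # NetBIOS domain name (assumption)
$HostName    = 'myhost'                                    # computer that runs the gateway (assumption)
$GatewayDir  = 'C:\Program Files\Ping Identity\pingone-ldap-gateway'   # assumption
$ServiceName = '<PingOne LDAP Gateway service name>'       # placeholder: find it with Get-Service

# ---- Part 1: run on a domain controller ----
function New-GatewayGmsa {
    Import-Module ActiveDirectory
    # A KDS root key must exist before any gMSA can be created.
    if (-not (Get-KdsRootKey)) { throw 'No KDS root key found; create one with Add-KdsRootKey first.' }
    # Least privilege: only the gateway host may retrieve the managed password.
    New-ADServiceAccount -Name $GmsaName -DNSHostName "$HostName.example.com" `
        -PrincipalsAllowedToRetrieveManagedPassword "$HostName`$" `
        -ManagedPasswordIntervalInDays 30      # rotation interval; 30 days is the Windows default
}

# ---- Part 2: run on the gateway host ----
function Install-GatewayGmsa {
    Import-Module ActiveDirectory
    Install-ADServiceAccount -Identity $GmsaName
    # Test-ADServiceAccount returns $true only if this host can retrieve the managed password.
    if (-not (Test-ADServiceAccount -Identity $GmsaName)) { throw "gMSA $GmsaName is not usable on this host" }
}

function Grant-GatewayFolderAccess {
    # Equivalent of the Properties > Security steps: full control for the gMSA, inherited by subfolders and files.
    $acl  = Get-Acl -Path $GatewayDir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$GmsaName`$", 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $GatewayDir -AclObject $acl
}

function Set-GatewayServiceLogon {
    # Equivalent of the Log On tab: a gMSA is given with a trailing $ and an empty password.
    # Unlike the Services console, sc.exe does not grant "Log on as a service"; grant that right
    # in Local Security Policy (step 7 above) before starting the service.
    & sc.exe config $ServiceName obj= "$Domain\$GmsaName`$" password= ""
    Start-Service -Name $ServiceName
    # Confirm the service now runs under the gMSA (expect EXAMPLE\MyGMSA$).
    (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
}
```

Run `New-GatewayGmsa` on the domain controller, then the remaining three functions in order on the gateway host.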

## Validation

[Verify a gateway instance](p1_verifying_gateway_instance_ldap.html).
