KBI 312117 – What is gMSA? – How to Configure Argent Omega to use a group Managed Service Account

Version

All Versions of Argent Omega

Date

Thursday, 14 September 2023

Summary

This document describes how to configure Argent Omega to use a gMSA account for authentication across multiple servers in a monitored environment

Technical Background

The group Managed Service Account (gMSA) provides automatic password management and extends that functionality over multiple servers

When you use a gMSA as a service account, the Windows operating system manages the password for the account instead of relying on the administrator to manage the password

Resolution

To set up a gMSA account, follow the instructions from Microsoft: https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts

Here is a link to our KBI article about setting up a gMSA: https://help.argent.com/kbi/kbi-311918-how-to-create-group-management-service-account-gmsa/kbi-311918-how-to-create-group-management-service-account-gmsa/

Verify the gMSA account is also in the local Administrators group on the machines you want to monitor

Verify the gMSA account also has access to the Argent Omega SQL database (see below for how to grant access)

To set up Argent with a gMSA account during the install process, place a check in the box “Use Managed Service Account”

After checking the “Use Managed Service Account” box, the “Service Account” field should auto-populate with your gMSA accounts

Select the gMSA account and click the “Next” button to continue the installation process

To add the gMSA account to the SQL database, open SQL Server Management Studio and connect to the SQL instance running the Argent Omega database

In the left-hand tree, expand “Security”, right-click on “Login” and select “New Login”

In the “Login – New” window click on “Search” button

In the “Select User or Service Account” window verify the field “From this location:” is populated with “Entire Directory” then click on the “Object Types…” button

Make sure both “Users” and “Service Accounts” are selected, then click “OK” to close the “Object Types” window

Enter the name of the gMSA account and click “Check Names” to verify
Click “OK” to close the “Select User or Service Account” window

Back on the “Login – New” screen, set Default database to Argent Omega database

Select “Server Roles” in the left-hand column and make sure “sysadmin” has a check next to it

Select “User Mapping” in the left-hand column
Select the Argent Omega database and type “dbo” as the default schema
Check “db_datareader”, “db_datawriter” and “db_owner”
Click “OK” to close the “Login – New” window

The gMSA account now has access to the Argent Omega database

If you are switching from a normal domain account to a gMSA account after the install is complete, you need to change the account running the Argent Omega service

To switch the account running the Argent Omega service, press Windows Key + R and in the “Run” box type “services.msc”

In the list of services find “Argent Omega”

Right click on “Argent Omega” service and select “Properties”
In the “Argent Omega Properties” window click on the “Log On” tab
Click on the “Browse” button

In the “Select User or Service Account” window verify the “From this location:” is populated with “Entire Directory” then click on the “Object Types…” button

Make sure both “Users” and “Service Accounts” are selected, then click “OK” to close the “Object Types” window

Enter the name of the gMSA account and click “Check Names” to verify
Click “OK” to close the “Select User or Service Account” window
Click “OK” to close the “Argent Omega Properties” window
Restart the service.
Windows is now using the gMSA account to run the Argent Omega service
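As an added example (not part of this KBI and not Argent's own tooling), the following PowerShell script performs the same prerequisite checks, SQL login setup and service log-on change from the command line. The domain, account, instance, database and service names are placeholders; it assumes the ActiveDirectory and SqlServer modules are installed and that it runs elevated on the Argent Omega server.

```powershell
# Placeholder values - replace with your own (constructed for this example)
$Domain      = 'CONTOSO'
$Gmsa        = 'ArgentSvc$'        # gMSA sAMAccountName, including the trailing $
$SqlInstance = 'SQLHOST\ARGENT'    # SQL instance hosting the Argent Omega database
$Database    = 'ArgentOmega'       # Argent Omega database name
$DisplayName = 'Argent Omega'      # service display name as shown in services.msc
$Account     = "$Domain\$Gmsa"

Import-Module ActiveDirectory
Import-Module SqlServer

# 1. The gMSA must be retrievable on this host; if this returns False the service
#    will not start because Windows cannot fetch the managed password from AD
if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
    throw "$Account is not usable on $env:COMPUTERNAME; run Install-ADServiceAccount first"
}

# 2. Verify local Administrators membership (required by the KBI) and add if missing
$isAdmin = Get-LocalGroupMember -Group 'Administrators' |
           Where-Object { $_.Name -ieq $Account }
if (-not $isAdmin) { Add-LocalGroupMember -Group 'Administrators' -Member $Account }

# 3. T-SQL equivalent of the SSMS "Login - New" steps: Windows login, default
#    database, sysadmin server role, dbo default schema and the three database roles
$sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS WITH DEFAULT_DATABASE = [$Database];
ALTER SERVER ROLE [sysadmin] ADD MEMBER [$Account];
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account] WITH DEFAULT_SCHEMA = [dbo];
ALTER ROLE [db_datareader] ADD MEMBER [$Account];
ALTER ROLE [db_datawriter] ADD MEMBER [$Account];
ALTER ROLE [db_owner]      ADD MEMBER [$Account];
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $sql

# 4. Programmatic equivalent of the "Log On" tab: set the service account to the
#    gMSA with an empty password, since Windows retrieves the password itself
$svc    = Get-CimInstance Win32_Service -Filter "DisplayName='$DisplayName'"
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
              -Arguments @{ StartName = $Account; StartPassword = '' }
if ($result.ReturnValue -ne 0) { throw "Service account change failed: $($result.ReturnValue)" }

Restart-Service -Name $svc.Name
(Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartName
```

The final line prints the account the service now runs as, which should be the gMSA name with its trailing $.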

For further assistance, please contact Argent on Instant Help at
https://Instanthelp.Argent.com/