Product: PowerShell Universal
Version: 3.1.4
Hey PSU folks,
I’ve been running PSU for about a year now, installed from the MSI and running under a service account without any issues. My Security Team would like me to use a gMSA account for running PSU instead of a service account. After browsing the forums and seeing people running the service as a gMSA account, I’m trying to get that in place. I’ve created the gMSA, installed it on the PSU server, and tested that it can be used from the server.
At this point I set the PowerShellUniversal service to run as the gMSA account, and it accepts the account; this grants it the Log on as a Service right. I’ve also added the gMSA account to the Local Administrators group. However, restarting the service (and rebooting) does not work. The service keeps failing with an error related to the cert.
Description: The process was terminated due to an unhandled exception.
Exception Info: System.InvalidOperationException: The requested certificate *.domain.com could not be found in LocalMachine/My with AllowInvalid setting: False.
I’ve tried adding the gMSA account Full Access to the cert’s Private Key. I’ve added additional Local User Rights of Adjust memory quotas for a process (Admins group already there), and Replace a process level token. However, restarting and rebooting still gives the same error.
I’ve rolled back the gMSA account so the service is using the service account, restarted the service, and everything works again.
To note, these are my Kestrel settings in appsettings.json. And as mentioned, everything with the cert works with the service account, just not the gMSA account.
```json
"Kestrel": {
  "Endpoints": {
    "HTTP": {
      "Url": "http://*:80"
    },
    "HTTPS": {
      "Url": "https://*:443",
      "Certificate": {
        "Subject": "*.<domain>.com",
        "Store": "My",
        "Location": "LocalMachine"
      }
    }
  },
  "RedirectToHttps": "true"
},
```
Any ideas of what I need to do so my gMSA account can find and read the cert, so the service will start?
Thanks,
Rob
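A diagnostic to run under the gMSA itself, added here as an example (it is not from the post above and not Ironman Software's code): it repeats the same lookup Kestrel performs for this configuration (find by subject name in LocalMachine\My, valid-only because AllowInvalid is false, then require a private key) and records, for that account, whether the chain builds and whether the private key can actually be opened. The subject, log path and script path are placeholders.

```powershell
# Check-PsuCert.ps1 (added example, placeholder names). Run it as the gMSA, e.g.
# via a scheduled task, and compare the log with a run under the service account.
param(
    [string]$Subject = '*.domain.com',                # placeholder: value from appsettings.json
    [string]$LogPath = 'C:\Temp\psu-cert-check.log'   # placeholder: must be writable by the gMSA
)

$lines = @("Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)")

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    # FindBySubjectName is a substring match; validOnly = $true is what AllowInvalid: False
    # implies, so the chain must build and the cert must be in date for this account.
    $anyCert = $store.Certificates.Find('FindBySubjectName', $Subject, $false)
    $valid   = $store.Certificates.Find('FindBySubjectName', $Subject, $true)
    $lines  += "Subject matches ignoring validity: $($anyCert.Count); valid matches: $($valid.Count)"

    foreach ($cert in $anyCert) {
        $lines += "--- $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"
        $lines += "HasPrivateKey: $($cert.HasPrivateKey)"

        # Chain building uses the calling account's trust stores as well as LocalMachine,
        # so an intermediate or root present only in another user's profile shows up here.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $lines  += "Chain builds: $chainOk"
        if (-not $chainOk) {
            $lines += ($chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status) $($_.StatusInformation)" })
        }

        # Opening the key is the step that needs read access on the private key file (RSA keys only here).
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $lines += "Private key opens: $($null -ne $rsa)"
        } catch {
            $lines += "Private key open FAILED: $($_.Exception.Message)"
        }
    }
} finally {
    $store.Close()
}

$lines | Set-Content -Path $LogPath
```

To execute it under the gMSA, register a scheduled task with `New-ScheduledTaskPrincipal -UserId 'DOMAIN\gmsa$' -LogonType Password` (placeholder account name) whose action is `powershell.exe -File C:\Temp\Check-PsuCert.ps1`, then start it and read the log. Zero valid matches with a failed chain points at trust-store differences between the two accounts; a valid match with a failed key open points at the private key ACL.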