We recently went through an installation of KeyFactor in our environment and we heavily utilize gMSAs where possible instead of static service accounts. When going through the documentation of KeyFactor - certain verbiage within the install documentation led us to believe that we would be able to utilize a gMSA for the Orchestrators and that if we configured a Certificate Store without credentials, the service account that the Orchestrator runs under would be utilized instead.
Minus some initial hiccups regarding the installation of the Universal Orchestrator - we were able to get the service to run under the gMSA without issue. However - we've been unable to get this Extension to run under the gMSA context, even with us providing the password via the API (probably some issue with the Byte Blob > Unicode > Encryption methodology).
When deciding to gander through the source code of the extension - it seems pretty simple to incorporate the Service Account usage by simply not providing a Credential. I went ahead and tested this in our own environment by cloning this repo and checking for a new Boolean value that I added in the Certificate Store config in Command. If this checkbox is there, it won't create the Credential object and I was able to successfully Add/Remove/Inventory the certificate store without issue.
What I did was a pretty easy hack job:

```csharp
// Only build an explicit PSCredential when the store is NOT flagged to use the
// orchestrator's own service account; otherwise connInfo.Credential stays null
// and the remoting session runs as the service identity (e.g. the gMSA).
if (!storePath.UseServiceAccount)
{
    var pw = new NetworkCredential(config.ServerUsername, config.ServerPassword).SecurePassword;

    // Trace the principal only. The original line also interpolated
    // config.ServerPassword into the log message, which writes the plaintext
    // password to the orchestrator log whenever trace logging is enabled.
    _logger.LogTrace($"Credentials: UserName:{config.ServerUsername}");

    connInfo.Credential = new PSCredential(config.ServerUsername, pw);
    _logger.LogTrace("PSCredential Created");
}
```
Let me know if you would like me to add some more polish to this and perform a PR. Right now the user experience of this is still a little lacking - as I'm still required to put in dummy credential information when I create the Certificate Store - but this doesn't appear to be handled by the extension and instead is handled by Command itself - source code I do not have access to. In my opinion the requirement for credentials should also be able to be defined within the Certificate Store configuration.
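The pattern the post describes (leave `Credential` unset so the WSMan session is negotiated with the identity the orchestrator service runs as, otherwise build a `PSCredential`) is shown below as a self-contained factory. This is an added example, not code from the issue or from the Keyfactor extension. The `UseServiceAccount` flag is the one the post introduces; the `StoreConnectionSettings` class, the `Build` method, the WinRM port and the Kerberos setting are assumptions chosen for illustration.

```csharp
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Net;
using Microsoft.Extensions.Logging;

// Hypothetical shape of the certificate-store settings this helper consumes.
// Only "UseServiceAccount" comes from the issue; the other members are assumed.
public sealed class StoreConnectionSettings
{
    public string ClientMachine { get; set; }   // remote host that holds the certificate store
    public string ServerUsername { get; set; }  // may be a dummy value when UseServiceAccount is true
    public string ServerPassword { get; set; }
    public bool UseServiceAccount { get; set; } // true => run the session as the orchestrator's own identity (gMSA)
}

public static class RemoteSessionFactory
{
    // Builds the connection info for a remote PowerShell session to the store host.
    // When UseServiceAccount is set, no credential is attached and any dummy
    // username/password in the store configuration is never read or logged.
    public static WSManConnectionInfo Build(StoreConnectionSettings settings, ILogger logger)
    {
        if (string.IsNullOrWhiteSpace(settings.ClientMachine))
            throw new ArgumentException("ClientMachine is required.", nameof(settings));

        // Assumed: WinRM over HTTP on 5985 with Kerberos; Kerberos is what lets a
        // gMSA authenticate without a stored password.
        var uri = new Uri($"http://{settings.ClientMachine}:5985/wsman");
        var connInfo = new WSManConnectionInfo(uri)
        {
            AuthenticationMechanism = AuthenticationMechanism.Kerberos
        };

        if (settings.UseServiceAccount)
        {
            logger.LogTrace("Connecting to {Host} as the orchestrator service account", settings.ClientMachine);
            return connInfo; // Credential left null on purpose
        }

        if (string.IsNullOrEmpty(settings.ServerUsername) || string.IsNullOrEmpty(settings.ServerPassword))
            throw new InvalidOperationException(
                "ServerUsername and ServerPassword are required unless UseServiceAccount is set.");

        // Log the principal only; the password is never written to the log.
        logger.LogTrace("Connecting to {Host} as explicit user {User}", settings.ClientMachine, settings.ServerUsername);

        var securePassword = new NetworkCredential(string.Empty, settings.ServerPassword).SecurePassword;
        connInfo.Credential = new PSCredential(settings.ServerUsername, securePassword);
        return connInfo;
    }
}
```

With `UseServiceAccount` set, the gMSA that the Universal Orchestrator service runs under still needs to be granted remoting access (and whatever certificate-store rights the job requires) on each target host; the flag only changes which identity is presented, not what that identity is allowed to do.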