Using Group Managed Service Accounts (gMSAs)

You can use Group Managed Service Accounts (gMSA), a type of managed domain account, for both the Database Owner account and the Operational database account.

From an operational perspective, gMSA accounts offer better security than traditional service accounts. gMSA accounts extend service account functionality across multiple servers. The domain controller and the Microsoft Key Distribution Service (KDS) together manage the secrets and passwords for the devices connected with a gMSA, so no administrator ever knows or types the password.

Because of the difficulty maintaining updated passwords across devices and services, many users of standard service accounts set the password for the service account to never expire. This poses obvious security risks, and is outside policy for many organizations. Using gMSA accounts resolves this problem, so server owners and application owners don't need to worry about password rotation.

IMPORTANT  Before using gMSAs with Venafi Platform, you need a good understanding of gMSA accounts, how they work, and how to administer them. You also need to have your gMSA account(s) set up and properly replicated before you can use them to configure Venafi Platform's connections to the database. The replication process can take a full business day before the gMSAs are available for use in a production environment.

Once your gMSA has been provisioned and replicated, you can use a gMSA for the database owner account as well as for the operational database account. Be sure you enter the account name in the following format:

<domain>\<account>$

For example, if your domain is jupiter and the gMSA account is ganymede, you would enter the following as the user name:

jupiter\ganymede$

Don't forget the $ at the end of the user name. If your format is correct, the password field becomes disabled, because the gMSA password is managed by Active Directory and is never entered by hand.
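The following PowerShell script is an added example, not part of the Venafi documentation or Venafi's own tooling. It walks through the prerequisites the IMPORTANT note lists (a KDS root key, a provisioned gMSA, replication to the server) and then builds and checks the <domain>\<account>$ user name described above. The account name ganymede and domain jupiter are the page's own placeholders; the DNS host name ganymede.jupiter.example and the server computer account VENAFISRV01$ are assumptions you must replace with your own values.

```powershell
# Added example: provision a gMSA for the Venafi Platform database connection,
# confirm it is usable on this server, and build the DOMAIN\account$ user name.
# jupiter/ganymede come from the page; the DNS host name and VENAFISRV01$ are
# assumed placeholders for your environment.

#Requires -Modules ActiveDirectory
Set-StrictMode -Version Latest

function Test-GmsaUserName {
    # Returns $true only when the name has the form DOMAIN\account$ (trailing $ present).
    param([Parameter(Mandatory)][string]$UserName)
    return $UserName -match '^[^\\\s]+\\[^\\\s$]+\$$'
}

function Get-GmsaUserName {
    # Builds DOMAIN\sAMAccountName for a gMSA; a gMSA's sAMAccountName already ends in $.
    param([Parameter(Mandatory)][string]$AccountName)
    $gmsa   = Get-ADServiceAccount -Identity $AccountName
    $domain = (Get-ADDomain).NetBIOSName
    return "$domain\$($gmsa.SamAccountName)"
}

# 1. A KDS root key must exist before any gMSA password can be generated.
#    In production, wait for the key to replicate to all domain controllers
#    before creating gMSAs (see the replication note on this page).
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Create the gMSA and allow only the Venafi server's computer account to
#    retrieve its password (least privilege: no other host can use it).
$params = @{
    Name                                       = 'ganymede'
    DNSHostName                                = 'ganymede.jupiter.example'   # assumed
    PrincipalsAllowedToRetrieveManagedPassword = 'VENAFISRV01$'               # assumed
}
New-ADServiceAccount @params

# 3. On the Venafi server: install the gMSA and verify the host can retrieve
#    the managed password. Both must succeed before configuring the database.
Install-ADServiceAccount -Identity 'ganymede'
if (-not (Test-ADServiceAccount -Identity 'ganymede')) {
    throw 'gMSA is not yet usable on this host; check replication and the allowed principals.'
}

# 4. The value to enter as the database user name (the password field is disabled).
$userName = Get-GmsaUserName -AccountName 'ganymede'   # jupiter\ganymede$
if (-not (Test-GmsaUserName $userName)) {
    throw "Unexpected user name format: $userName"
}
$userName
```

Steps 1 and 2 run on a host with the Active Directory module and rights to create service accounts; step 3 runs on the Venafi server itself. If Test-ADServiceAccount returns $false, the usual causes are that the KDS root key or the new gMSA has not yet replicated, or that the server's computer account is not in PrincipalsAllowedToRetrieveManagedPassword.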

Learn more about gMSA accounts in the Windows Server Documentation.