5

I have a service running on a Windows 2012 R2 domain member server that requires internet access. The service is configured to run under a Managed Service Account and the account is granted local administrator privileges on the domain member. Group Policy Preferences are used to configure the web proxy settings for all users and the relevant group policy is linked at the domain top level.

The managed service account exists in the default container for such accounts under the top level, however it does not seem to get these settings applied to its registry hive under HKEY_USERS, and manually adding the settings to the relevant hive does not seem to have any effect either. How can I apply proxy settings to a managed service account in the same fashion as any other normal domain account?

Earl Sven

1 Answer

1

Policies don't really apply to services because they don't have an interactive login. There are exceptions like a password policy, but that is because the policy is actually being applied to the DC.

My guess is you have logged into the server at some point with the OLD credential, and that is why there is a profile and a policy applied to that profile.

If you're needing the service to use specific networking settings, you will need to apply those settings to the actual server since a service login normally does not have a full profile established for it.

J. DuBois
  • Would manually applying the settings through the 'proxy' configuration page on Internet Explorer affect services as this is a user setting? If I used netsh to apply the settings would this apply to a service running as an MSA? – Earl Sven Feb 18 '19 at 16:16
  • Again, it may or may not. The issue is the service, when launched, doesn't have a full profile loaded, so it may never connect those IE settings with its own process (that is, unless the process is smart enough to look -- which if it was, it would also likely have its own optional settings in its own config), then the process will never know (nor will the OS) that data should go via the proxy. Do you have an option on your firewall to allow the traffic thru as NAT instead of Proxy? – J. DuBois Feb 28 '19 at 16:27
  • Unfortunately not, I am required for security reasons to route the traffic through the web proxy so it can be 'inspected'. – Earl Sven Apr 03 '19 at 10:53
  • Does your proxy server have an agent that can run on the server to capture the traffic? – J. DuBois Apr 04 '19 at 15:07
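
An added diagnostic example, not part of the original question or answer: this PowerShell sketch shows which proxy settings are actually visible for a service's logon account (per-user hive under HKEY_USERS) next to the machine-wide WinHTTP proxy. The service name `MyService` is a placeholder, and whether a given service reads either location is an assumption that depends on the HTTP stack it uses.

```powershell
# Added example (not from the original thread). 'MyService' is a placeholder name.
# Run from an elevated prompt on the member server, ideally while the service is running.
param([string]$ServiceName = 'MyService')

# Find the account the service logs on as (an MSA appears as DOMAIN\name$).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
$account = $svc.StartName

# Resolve the account to a SID so its hive can be located under HKEY_USERS.
if ($account -eq 'LocalSystem') {
    $sid = 'S-1-5-18'   # well-known SID; 'LocalSystem' itself is not translatable
} else {
    # Local accounts are reported as '.\name'; expand the dot to the computer name.
    $name = $account -replace '^\.\\', "$env:COMPUTERNAME\"
    $sid  = ([System.Security.Principal.NTAccount]$name).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
}

# A hive appears under HKEY_USERS only while that account's profile is loaded.
$hive = "Registry::HKEY_USERS\$sid"
$key  = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$user = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

# Per-user (WinINET / Internet Explorer) proxy values as seen in the account's hive.
[pscustomobject]@{
    Service       = $ServiceName
    Account       = $account
    Sid           = $sid
    HiveLoaded    = Test-Path $hive
    ProxyEnable   = $user.ProxyEnable
    ProxyServer   = $user.ProxyServer
    AutoConfigURL = $user.AutoConfigURL
} | Format-List

# Machine-wide WinHTTP proxy, which is stored per computer rather than per user.
netsh winhttp show proxy
```

If `HiveLoaded` is False while the service is stopped, rerun the check with the service started before drawing conclusions about the per-user values.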