
I'm trying to solve a conundrum for my DBAs and developers. We have an application that is running under a gMSA (group managed service account) identity. This application needs to access a SQL database, and we prefer to grant access by using groups whenever possible. However, when adding the gMSA to a security group that has access to the DB, SQL Server is unable to resolve the account as a member of the group. Here's the kicker: when the gMSA is added directly to the DB permissions, it works flawlessly. Are there any restrictions around nesting gMSAs in security groups that I am not aware of?

SamErde
  • Has the gMSA logged off and logged back on again since the group membership change? – Semicolon Jun 04 '19 at 18:40
  • I don't know. Is the AD group marked as a security group? Also, can you talk more about the preference to grant permissions to groups? Like, could you accomplish a similar thing by using roles in the database? – Ben Thul Jun 07 '19 at 13:59
  • Have you tried restarting the application that connects to the SQL server? – Shiroy Apr 07 '21 at 22:04
  • Old, but yes, the identity and the Kerberos ticket of the gMSA and client server were both reset by restarting that server. – SamErde Apr 09 '21 at 15:15
  • Managing permissions via groups makes it easier to track, manage, and audit them in one place (AD). – SamErde Apr 09 '21 at 15:16
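A diagnostic check for the mismatch described in the question, added here as an example rather than taken from the question or its comments: it compares the group membership AD reports for the gMSA with the groups SQL Server actually resolves for that account via `xp_logininfo`. It assumes the ActiveDirectory and SqlServer PowerShell modules, a domain `CONTOSO`, a gMSA `svc-app$`, a SQL instance `SQL01` and a group `SG-DB-Readers` that holds the SQL login (all assumed names).

```powershell
# Added diagnostic example; all names below are assumptions, not from the question.
Import-Module ActiveDirectory
Import-Module SqlServer

$Domain   = 'CONTOSO'        # assumed NetBIOS domain name
$Gmsa     = 'svc-app$'       # assumed gMSA sAMAccountName (note the trailing $)
$Instance = 'SQL01'          # assumed SQL Server instance
$Group    = 'SG-DB-Readers'  # assumed security group that has the SQL login

# 1. What AD says: direct group memberships of the gMSA.
$adGroups = Get-ADPrincipalGroupMembership -Identity $Gmsa |
            Select-Object -ExpandProperty SamAccountName

# 2. What SQL Server sees: xp_logininfo resolves the Windows principal and, with
#    'all', returns one row per permission path (login) the account maps through.
$query   = "EXEC xp_logininfo '$Domain\$Gmsa', 'all';"
$sqlRows = Invoke-Sqlcmd -ServerInstance $Instance -Query $query
$sqlGroups = $sqlRows |
             Where-Object { $_.type -eq 'group' } |
             ForEach-Object { ($_.'permission path' -replace '^.*\\', '') }

$inAd  = $adGroups  -contains $Group
$inSql = $sqlGroups -contains $Group

[pscustomobject]@{
    Account          = "$Domain\$Gmsa"
    Group            = $Group
    AdMembership     = $inAd
    SqlResolvesGroup = $inSql
}

if ($inAd -and -not $inSql) {
    # AD has the membership but SQL Server's resolution does not: verify the
    # group really has a login on the instance, then restart the service running
    # as the gMSA so its logon token (and Kerberos ticket) picks up the new group SID.
    Write-Warning "AD lists $Gmsa in $Group, but SQL Server did not resolve that path; check the group's login and refresh the service's logon token."
}
```

Run it from a host that can reach both a domain controller and the SQL instance with an account allowed to execute `xp_logininfo`.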

0 Answers