Concept
When installing the Quickpass Agent on a Domain Controller, an option to install using a Custom Managed Service Account (MSA) can be utilized, via the GUI or Scripted installation.
Manual/GUI Installation
Scripted/Automatic Installation
Using a Managed Service account may be required in cases where the "Local System" account does not have privileges to access or change Active Directory information. If the Quickpass Agent was originally installed with the option to use the "Local System" account, a PowerShell script has been developed that will assist you in changing the account to an MSA.
https://support.getquickpass.com/hc/en-us/articles/7794441426839-Changing-from-Local-System-to-Managed-Service-Account-for-the-Quickpass-Service
Indicators
Some MSP Partners/IT Support teams may notice an error during the installation, or during the change from "Local System" to MSA.
Symptoms include:
- Unable to Start Service
- Installation failed due to the Service not starting.
- Repeated attempts to "Retry" starting the service failing during Manual/GUI installation.
- The PowerShell script to change from "Local System" to MSA completes, but the Service will not start.
- Usually this is accompanied by a message indicating that the Service did not start and that you should check whether the account has permission to log on as a service.
- Additional Errors may indicate that the Account Password for the MSA is incorrect.
Diagnosis
- Log onto the Domain Controller as an Administrative account.
- Open the Local Policy Management Console
- For Domain Controllers, these values are managed by Group Policy - this screen will just allow you to determine IF a Policy is the cause.
- Expand the Security Settings Screen
- Expand Local Policies
- Expand User Rights Assignment
- Find on the list the "Log on as a Service" Policy.
- Double click on the Policy to see the list of Accounts/Groups that have been given permissions to start Services.
- This list will either be the default values (to allow all) or will have a list of accounts that have permission to start a Service.
- If the list is restricted and does NOT include the MSA account, you will need to add the MSA to the Group Policy.
- You can find the name of the Quickpass MSA account by looking at the ADUC Console and checking the Container named "Managed Service Accounts".
Resolution
- Open the Group Policy Management Console
- Expand the Group Policy objects linked and enabled for the Domain.
- The most common Group Policy objects that these will be added to are the Default Domain Policy or the Default Domain Controllers Policy. However, a separate Group Policy may have these settings, so you may have to scan through multiple GPOs to find the correct one (as shown in this screenshot).
- When you find the existing GPO that is limiting the Log on as a Service to specific groups, edit that Policy.
- Expand the Computer Configuration
- Expand Policies
- Expand Windows Settings
- Expand Security Settings
- Expand Local Policies
- Click on User Rights Assignment
- Find the Log on as a Service Policy on the list and Double Click
- The list here should match what you found on the Local Policy display.
- To add the Quickpass MSA for each Domain Controller (each DC will have its own), click the "Add User or Group" button.
- If you know the name of the MSA account you can add it here by typing it and selecting OK, or you can click Browse.
- Clicking on Advanced will show you an additional Dialogue box that will allow you to search.
- Select the "Locations" button
- Expand the Domain and find the Managed Service Accounts Container
- Select that Container and click OK
- Click Find Now
- A list of accounts that exist in that Container will be populated in the lower portion.
- Find the Managed accounts that start with "Quickpass-" or whatever name you manually specified when running the PowerShell script to change from Local System to MSA.
- Select all of these MSA accounts and select OK
- The accounts will appear under "Object names to select"; click OK.
- The Add User or Group Dialogue box will show those names again (with a "$" at the end to indicate they are MSA accounts). Click OK.
- The updated list of "Log on as a Service" accounts will be populated. Click OK again to accept the values.
- Close the GPO Editor screen.
- Launch a Command Prompt/PowerShell console as Administrator
- Run "gpupdate /force" multiple times (we've seen it take as many as 5 runs, or even a full Domain Controller reboot, before it comes into effect).
- Attempt to start the Quickpass Server Agent Service.
- If the service starts, confirm that it appears as Online on the Customer's Agent list on the QP Dashboard.
- If the service does NOT start and you get a similar message to the prior one, ensure that the Local Security Policy now shows the updated list of accounts that can Log on as a Service.
Note: You may have to close and reopen the Local Security Policy Console to see the updated information.
- If the Local Security Policy Console has not updated with the new account information noted above, this may mean that a Domain replication problem exists in your customer's environment, or that the GPO you modified has some other restriction that prevents it from being applied to the Domain Controller. Do some additional investigation to determine whether either of these is the cause.
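The Diagnosis steps and the post-gpupdate verification above both come down to one question: does the effective "Log on as a service" right on this Domain Controller include the Quickpass MSA? The following PowerShell script is an added example (not part of this article or of Quickpass's tooling) that answers it by exporting the effective policy with secedit, resolving the SIDs, and checking each MSA. It assumes the RSAT ActiveDirectory module is installed, that it is run elevated on the DC itself, and that the MSAs keep the "Quickpass-" prefix (pass -MsaPrefix if you chose another name).

```powershell
#Requires -RunAsAdministrator
# Added example, not Quickpass's own script. Reports whether each Quickpass MSA
# holds SeServiceLogonRight ("Log on as a service") on this Domain Controller.
function Test-QuickpassServiceLogonRight {
    param([string]$MsaPrefix = 'Quickpass-')   # assumed default prefix from the article

    Import-Module ActiveDirectory -ErrorAction Stop

    # 1. Export the policy actually in effect (local settings merged with GPO).
    $inf = Join-Path $env:TEMP 'secpol-userrights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

    # 2. Read the SeServiceLogonRight line; members are '*SID' or plain account names.
    $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
            Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) {
        Write-Warning 'SeServiceLogonRight is not explicitly configured here (default applies).'
        return
    }
    $members = ($line -split '=', 2)[1].Trim() -split ',' |
               ForEach-Object { $_.Trim() } | Where-Object { $_ }

    # 3. Translate '*S-1-5-...' entries to DOMAIN\name so they compare with the MSAs.
    $granted = foreach ($m in $members) {
        if ($m.StartsWith('*')) {
            try {
                $sid = [System.Security.Principal.SecurityIdentifier]::new($m.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $m }   # SID of a deleted account etc.: keep the raw value
        } else { $m }
    }

    # 4. Look up the Quickpass MSAs in the Managed Service Accounts container.
    $msas = Get-ADServiceAccount -Filter "Name -like '$MsaPrefix*'"
    if (-not $msas) { Write-Warning "No MSAs named '$MsaPrefix*' found in AD."; return }

    # 5. One row per MSA. SamAccountName carries the trailing '$' the article mentions.
    foreach ($msa in $msas) {
        [pscustomobject]@{
            Msa      = $msa.SamAccountName
            HasRight = [bool]($granted | Where-Object { $_ -like "*\$($msa.SamAccountName)" })
        }
    }
}

Test-QuickpassServiceLogonRight | Format-Table -AutoSize
```

A row with HasRight = False after "gpupdate /force" means the GPO change has not reached this DC yet (or is filtered), which is the replication/GPO-scope situation described in the last step; a warning that the right is not explicitly configured corresponds to the "default values" case in the Diagnosis section.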