Group Managed Service Accounts (gMSAs) are an advanced Active Directory option for running services across multiple machines in a Windows environment. For NetWitness Endpoint, enabling the SQL server's gMSA for trusted delegation is what allows the QueuedData folder to sit on a remote share that is not local to the SQL server: the bulk insert of the KernelData.csv file from that share requires the SQL service to pass the caller's Kerberos credentials on to the file server (a second hop), which only works when the account is trusted for delegation. Without this setting, the kernel data download for kernel encodings from the KernelData.csv file in the QueuedData folder fails to update into the database because the bulk insert on the file fails, and a growing number of agents display offline driver errors until this is resolved.
Summary of the procedure:
1. An environment with DNS and Active Directory is required for this setup.
2. The QueuedData folder must be on a remote share; otherwise there is no need to perform these steps.
3. The SQL server will typically be on its own server, with the CS on a separate machine. The QueuedData folder can be a remote share hosted locally on the CS machine, but it must not be local to the SQL server. It may also be on a separate endpoint.
4. On the AD server, create the KDS root key.
5. Create an AD group for the ECAT server and one for the SQL server.
6. Create the two group Managed Service Accounts. The names can be anything, but the rest of the setup must use the names chosen consistently.
7. Verify the presence of the service accounts on the two target endpoint machines. Install the AD DS and AD LDS tools if required to run the test.
8. Add the accounts created to the two servers as local administrators, and confirm they are local administrators.
9. Set the Log On As identity of the services to the two new service accounts created in step 6.
10. Add the two accounts to the SQL server as logins and give them both the sysadmin and bulkadmin roles.
11. On the AD server, set the extended properties ONLY for the SQL service account to include trusted for delegation, and set the SPNs for the SQL server machine on that account.
12. Restart the SQL Server services and start/restart the ECAT services.
13. Verify this is working by using the ConsoleServerServiceOutput window and restarting the ECAT service to confirm the RSA Live kernel download successfully pulls the file into the database with the next kernel update message. On 220.127.116.11 this can take up to 30 minutes; on older versions it may be as quick as 6 minutes.
Configuring Group Managed Service Accounts
NWE Console Server configured to connect to a database on another server (default database is ECAT$PRIMARY)
A SQL Server separate from the Console Server running the ECAT database
A remote folder/partition for the QueuedData folder. This folder can be located on the Console Server machine, but not the SQL database for these steps. Otherwise, it should be on a remote machine with the folder shared to both machines.
Active Directory and DNS with Kerberos must be configured in the environment. NOTE: All connection settings, including the address for the database that the console server is to connect to, must be using HOSTNAMES, not IP addresses for their connection settings or NTLM will be used instead of Kerberos for the connection.
The process starts on the AD server with the KDS root key. Not every environment needs to create one; in fact, if you are following these steps, chances are you won't, but it needs to be verified. First, confirm the presence of the root key:
If you do not see output like the above, you must generate a new root key on the AD server. Without it, you won't be able to generate service accounts, so create the KDS root key using one of the two scenarios below:
If you have a DNS environment with multiple servers that need to sync across the environment: Add-KdsRootKey -EffectiveImmediately
Wait about 10 hours for propagation across the network.
If you have a single server to update or this is being done for testing, run the alternate command to IMMEDIATELY apply this change:
Create two AD groups for ECAT server computers and ECAT SQL server computers (ex: EcatServersGroup, SqlServersGroup) in Active Directory Users and Computers. Add ECAT server computers to the first group, and the SQL servers to the second group.
Create the group Managed Service Accounts for both the NWE (ECAT) services and the SQL services using PowerShell commands on the DC similar to the ones below. Note that the service account names can be changed to suit the environment and should be inserted in place of the default names listed below; the same applies to the selected DNS server name:
For the next step, enable the following features in Windows Roles and Features on both the Endpoint CS and the SQL server in order to be able to run the next commands in PowerShell:
Windows AD DS
Windows AD LDS Tools
Run the following PowerShell commands on both servers to add the service accounts to each machine and verify they are present:
On the ECAT Server:
On the SQL Server:
Now you need to add the new service accounts on both machines to the local Administrators group in Local Users and Groups. This can be done via GPO, or it can be done manually. Below is the manual method:
First open Computer Management > Local Users and Groups > select the Groups folder > open the Administrators group by double-clicking it.
Next click Add and make sure both Locations and Object Types include Service Accounts during the lookup.
Add SQL Server Logins (in SQL Server Management Studio, under Security) for the new service accounts on the SQL server. As in the step above, make sure Service Accounts is enabled under Object Types when looking up the SQL service and ECAT service accounts.
Enable bulkadmin and sysadmin roles in Server Roles.
Configure SPNs and delegation for the SQL service account in AD:
In Active Directory Users and Computers, select View > Advanced Features from the main menu. In the SQL service account properties, on the Attribute Editor tab, enter the SPNs of your SQL server into the servicePrincipalName property, for example:
MSSQLSvc/MyServer.server.local:1433
MSSQLSvc/MyServer.server.local
Enable the TRUSTED_FOR_DELEGATION bit 0x80000 (524288) in the userAccountControl property. You can also do this manually with the below command:
Set-ADAccountControl -Identity "cn=GMSA account,cn=managed service accounts,dc=mydomain,dc=local" -TrustedForDelegation $true -TrustedToAuthForDelegation $false
Restart SQL Server services on the SQL server
Restart ECAT Services
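The AD-side steps above (KDS root key check, computer groups, the two gMSAs, SPNs and the delegation bit on the SQL account only), collected into one PowerShell script as an added example; this is not from the original article or the product. The domain, host names and gMSA names are placeholders to be replaced with your own, and the final loop verifies that the 0x80000 bit is set on the SQL gMSA and clear on the ECAT gMSA.

```powershell
# Added example, not part of the original article. Run on a DC with the AD module.
# All names below are assumed placeholders: substitute your own domain, hosts and gMSA names.
$Domain   = 'mydomain.local'
$SqlHost  = 'sql01.mydomain.local'   # FQDN of the SQL server (matches the SPNs)
$EcatGmsa = 'gmsaEcat'               # gMSA for the NWE/ECAT console server services
$SqlGmsa  = 'gmsaSql'                # gMSA for the SQL Server services

Import-Module ActiveDirectory

# Step 4: KDS root key. Get-KdsRootKey returns nothing when none exists.
if (-not (Get-KdsRootKey)) {
    # Multi-DC environment: key becomes usable after ~10 hours of replication
    Add-KdsRootKey -EffectiveImmediately
    # Single-DC lab only: back-date the key so it is usable right away
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# Step 5: one group per server role, containing the computer accounts
New-ADGroup -Name 'EcatServersGroup' -GroupScope Global -GroupCategory Security
New-ADGroup -Name 'SqlServersGroup'  -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'EcatServersGroup' -Members (Get-ADComputer -Identity 'ECAT-CS')
Add-ADGroupMember -Identity 'SqlServersGroup'  -Members (Get-ADComputer -Identity 'SQL01')

# Step 6: the gMSAs; only members of each group may retrieve the managed password
New-ADServiceAccount -Name $EcatGmsa -DNSHostName "$EcatGmsa.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword 'EcatServersGroup'
New-ADServiceAccount -Name $SqlGmsa  -DNSHostName "$SqlGmsa.$Domain" `
    -PrincipalsAllowedToRetrieveManagedPassword 'SqlServersGroup'

# Step 7 (run on each target server once the AD DS / AD LDS tools are installed):
#   Install-ADServiceAccount -Identity $EcatGmsa; Test-ADServiceAccount -Identity $EcatGmsa   # ECAT server
#   Install-ADServiceAccount -Identity $SqlGmsa;  Test-ADServiceAccount -Identity $SqlGmsa    # SQL server

# Step 11: SPNs and TRUSTED_FOR_DELEGATION on the SQL gMSA only (not the ECAT gMSA)
Set-ADServiceAccount -Identity $SqlGmsa `
    -ServicePrincipalNames @{Add = "MSSQLSvc/${SqlHost}:1433", "MSSQLSvc/$SqlHost"}
Get-ADServiceAccount -Identity $SqlGmsa |
    Set-ADAccountControl -TrustedForDelegation $true -TrustedToAuthForDelegation $false

# Verify: userAccountControl bit 0x80000 (524288) set on the SQL gMSA, clear on the ECAT gMSA
foreach ($acct in $SqlGmsa, $EcatGmsa) {
    $uac = (Get-ADServiceAccount -Identity $acct -Properties userAccountControl).userAccountControl
    '{0}: TrustedForDelegation={1}' -f $acct, (($uac -band 0x80000) -ne 0)
}
```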
To verify KernelData updates are being received into the database, open the ConsoleServerServiceOutput executable in the Servers folder on the CS server and restart the NWE (ECAT) console server service. The normal startup messages will scroll through the output, followed by a message indicating that the kernel data was successfully downloaded into the database.
Use the following script in the SQL database after setup is complete to verify that connections are using Kerberos to the SQL server:
select s.session_id,
       @@SERVERNAME as ServerName,
       s.original_login_name,
       c.net_transport,
       c.auth_scheme,
       c.local_tcp_port,
       s.host_name,
       s.program_name
from sys.dm_exec_sessions s
left outer join sys.dm_exec_connections c on (s.session_id = c.session_id)
where s.is_user_process = 1
In the auth_scheme column, the console server's connections should show KERBEROS (over port 1433, for example); NTLM there means the connection is still using host names or settings that prevent Kerberos.