Hello MQ community users,
I have the following question for your consideration:
Suppose that an organization plans to onboard Windows service account automation, in a way that all Windows infra service accounts leverage the AD group managed service account (gMSA) mechanism for automated password management (rotation/change) & security.
Is it feasible for the Windows MQ service to utilize the gMSA mechanism, or is it suggested to do so, considering the following:
1) gMSA cannot be implemented on MQ Failover clusters, given that Failover Clusters don't support gMSAs, according to the Microsoft article posted below: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/group-managed-service-accounts-overview
"Failover clusters don't support gMSAs. However, services that run on top of the Cluster service can use a gMSA or a sMSA if they're a Windows service, an app pool, a scheduled task, or natively support gMSA or sMSA."
The above statement doesn't solve the problem, since it implies that the MQ service should use an sMSA (Standalone Managed Service Account) on each cluster node.
From my point of view, this is a main issue for Windows MQ failover clusters.
2) The MQ service password needs to be provided every time a new MQ instance setup is in progress, so by using gMSA the MQ service password would not be available ad hoc; instead, only specific accounts (Enterprise Admins or Domain Admins) are able to access the specific attribute in the AD KDS (Key Distribution Service) object hosted on the DC (Domain Controller).
For me, this is a critical limitation for a smooth MQ instance setup, in either Standalone and/or Cluster setups.
3) The creation of a managed service account will add an object of class msDS-GroupManagedServiceAccount to the domain, with the attribute msDS-ManagedPassword: a constructed attribute containing a Binary Large OBject (BLOB) with the current and previous gMSA password in clear text.
If someone (an attacker) obtains local admin access on the hosts (DCs) where a gMSA is installed, they can extract the clear-text password from the LSA secrets, instead of requesting it from the DC.
https://medium.com/@offsecdeer/attacking-group-managed-service-accounts-gmsa-5e9c54c56e49
So, from my perspective, security is also questionable in this case.
4) As a member of the local Microsoft service delivery organization in the past, I can recall a fix posted by Microsoft regarding MSA (Managed Service Accounts) password synchronization disruption on Windows 2008 Servers.
In my understanding, nobody can guarantee for good against a future random gMSA password change/rotation/sync mechanism disruption (similar to the one I experienced in the past on WinSrv2008) that could cause MQ service unavailability, which in turn would result in loss of uncommitted transactions & messages within a 24 x 7 production flow system.
Any advice or comment on the above will be much appreciated.
P.S.
In case I need an official response for the subjected question, do you think that I need to raise a ticket to IBM (via IBM PA)?
Cheers, Nick.
------------------------------
Nick Dakoronias
------------------------------
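As an added example (not from the original post, and not IBM's or Microsoft's code), a defender-side PowerShell check covering points 2 to 4 above: it lists which principals may retrieve the gMSA's managed password, verifies that this host can still fetch it (the sync-failure mode from point 4), and confirms the MQ service actually logs on as the gMSA. The gMSA name, the MQ service name and the expected host list are placeholders; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: audit a gMSA used by the IBM MQ Windows service from a defender's view.
# Placeholders (not from the original post): gMSA name, MQ service name, expected host list.
Import-Module ActiveDirectory

function Test-MqGmsaConfig {
    param(
        [string]$GmsaName      = 'svc-mq-gmsa',                 # placeholder sAMAccountName, without trailing $
        [string]$MqService     = 'MQ_Installation1',            # placeholder; confirm with Get-Service on the host
        [string[]]$ExpectedHosts = @('MQNODE01$', 'MQNODE02$')  # placeholder computer accounts allowed to fetch the password
    )

    # 1) Who may read msDS-ManagedPassword? Every extra principal widens the exposure described in point 3.
    $gmsa = Get-ADServiceAccount -Identity $GmsaName `
                -Properties PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval
    $allowed = foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        (Get-ADObject -Identity $dn -Properties sAMAccountName).sAMAccountName
    }
    $unexpected = @($allowed | Where-Object { $_ -notin $ExpectedHosts })
    if ($unexpected.Count -gt 0) {
        Write-Warning "Unexpected principals may retrieve the gMSA password: $($unexpected -join ', ')"
    } else {
        Write-Output "Password retrieval restricted to: $($allowed -join ', ')"
    }
    Write-Output "Rotation interval (days): $($gmsa.'msDS-ManagedPasswordInterval')"

    # 2) Can this host still fetch the current password? $false is the rotation/sync failure from point 4;
    #    alert on it before the service next restarts, rather than discovering it as an MQ outage.
    $canRetrieve = Test-ADServiceAccount -Identity $GmsaName
    Write-Output "Test-ADServiceAccount on $($env:COMPUTERNAME): $canRetrieve"

    # 3) Is the MQ service configured to log on as the gMSA (StartName looks like DOMAIN\svc-mq-gmsa$)?
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$MqService'"
    if (-not $svc) {
        Write-Warning "Service $MqService not found on this host"
    } elseif ($svc.StartName -notlike "*\$GmsaName`$") {
        Write-Warning "$MqService runs as '$($svc.StartName)', not as the gMSA"
    } else {
        Write-Output "$MqService logs on as $($svc.StartName)"
    }

    # Return the raw facts so the check can be scheduled and its output fed to monitoring.
    [pscustomobject]@{
        AllowedPrincipals   = $allowed
        UnexpectedPrincipals = $unexpected
        HostCanRetrieve     = $canRetrieve
        ServiceLogonAccount = $svc.StartName
    }
}

Test-MqGmsaConfig
```

Run it on each MQ node under an account that can read the gMSA object; a `$false` from Test-ADServiceAccount or a non-empty UnexpectedPrincipals list is the condition to act on.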