Using gMSA in Linux containers

Why use gMSA in containers at all? Group Managed Service Accounts (gMSA) solve the problem of storing and rotating service passwords: the password is kept only in AD and is rotated automatically on a regular schedule. Using gMSA means the ACLs and roles already configured on file shares and SQL servers do not have to change: applications keep working with their existing permissions through the corporate Kerberos/SPN mechanisms. This integration gives a transparent and controlled migration of classic applications into a Kubernetes container infrastructure. Let's look at how this works using a simple cross-platform dotnet application as an example.

https://habr.com/ru/articles/956196/

#gMSA #credentialsfetcher #k8s #linux

🔐 Secure PowerShell remoting made simple. At #PSConfEU 2025, Bartek Bielawski showed how Constrained Endpoints + gMSA limit risks while keeping admins efficient. 🎟️ Early bird 2026 tickets → psconf.eu #PowerShell #Security #gMSA #Remoting

Anyone know the history of this? There are some things that are obvious. The base is the #Opel Rekord D. It’s South Africa. It must be a variant of the #Chevrolet 2500, 3800 or 4100 (the file name suggests 2500). But what is the deal with the grille? It seems Chevrolet (#GMSA) was experimenting with the Wayne Cherry droop snoot? #GM #WeirdCarMastodon #car #Auto #RSA #history

If you can't seem to install your gMSA service account, it might be because you recently removed RC4. #gMSA #windows

Also shoutout to @textfiles for being able to find this otherwise lost article!

https://web.archive.org/web/20201112030352/https://docs.microsoft.com/en-us/archive/blogs/joelvickery/cannot-install-service-account-the-provided-context-did-not-match-the-target

gMSA sample #application #ForWindows containers #OperatingSystem

To that end, I created a containerized sample app to test if the gMSA config is working or not. This sample app is actually nothing more than the IIS base container image, with a new virtual directory with Windows authen [...]
https://bit.ly/3HaRDNB #app #gmsalm-demo #gMSA #AK #spec
Source: Microsoft Tech Community ITOps Talk Blog

Security is an important consideration when running production workloads on a Service Fabric cluster, and Windows security with group Managed Service Accounts (gMSA) is the recommended model. This article outlines how to configure node-to-node and client-to-node security using the gMSA model in a standalone Service Fabric Cluster running on Azure Virtual Machine Scale Sets with Windows Server 2022. https://techcommunity.microsoft.com/t5/azure-paas-blog/standalone-service-fabric-cluster-secured-with-windows-gmsa/ba-p/3715287 #ServiceFabric #gMSA #AzureVMSS
Microsoft is rolling out fixes for problems with the #Kerberos network #authentication protocol on Windows Server after it was broken by a November 8 Patch: https://www.theregister.com/2022/11/21/microsoft_kerberos_fix_windows/ | #DomainController #GMSA

For those with questions on how to check the #November #Patches issue mentioned by @fabian_bader, where "services like MDI that run on the Domain Controller itself and use a #gMSA won't start anymore if msDS-SupportedEncryptionTypes is set to AES 128 and/or AES 256 only"

You can run (at least on your DC) get-adcomputer -properties msDS-SupportedEncryptionTypes -filter * and if it returns 24 I believe you are affected. Possibly also the values 16 and 8 if I'm understanding this bug right.

Source for values: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797

Source for PowerShell: https://serverfault.com/questions/896486/query-kerberos-encryption-modes-supported-by-ad-through-ldap

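The check from the post above, worked through as an added example that is not part of the original post: it decodes the msDS-SupportedEncryptionTypes bitmask of every computer account and lists the ones set to AES only (the values 24, 16 and 8 the post names). It assumes the ActiveDirectory module is installed and uses the standard bit values of that attribute.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes and flag AES-only accounts.
# Assumes the ActiveDirectory module (RSAT) is installed; the bit values below are
# the standard flag values of the attribute (DES=1,2; RC4=4; AES128=8; AES256=16).
Import-Module ActiveDirectory

$EtypeFlags = [ordered]@{
    1  = 'DES-CBC-CRC'
    2  = 'DES-CBC-MD5'
    4  = 'RC4-HMAC'
    8  = 'AES128-CTS-HMAC-SHA1-96'
    16 = 'AES256-CTS-HMAC-SHA1-96'
}

# Turn the bitmask into a readable list of the enabled encryption types.
function ConvertFrom-EtypeMask {
    param([int]$Mask)
    if ($Mask -eq 0) { return 'not set (domain default applies)' }
    $names = foreach ($flag in $EtypeFlags.GetEnumerator()) {
        if (($Mask -band $flag.Key) -ne 0) { $flag.Value }
    }
    return ($names -join ', ')
}

# AES-only: at least one AES bit (8 or 16) set and no DES/RC4 bit (1, 2, 4) set.
# 24 (AES128+AES256), 16 (AES256 only) and 8 (AES128 only) all satisfy this.
function Test-AesOnly {
    param([int]$Mask)
    return ((($Mask -band 24) -ne 0) -and (($Mask -band 7) -eq 0))
}

# Query every computer account and report the ones configured for AES only.
Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes |
    ForEach-Object {
        $mask = 0
        if ($null -ne $_.'msDS-SupportedEncryptionTypes') {
            $mask = [int]$_.'msDS-SupportedEncryptionTypes'
        }
        [pscustomobject]@{
            Name    = $_.Name
            Mask    = $mask
            Etypes  = ConvertFrom-EtypeMask -Mask $mask
            AesOnly = Test-AesOnly -Mask $mask
        }
    } |
    Where-Object { $_.AesOnly } |
    Format-Table Name, Mask, Etypes -AutoSize
```

An account whose attribute is unset (reported as 0 here) falls back to the domain default and is not flagged by this check.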