How do I use gMSA with Octopus Tentacle?

Hi,

We’ve been wanting to use gMSA (Group Managed Service Accounts) when deploying Octopus Tentacles and I was wondering how we’d go about doing that?

Thanks

Hi,

Thanks for getting in touch.

I’ve tested this today, and gMSA accounts do work with Octopus, but there are a few things to consider. I leaned on this article while configuring my test lab and you can see it on https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-how-to-work-with-group-managed-service-accounts/ba-p/329864.

I started by prepping my Domain Controllers.

Add-KdsRootKey -EffectiveImmediately

By default, it takes 10 hours for DCs to start responding to gMSA requests, but you can override it using the below command. This is generally not recommended in Production.

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

On the Domain Controller, I could then run the below to use the ActiveDirectory PowerShell module. One thing to be aware of is that you need this module on all servers and it comes as part of the RSAT tools. I won’t be covering that as part of the ticket as I’ll assume all Virtual Machines have this module available to them.

In Active Directory, I created a group called Octopus in Active Directory and added the servers to it along with some other service accounts you can ignore.

I then could create the account using:

New-ADServiceAccount "OctopusTentacle" -DNSHostName "octo1.work.local, octo2.work.local" -PrincipalsAllowedToRetrieveManagedPassword "Octopus"

The above is assuming that octo1.work.local and octo2.work.local are your Octopus Servers. You may only have one, so just specify the server you have.

On each of the machines you want to run the Tentacle service on, you will need to run:

Install-ADServiceAccount -Identity "OctopusTentacle"

This will grant access to the OctopusTentacle gMSA on the server.

I then updated the service account to:

I then started the service. I ran into issues at this point as I noticed the logs were not being written to. I then set the permission detailed on Permissions required for the Tentacle Windows Service - Octopus Deploy for the gMSA and it started working. The key bit is to ensure that it has the permissions needed for the tasks at hand.

With anything, we’d recommend testing this on a test instance before rolling it out to production.

Thanks,

Derek
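The steps in Derek's reply, pulled together into one script as an added example (this is not code from the thread or from Octopus Deploy). It assumes the lab domain `work.local`, the group `Octopus` and the account `OctopusTentacle` from the reply, plus three values the thread does not give: the Tentacle computer object names (`octo1`, `octo2`), the service name `OctopusDeploy Tentacle` and the Tentacle home directory `C:\Octopus`. It passes a single FQDN to `-DNSHostName` (that parameter names the account itself) and relies on the group membership alone to decide which servers may retrieve the password; the `Test-ADServiceAccount` call is the check to run before touching the service, since it returns `$false` on exactly the misconfigurations (group membership not yet replicated, KDS key not yet effective) that otherwise only show up as a service that fails to start.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original thread. Values marked "assumption" are
# placeholders for the lab described in the reply.

$Domain        = 'work.local'              # lab domain used in the thread
$GroupName     = 'Octopus'                 # group created in the thread
$AccountName   = 'OctopusTentacle'         # gMSA name used in the thread
$TentacleHosts = @('octo1', 'octo2')       # assumption: computer object names of the Tentacle servers
$ServiceName   = 'OctopusDeploy Tentacle'  # assumption: Tentacle service name
$TentacleHome  = 'C:\Octopus'              # assumption: Tentacle home directory that must be writable

# --- Part 1: run once, on a Domain Controller --------------------------------
function Initialize-TentacleGmsa {
    # A KDS root key must exist before any gMSA can be created. Even with
    # -EffectiveImmediately the DCs wait ~10 hours before serving it; back-dating
    # the key (as in the thread) is a lab-only shortcut.
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveImmediately | Out-Null
    }

    # Security group whose members are allowed to retrieve the managed password.
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
    }
    $computers = $TentacleHosts | ForEach-Object { Get-ADComputer -Identity $_ }
    Add-ADGroupMember -Identity $GroupName -Members $computers

    # -DNSHostName is one FQDN for the account; which servers may use the
    # account is controlled by PrincipalsAllowedToRetrieveManagedPassword.
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$AccountName'")) {
        New-ADServiceAccount -Name $AccountName `
            -DNSHostName "$AccountName.$Domain" `
            -PrincipalsAllowedToRetrieveManagedPassword $GroupName
    }
}

# --- Part 2: run on each Tentacle server -------------------------------------
# The server must pick up its new group membership first: reboot it, or purge
# the computer account's Kerberos tickets with  klist -li 0x3e7 purge.
function Install-TentacleGmsa {
    # Caches the managed password in the local LSA so the Service Control
    # Manager can start the service without a stored password.
    Install-ADServiceAccount -Identity $AccountName

    # $true only if this host can actually fetch the password from a DC.
    if (-not (Test-ADServiceAccount -Identity $AccountName)) {
        throw "Host cannot use gMSA '$AccountName': check group membership, replication and KDS key effective time."
    }

    # gMSA logons use DOMAIN\name$ with an empty password.
    $netbios = (Get-ADDomain).NetBIOSName
    $gmsa    = "$netbios\$AccountName`$"

    # Point the service at the gMSA via Win32_Service.Change (ReturnValue 0 = success).
    $svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
                  -Arguments @{ StartName = $gmsa; StartPassword = '' }
    if ($result.ReturnValue -ne 0) {
        throw "Changing the service account failed with code $($result.ReturnValue)."
    }

    # The failure in the thread (no logs written) was missing file-system rights:
    # grant the account full control of the Tentacle home directory, recursively.
    icacls $TentacleHome /grant "${gmsa}:(OI)(CI)F" /T | Out-Null

    Restart-Service -Name $ServiceName
    # Report the account the service now runs as, for verification.
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName
}
```

Run `Initialize-TentacleGmsa` on a DC, wait for replication (or use the lab-only back-dated key), then run `Install-TentacleGmsa` on each server. Unlike services.msc, the CIM `Change` call does not grant the account the "Log on as a service" user right, so if the service still refuses to start, that right (listed on the Octopus permissions page Derek links) is the next thing to check.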