gMSA for AD/Hybrid User Source Sync

Several Google searches and configuration changes later, I still can't figure out how to get a User Source synced to AD using a gMSA.

I already have an MSA configured for the Ignition service, and it is working for all of our SQL connections/transactions and the SMTP connection; however, I can't get it to work with Active Directory.

I get the following java exception in the gateway Logger: "java.lang.Exception: Invalid configuration for directory search: no username/password for search."

Based on the exception, my guess is that this isn't supported since gMSA doesn't use a static password; however, before I move over to a static service account, I figured it wouldn't hurt to ask the community and see if someone has attempted this.

Thank you in advance for your input!

Hey Daniel,

Can you provide a full stack trace of the error you are receiving? Does the gateway user you are using have a static password currently, and does that user have permission to query Active Directory?

Hi Joshua,

Here is the full stack trace:
############################################################
#################### Stack Trace Start #########################
java.lang.Exception: Invalid configuration for directory search: no username/password for search.
at com.inductiveautomation.ignition.gateway.authentication.impl.LDAPHelper.search(LDAPHelper.java:348)
at com.inductiveautomation.ignition.gateway.authentication.impl.ADInternalHybridUserSource.getUsers(ADInternalHybridUserSource.java:200)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper.doGetUsers(UserSourceWrapper.java:540)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper$UserCacheImpl.doUpdate(UserSourceWrapper.java:269)
at com.inductiveautomation.ignition.gateway.authentication.UserSourceWrapper$UserCacheImpl.doUpdate(UserSourceWrapper.java:265)
at com.inductiveautomation.ignition.gateway.authentication.AbstractCache$UpdateTask.run(AbstractCache.java:118)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
################# Stack Trace End #############################
############################################################

The gMSA being used for the Ignition service does have the appropriate permissions to query AD; however, gMSAs by design do not have static passwords. The account's password is handled entirely by AD (it is regularly cycled/reset every 30 days), and security group membership allows the service to query AD for the account's password. That is why you don't assign a password in the configuration, and it is probably the reason we are seeing the exception above.

I've successfully synced AD to an Ignition user source with a static service account; however, it would be best if a gMSA could be used.

Support told me a while ago that they don't support GMSA accounts, did you ever get this working?

I was told the same thing. From what I've observed, there is no "JDBC integratedSecurity driver equivalent" for LDAP queries. This seems to be a common challenge for a lot of applications, not just Ignition (see gmsa account to bind to Microsoft AD - Microsoft Q&A).

I am still currently using a simple bind with a standard user DN "service account" with a stupid long and complex password. If your security team is following NIST Password Guidelines (mine is not), then I wouldn't worry about it too much, as you would only need to update your service account's password once a year at most. However, if your organization uses antiquated security policies requiring account passwords to be refreshed every 90 days, you will need to manually update the LDAP profile in Ignition every time it is changed.

I am not actively searching for a solution, but hope to loop back to this problem and see if I can find one. If you happen across one, please share!
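Added example, not from this thread and not something the thread shows Ignition's LDAPHelper supporting: the closest LDAP analogue to the JDBC integratedSecurity bind is a Kerberos (GSSAPI) SASL bind through JNDI, where the credential is the service logon's own Kerberos ticket rather than a stored username/password, so a gMSA's rotating password never has to be written into a profile. The domain controller, base DN, group DN and the JAAS entry name "IgnitionGmsa" are assumed placeholders.

```java
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;

public class GssapiLdapSearch {
    // Assumed placeholders: replace with your own domain controller, base DN and group.
    static final String LDAP_URL = "ldap://dc01.example.local:389";
    static final String BASE_DN  = "DC=example,DC=local";
    static final String GROUP_DN = "CN=IgnitionUsers,OU=Groups,DC=example,DC=local";

    public static void main(String[] args) throws Exception {
        // "IgnitionGmsa" is an assumed JAAS entry name. In the login config it should use
        // com.sun.security.auth.module.Krb5LoginModule with useTicketCache=true so the ticket
        // from the service's logon (the gMSA) is reused. Run with
        // -Djava.security.auth.login.config=/path/to/jaas.conf
        // Caveat: on Windows the LSA must expose the TGT session key to Java
        // (AllowTgtSessionKey under Lsa\Kerberos\Parameters), or the cached ticket is unusable.
        LoginContext lc = new LoginContext("IgnitionGmsa");
        lc.login();   // no password here: the Kerberos TGT already held by the service is the credential
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, LDAP_URL);
            // GSSAPI SASL bind instead of SECURITY_PRINCIPAL / SECURITY_CREDENTIALS (simple bind)
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // Request integrity and confidentiality protection on the LDAP session
            env.put("javax.security.sasl.qop", "auth-conf");
            DirContext ctx = new InitialDirContext(env);
            try {
                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                sc.setReturningAttributes(new String[] {"sAMAccountName"});
                String filter = "(&(objectClass=user)(memberOf=" + GROUP_DN + "))";
                NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, sc);
                while (results.hasMore()) {
                    System.out.println(results.next().getNameInNamespace());
                }
            } finally {
                ctx.close();
            }
            return null;
        });
    }
}
```

The bind succeeds only when the running process holds a ticket for the account AD trusts to read the directory, which is exactly the gMSA's logon session, so it is worth checking with a tool like this before concluding that a static service account is the only option.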