PingFederate Server

Running PingFederate as a service using a gMSA on Windows

You can run PingFederate as a service using a group Managed Service Account (gMSA) on Windows. gMSAs automatically rotate their passwords on a recurring basis. This improves security and reduces password expiration-related downtime by offloading password management onto Windows. gMSAs provide a distinct network identity for services. This enables granular, least-privilege access controls on resources and simplifies multi-server cluster or farm deployments by allowing authorized hosts to share the single managed account. Compared to traditional user or built-in accounts, gMSAs reduce administrative overhead and strengthen the overall security posture of applications running on Windows Server.

Learn more about gMSAs in the Group Managed Service Accounts overview in the Windows documentation.

Before you begin

Setting up the gMSA

Steps

  1. From a Domain Controller within the Active Directory, use the New-ADServiceAccount command to create the gMSA.

    New-ADServiceAccount <accountName> -DNSHostName <serviceHostName> -PrincipalsAllowedToRetrieveManagedPassword <computerAccountsAbleToAccessAccount>

    Example:

    New-ADServiceAccount PingFarm -DNSHostName pingfederate02.jones.lab -PrincipalsAllowedToRetrieveManagedPassword PINGFEDERATE02$

    Find a list of other gMSA properties you can set using the Set-ADServiceAccount command in the Windows documentation.

  2. Use the Install-ADServiceAccount command to install the gMSA on the specified host machine.

    Example:

    On the pingfederate02 machine from the previous example, you would run the following:

    Install-ADServiceAccount -Identity 'PingFarm'

  3. Verify the installation by running the Test-ADServiceAccount command.

    Example:

    If the host can retrieve the gMSA password, running the following command returns a value of True:

    Test-ADServiceAccount -Identity 'PingFarm'

Installing PingFederate as a service

Steps

  1. Install PingFederate as a service.

    Choose from:

  2. Install PingFederate to a neutral directory like C:\Program Files\Ping Identity\.

  3. Right-click PingFederate folder > Properties > Security.

  4. Under the Group or user names section, click Edit > Add > Advanced > Object Types.

  5. Select the Service Accounts checkbox.

  6. Click OK.

  7. Click Find Now.

  8. Click your gMSA.

  9. Click OK > OK.

  10. Grant the gMSA account full control of the PingFederate folder.

Running PingFederate as a service with gMSA

  1. In Windows, search for Services and launch it.

  2. Find PingFederate in the list.

  3. Right-click PingFederate > Properties > Log On.

  4. Under Log on as > This account > Browse > Advanced > Find Now, select the gMSA.

  5. Clear the Password fields and click OK.

  6. Search for Local Security Policy and launch it.

  7. Click Local Policies > User Rights Assignment and grant the gMSA the Log on as a service right.

  8. Go to Services and launch or relaunch PingFederate.
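The three procedures above, carried out from PowerShell as an added example that is not part of the PingFederate documentation. It assumes the domain JONES (jones.lab), the gMSA name PingFarm, the host PINGFEDERATE02, an install path under C:\Program Files\Ping Identity\ and a Windows service named PingFederate (confirm with Get-Service); part 1 runs on a domain controller, parts 2 to 4 in an elevated session on the PingFederate host.

```powershell
# Added example, not from the PingFederate docs. Names below are assumptions:
# domain JONES / jones.lab, gMSA PingFarm, host PINGFEDERATE02, service "PingFederate".

# --- 1. Domain controller: create the gMSA (Active Directory PowerShell module) ---
Import-Module ActiveDirectory
if (-not (Get-KdsRootKey)) {
    throw "No KDS root key exists; New-ADServiceAccount will fail until one is added."
}
New-ADServiceAccount -Name 'PingFarm' -DNSHostName 'pingfederate02.jones.lab' `
    -PrincipalsAllowedToRetrieveManagedPassword 'PINGFEDERATE02$'
# Least-privilege check: only the intended host(s) may retrieve the password.
(Get-ADServiceAccount 'PingFarm' -Properties PrincipalsAllowedToRetrieveManagedPassword
).PrincipalsAllowedToRetrieveManagedPassword

# --- 2. PingFederate host: install the gMSA and verify it can be used ---
Install-ADServiceAccount -Identity 'PingFarm'
if (-not (Test-ADServiceAccount -Identity 'PingFarm')) {
    throw "This host cannot retrieve the gMSA password; check the allowed principals."
}

# --- 3. Grant the gMSA full control of the PingFederate folder (step 10 above) ---
$pfDir = 'C:\Program Files\Ping Identity\pingfederate'   # assumed install path
$gmsa  = 'JONES\PingFarm$'                               # gMSA logon names end in $
icacls $pfDir /grant "${gmsa}:(OI)(CI)F" /T

# --- 4. Point the service at the gMSA. An empty password tells the Service
#        Control Manager to fetch it from AD (the "clear the Password fields" step).
sc.exe config PingFederate obj= $gmsa password= ""
(Get-CimInstance Win32_Service -Filter "Name='PingFederate'").StartName

# Check that the gMSA holds "Log on as a service" (SeServiceLogonRight). Unlike
# services.msc, sc.exe does not grant it; it is assigned in Local Security Policy.
# Only a direct grant to the gMSA's SID is detected here, not one via group.
$sid = (New-Object System.Security.Principal.NTAccount($gmsa)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item $cfg
if ($line -match [regex]::Escape($sid)) {
    "OK: $gmsa has the Log on as a service right"
    Restart-Service -Name PingFederate
} else {
    "MISSING: grant $gmsa Log on as a service in Local Security Policy before starting"
}
```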