Impersonate as Group Managed Service Account (gMSA) in Windows 2012

  • Question

  • Dear Microsoft Team,

    Have a good day!

    After Windows 2012, gMSA is created/managed by Windows 2012 with the ActiveDirectory PowerShell Module. The service can be started by logging on with gMSA and it doesn't need to change the password manually. That's great.

    However, we have encountered a problem and need your help. Here are our steps:

    (1) We created a gMSA on the Domain Controller, and this gMSA can be used on Machine A and Machine B;

    (2) There is a SQL Server 2014 on Machine A, and we added this gMSA as a SQL Server login;

    (3) We implemented a program (it is NOT a Windows Service), and this program runs on Machine B. It will connect to SQL Server via Windows Authentication. We want to use this gMSA account to connect to SQL Server, so we try to impersonate the gMSA user in the program.

    +++++++++++++++++++++++++++++++++++++++++++++

    #include <windows.h>
    #include <iostream>
    using namespace std;

    BOOL IMPERSONATE_USER()
    {
        HANDLE tokenHandle = NULL;
        // Service-type logon with the gMSA name (trailing '$') and an empty password
        BOOL bRet = LogonUserA("IcekingTest$", "testcom", "", //s_URLUserName, s_URLDomain, s_URLPassword,
            LOGON32_LOGON_SERVICE, LOGON32_PROVIDER_DEFAULT, &tokenHandle);
        // Also tried: interactive logon with the account name without the trailing '$'
        //BOOL returnValue = LogonUserA("IcekingTest", "testcom", "", //s_URLUserName, s_URLDomain, s_URLPassword,
        //  LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, &tokenHandle);
        if (!bRet)
        {
            cout << "error logon: " << GetLastError() << endl;
            return FALSE;
        }
        if (!ImpersonateLoggedOnUser(tokenHandle))
        {
            cout << "Impersonate failed!" << endl;
            CloseHandle(tokenHandle);
            return FALSE;
        }
        // The calling thread now runs under the gMSA token; the token handle itself is no longer needed
        CloseHandle(tokenHandle);
        return TRUE;
    }

    +++++++++++++++++++++++++++++++++++++++++++++

    It failed, and the output is as follows:

    +++++++++++++++++++++++++++++++++++++++++++++

    error logon: 1326

    +++++++++++++++++++++++++++++++++++++++++++++

    Error 1326 means:

    +++++++++++++++++++++++++++++++++++++++++++++

    ERROR_LOGON_FAILURE

    1326 (0x52E)

    The user name or password is incorrect.

    +++++++++++++++++++++++++++++++++++++++++++++

    Our question is: if our program is not a Windows service, how does the program impersonate the gMSA account? Or, how can we use the gMSA account in a program which is not a Windows Service?

    Best regards,

    Iceking

    November 16, 2015 9:01
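As an added check that is not part of the original post, the following PowerShell uses the ActiveDirectory module mentioned above to confirm that the hosts expected to use the gMSA are actually allowed to retrieve its managed password, which is the precondition for any logon with the account on that host, and to flag any other principal that holds the same right. The computer names MACHINEA and MACHINEB are placeholders for Machine A and Machine B; Test-ADServiceAccount only reports on the host it runs on.

```powershell
# Added example (not from the original post): audit who may retrieve the gMSA's
# managed password, and test the gMSA on the local host if it is one of the expected hosts.
Import-Module ActiveDirectory

$GmsaSam       = 'IcekingTest$'             # gMSA from the post (sAMAccountName ends with '$')
$ExpectedHosts = @('MACHINEA', 'MACHINEB')  # placeholder computer names for Machine A / Machine B

$gmsa = Get-ADServiceAccount -Identity $GmsaSam -Properties PrincipalsAllowedToRetrieveManagedPassword

# Expand the allowed principals: computers directly, plus members of any listed group (recursively).
$allowedDns = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $dn -Recursive | ForEach-Object { [void]$allowedDns.Add($_.DistinguishedName) }
    } else {
        [void]$allowedDns.Add($obj.DistinguishedName)
    }
}

# Per expected host: can it retrieve the password at all? If not, no logon as the gMSA can succeed there.
$expectedDns = @()
foreach ($hostName in $ExpectedHosts) {
    $computer = Get-ADComputer -Identity $hostName
    $expectedDns += $computer.DistinguishedName
    if ($allowedDns.Contains($computer.DistinguishedName)) {
        '{0}: may retrieve the managed password' -f $hostName
    } else {
        '{0}: NOT allowed; grant it with Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword' -f $hostName
    }
}

# Any other principal on the list can act as the gMSA on its own host; review each one.
$extra = $allowedDns | Where-Object { $_ -notin $expectedDns }
if ($extra) { 'Additional principals able to retrieve the password:'; $extra }

# On an expected host, confirm the gMSA is installed and usable locally (run this on that host).
if ($env:COMPUTERNAME -in $ExpectedHosts) {
    'Test-ADServiceAccount on {0}: {1}' -f $env:COMPUTERNAME, (Test-ADServiceAccount -Identity $GmsaSam)
}
```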