Qlik Community
Collaborate with over 60,000 Qlik technologists and members around the world to get answers to your questions, and maximize success.
Join UsUnlike the previous MSAs, the password for gMSAs are generated and maintained by the Key Distribution Service (KDS) on Windows Server 2012 DCs. Member servers that wish to use the gMSA, simply query the DC for the current password. Usage of the gMSA is restricted to only those computers specified in the security descriptor, msDS-GroupMSAMembership.
As the password for the gMSA is needed, for example when a host using the gMSA retrieves it, the DC will determine if a password change is necessary. If so, it uses a pre-determined algorithm to compute the password (120 characters). This algorithm depends upon a root key ID that is shared across all Windows Server 2012 KDS instances (pre-generated by an administrator), the current time (translated to an epoch) and the SID of the gMSA. Thus, any Windows Server 2012 KDS can generate the password, and all KDS instances use the same algorithm and will generate the same password.
Since the password (or, more precisely, the password hash) for the gMSA will be stored in Active Directory, down-level DCs will still be able to handle authentication requests – for example, to respond to a Kerberos TGS-REQ for a service ticket. Source: https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/
Collaborate with over 60,000 Qlik technologists and members around the world to get answers to your questions, and maximize success.
Join UsSearch Qlik's Support Knowledge database or request assisted support for highly complex issues.
Submit a caseExperiencing a serious issue, please contact us by phone. View phone numbers and hours by region.