Qlik Sense Enterprise - MSA & gMSA

Article Number: 000048854 | Last Modified: 2019/09/16

Description

There is no official answer on whether these kinds of accounts are supported, but there are various considerations at play when considering using such accounts.

Resolution

What is a Managed Service Account?
- Introduced in Windows Server 2008, MSA’s allow you to create an account in Active Directory that is tied to a specific computer. That account has its own complex password and is maintained automatically. This means that an MSA can run services on a computer in a secure and easy to maintain manner, while maintaining the capability to connect to network resources as a specific user principal.
What are the differences between a Managed Service Account and a Group Managed Service Account?
- For the purposes of Qlik Sense, the primary difference is that gMSA can be applied to multiple computers even as it exists as Computer like object in AD while a MSA can only be applied to single computer.
- Unlike the previous MSAs, the password for gMSAs are generated and maintained by the Key Distribution Service (KDS) on Windows Server 2012 DCs. Member servers that wish to use the gMSA, simply query the DC for the current password. Usage of the gMSA is restricted to only those computers specified in the security descriptor, msDS-GroupMSAMembership.
  
  As the password for the gMSA is needed, for example when a host using the gMSA retrieves it, the DC will determine if a password change is necessary. If so, it uses a pre-determined algorithm to compute the password (120 characters). This algorithm depends upon a root key ID that is shared across all Windows Server 2012 KDS instances (pre-generated by an administrator), the current time (translated to an epoch) and the SID of the gMSA. Thus, any Windows Server 2012 KDS can generate the password, and all KDS instances use the same algorithm and will generate the same password.
  
  Since the password (or, more precisely, the password hash) for the gMSA will be stored in Active Directory, down-level DCs will still be able to handle authentication requests – for example, to respond to a Kerberos TGS-REQ for a service ticket. Source: https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/
What are the requirements for a gMSA to be used for Qlik Sense?
- DISCLAIMER: gMSA's are not tested and are not guaranteed to work in all cases.
- Thus, this list is not exhaustive and additional requirements may be required based on environment and product changes.
- Generally, so long as an administrative account being used has been configured to have local administrative and file level permissions to the server and Qlik Sense share location through some administrative group, you should be able to setup the service accounts on the individual Qlik Sense nodes.
- However, you can not use a gMSA account to run through the installer. This is because the password will not be able to validated by the installer as it is a generated value.

Get Answers

Find Answers

Qlik Community

Collaborate with over 60,000 Qlik technologists and members around the world to get answers to your questions, and maximize success.

Join Us

Get Support

Have a Question?

Search Qlik's Support Knowledge database or request assisted support for highly complex issues.

Submit a case

Talk with a Representative

Critical Issues

Experiencing a serious issue, please contact us by phone. View phone numbers and hours by region.

A complete multi-cloud solution

Guided Analytics

Additional Products

Value Added Products

Join Qlik Community

Have a Question?

Critical Issues

Qlik Sense Enterprise - MSA & gMSA

Description

Resolution

Was this content helpful?

Get Answers

Qlik Community

Have a Question?

Critical Issues