Find Answers
Qlik Community
Collaborate with over 60,000 Qlik technologists and members around the world to get answers to your questions, and maximize success.
Join Us
Knowledge
Qlik Sense Enterprise - MSA & gMSA
Article Number: 000048854 | Last Modified: 2019/09/16Description
There is no official answer on whether these kinds of accounts are supported, but there are various considerations at play when considering using such accounts.
Resolution
- What is a Managed Service Account?
- Introduced in Windows Server 2008, MSA’s allow you to create an account in Active Directory that is tied to a specific computer. That account has its own complex password and is maintained automatically. This means that an MSA can run services on a computer in a secure and easy to maintain manner, while maintaining the capability to connect to network resources as a specific user principal.
- What are the differences between a Managed Service Account and a Group Managed Service Account?
- For the purposes of Qlik Sense, the primary difference is that gMSA can be applied to multiple computers even as it exists as Computer like object in AD while a MSA can only be applied to single computer.
-
Unlike the previous MSAs, the password for gMSAs are generated and maintained by the Key Distribution Service (KDS) on Windows Server 2012 DCs. Member servers that wish to use the gMSA, simply query the DC for the current password. Usage of the gMSA is restricted to only those computers specified in the security descriptor, msDS-GroupMSAMembership.
As the password for the gMSA is needed, for example when a host using the gMSA retrieves it, the DC will determine if a password change is necessary. If so, it uses a pre-determined algorithm to compute the password (120 characters). This algorithm depends upon a root key ID that is shared across all Windows Server 2012 KDS instances (pre-generated by an administrator), the current time (translated to an epoch) and the SID of the gMSA. Thus, any Windows Server 2012 KDS can generate the password, and all KDS instances use the same algorithm and will generate the same password.
Since the password (or, more precisely, the password hash) for the gMSA will be stored in Active Directory, down-level DCs will still be able to handle authentication requests – for example, to respond to a Kerberos TGS-REQ for a service ticket. Source: https://blogs.technet.microsoft.com/askpfeplat/2012/12/16/windows-server-2012-group-managed-service-accounts/
- What are the requirements for a gMSA to be used for Qlik Sense?
- DISCLAIMER: gMSA's are not tested and are not guaranteed to work in all cases.
- Thus, this list is not exhaustive and additional requirements may be required based on environment and product changes.
- Generally, so long as an administrative account being used has been configured to have local administrative and file level permissions to the server and Qlik Sense share location through some administrative group, you should be able to setup the service accounts on the individual Qlik Sense nodes.
- However, you can not use a gMSA account to run through the installer. This is because the password will not be able to validated by the installer as it is a generated value.
Get Answers
Find Answers
Get Support
Have a Question?
Search Qlik's Support Knowledge database or request assisted support for highly complex issues.
Submit a case
Talk with a Representative
Critical Issues
Experiencing a serious issue, please contact us by phone. For Data Integration related issues please refer to your onboarding documentation for current phone number.