Azure-pipelines-agent: Agent installer does not support group managed service accounts (gMSA)

Created on 13 Nov 2017 · 23Comments · Source: microsoft/azure-pipelines-agent

Agent version and platform

2.117.2 (from https://go.microsoft.com/fwlink/?linkid=851123) on Windows.

OS of the machine running the agent?

Windows Server 2016

VSTS type and version

On-Prem TFS - TFS 2017 Update 2

What's not working?

I am attempting to use a gMSA (group managed service account) for my build agent but the unattended install progress does allow me to install the agent as a Windows service as it the installer does not understand that gMSA users do not need to provide a password.

My PowerShell install script invokes config.cmd thus

.\config.cmd --unattended --url $tfsHost --auth Integrated --pool $agentPool --agent $agentName --windowslogonaccount "domain\buildservice$" --runasservice --work "$workingDirectory" --replace

This fails with Invalid configuration provided for windowslogonpassword.
If I provide a blank value for --windowslogonpassword the same error occurs.

If I provide a " " (space) the install will fail due to invalid credentials.

My work around is

remove --runasservice and --windowslogonpassword
Register AgentService.exe with SC.exe manually
Profit! The agent successfully connects to TFS and everything works.

Logs of failure

Agent: stoic_tiger Working directory C:\B\641
Installing agent stoic_tiger

>> Connect:

Connecting to server ...

>> Register Agent:

Scanning for tool capabilities.
Connecting to the server.
Successfully added the agent
Testing agent connection.
2017-11-13 04:43:53Z: Settings Saved.
Invalid configuration provided for windowslogonpassword. Terminating unattended configuration.

It would be good to have the installer understand gMSA so I do not need to call SC.exe myself.

enhancement no-stale

Source

michael-baker

👍4 ❤3

Most helpful comment

Would love to have this feature implemented!

peterbarendse on 29 Jul 2020

👍3 ❤2

All 23 comments

The agent uses OAuth tokens per build to access resources. Is there a specific reason you need the service to run as a gMSA account instead of network service or local system? Our goal is the account the agent runs as is mostly irrelevant. I'm interested in your scenario.

bryanmacfarlane on 8 Dec 2017

Our build has many integration points. In some of these points we need login to various services or access resources a valid Windows user account (not machine like Network Service), so for us the agent needs to run as a Windows user.
gMSA lets us achieve this without having to worry about passwords in scripts which setup the agents on the machines in the build farm.

michael-baker on 10 Dec 2017

Thanks. We will add to our backlog and leave this open so you can track progress

Get Outlook for iOShttps://aka.ms/o0ukef

From: Michael Baker notifications@github.com
Sent: Sunday, December 10, 2017 3:00:03 AM
To: Microsoft/vsts-agent
Cc: Bryan MacFarlane; Comment
Subject: Re: [Microsoft/vsts-agent] Agent installer does not support group managed service accounts (gMSA) (#1294)

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHubhttps://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FMicrosoft%2Fvsts-agent%2Fissues%2F1294%23issuecomment-350534326&data=04%7C01%7Cbryanmac%40microsoft.com%7C95ac0b134f874afd3beb08d53fac67e0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636484932070898081%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-1&sdata=cjG17NnrHtKFuvcUd9hx7XCtJp6L44IuAsp%2BVdMoSNQ%3D&reserved=0, or mute the threadhttps://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAA4IDOelBZaIG43aVqreATJWvpLmMYKMks5s-52TgaJpZM4QbZGr&data=04%7C01%7Cbryanmac%40microsoft.com%7C95ac0b134f874afd3beb08d53fac67e0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636484932070898081%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-1&sdata=JolGjCmZ92QgIpRX1WzOCpHqiD%2BUOwhWaSTmfMp4Z3w%3D&reserved=0.

bryanmacfarlane on 11 Dec 2017

gMSA are also great for on prem release agents that are in deployment groups. No one need to know the password of the deployment account then.

jabbera on 22 Jan 2018

@michael-baker @jabbera any of you would like to can help me testing some private bits about gMSA support, since i don't have an environment for testing? :D

TingluoHuang on 24 Jan 2018

Sure but it would have to be compantible with TFS 2018z

jabbera on 24 Jan 2018

@michael-baker @jabbera can you share an agent diag log that failed to configure the agent as service using GMSA? i want to see what is the current error we have, you can send me as email. tihuang @ microsoft.com

TingluoHuang on 25 Jan 2018

I have create a branch with my changes that might enable GMSA support. :)
https://github.com/Microsoft/vsts-agent/tree/users/tihuang/gmsa

Steps to test:

git clone the repository
git checkout users/tihuang/gmsa
run cd src/
run ./dev.cmd layout
run cd ../_layout
run config.cmd to configure the agent.

the _layout folder is the agent folder, if needed, you can zip it and copy across machines.

please share with me the diag log after attempt to configure.

Thanks for help me testing this.

TingluoHuang on 25 Jan 2018

👍1

Has there been any movement on this?

DHowett-MSFT on 17 Apr 2018

👍1

Wonderful work, I will get my team to pickup this branch and see if this works for us. Sorry for the very long delay in getting back to you.

michael-baker on 21 Apr 2018

@michael-baker @DHowett-MSFT
I tested the branch myself and i am hitting windows api error while configure the windows service as gMSA account. the only way i find was configure the windows service as network service first, then use SC.exe to change the running account. :(

TingluoHuang on 21 Apr 2018

Would be really nice to get this working. Currently the only service that requires a domain user in my entire cluster are these build agents.

I tried applying the workaround above, but the agent didn't come online (I probably did something wrong).

But as a security best-practice, would be really nice to get first-class support for MSAs.

tastyeggs on 13 Aug 2019

👍1

I currently do the same workaround as @TingluoHuang
.\config.cmd --unattended --url $tfsHost --auth Integrated --pool $agentPool --agent $agentName --windowslogonaccount "domain\tfsbuildservice$" --work "$workingDirectory" --replace

Then

$command = "sc create `"VSTS Agent (tfs.$agentName)`" binpath=$agentInstallationPath\bin\AgentService.exe obj= `"domain\tfsbuildservice$`" start= delayed-auto"
& cmd /c $command
net start "VSTS Agent (tfs.$agentName)"

michael-baker on 14 Aug 2019

👍2

Thanks. We will add to our backlog and leave this open so you can track progress Get Outlook for iOShttps://aka.ms/o0ukef
…

On the topic of tracking progress... how's this coming?

tlofreso on 30 Oct 2019

Following up/echoing this:

It's a pretty common scenario for build agents to need to "reach out" and grab artifacts or even run test frameworks as a domain-authenticated account. Being able to use a gMSA account seems rather ideal here.

Justin-DynamicD on 27 Nov 2019

👍3

How come the support for gMSA has not been added after more than two years it was asked for? If I am not mistaken, it should not be harder then allowing to specify no password during configuration.

My workaround is to configure the agent service to run as NETWORK SERVICE, and then use sc.exe to reconfigure the created service:

sc.exe config vstsagent.Org.Pool.Name obj= [email protected] password= ""

Next, remove NETWORK SERVICE from VSTS_AgentService_XXXX group and add [email protected] instead.