Run Service Fabric App under Group Managed Service Account (gMSA)


Problem description

I'm testing using a gMSA account to run an SF app, instead of NETWORKSERVICE.

Following the instructions from here: https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-runas-security

  1. Created the gMSA on the domain controller using the PowerShell cmdlet:

    New-ADServiceAccount -name MySA$ -DnsHostName MySA.contoso -ServicePrincipalNames http/MySA.contoso -PrincipalsAllowedToRetrieveManagedPassword Node0Machine$, Node1Machine$, Node2Machine$

  • Install-ADServiceAccount returned an "unspecified error" on each of the nodes; however, Test-ADServiceAccount returns true for MySA$ (when running PowerShell as a domain user).

  • ApplicationManifest.xml has the following changes:

    <Principals>
      <Users>
        <User Name="MySA" AccountType="ManagedServiceAccount" AccountName="Contoso\MySA$"/>
      </Users>
    </Principals>
    <Policies>
      <SecurityAccessPolicies>
        <SecurityAccessPolicy ResourceRef="ConfigurationEncipherment" PrincipalRef="MySa" ResourceType="Certificate" />
      </SecurityAccessPolicies>
      <DefaultRunAsPolicy UserRef="MySA"/>
    </Policies>

  • The Service Fabric Explorer shows the following error for each service:

    Error event: SourceId='System.Hosting', Property='CodePackageActivation:Code:SetupEntryPoint'.
    There was an error during CodePackage activation. Service host failed to activate. Error:0x8007052e

I have also tried creating the cluster using the gMSA (we are using X509 successfully at the moment). Using the gMSA cluster config as a template, it fails with a timeout (presumably the "WindowsIdentities" section is incorrect; there seems to be little documentation on this).

    "security": {
        "WindowsIdentities": {
            "ClustergMSAIdentity": "MySA$@contoso",
            "ClusterSPN": "http/MySa.contoso",
            "ClientIdentities": [
                {
                    "Identity": "contoso\\MySA$",
                    "IsAdmin": true
                }
            ]
        },

Recommended answer

The Error:0x8007052e may be linked to a logon failure.

According to Secure a cluster by using Windows security: if you have more than 10 nodes, or for clusters that are likely to grow or shrink, Microsoft strongly recommends using the Group Managed Service Account (gMSA) approach.

You will also see:

You can establish trust in two different ways:

• Specify the domain group users that can connect.

• Specify the domain node users that can connect.

    [...]

Administrators have full access to management capabilities (including read/write capabilities). Users, by default, have only read access to management capabilities (for example, query capabilities), and the ability to resolve applications and services.

According to your comment, as soon as you add the gMSA to the ServiceFabricAdministrators group everything works, and it is probably due to the fact that "administrators have full access to management capabilities".
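The checks implied by the question and this answer, collected into one script. This is an added example, not code from the original post or from the Service Fabric documentation. It assumes the names used in the question (gMSA MySA$, nodes Node0Machine, Node1Machine, Node2Machine), the RSAT ActiveDirectory module both where the script runs and on each node (Test-ADServiceAccount only answers correctly on the machine that will use the account), WinRM access to the nodes, and that ServiceFabricAdministrators exists as a local group on each node, as the answer's comment indicates. The group name and the node list are assumptions; 0x8007052e is the HRESULT wrapping of Win32 error 1326, ERROR_LOGON_FAILURE, which is why a password-retrieval or group-membership problem surfaces as that code during CodePackage activation.

```powershell
# Added diagnostic script (not from the original post). Assumed names are
# parameters so they can be overridden; the ServiceFabricAdministrators group
# name comes from the accepted answer's comment, not from any documentation.
param(
    [string]   $GmsaName  = 'MySA$',
    [string[]] $Nodes     = @('Node0Machine', 'Node1Machine', 'Node2Machine'),
    [string]   $NodeGroup = 'ServiceFabricAdministrators'   # assumed local group on each node
)
Import-Module ActiveDirectory

# 1. A KDS root key must exist and already be effective, or no gMSA password
#    can ever be generated, regardless of what New-ADServiceAccount reported.
$kds = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $kds) {
    Write-Warning 'No effective KDS root key found; gMSA password retrieval cannot work.'
}

# 2. Each node's computer account must be allowed to retrieve the managed password.
#    A node that is missing here fails to activate the service host with
#    0x8007052e (ERROR_LOGON_FAILURE). Note: if the attribute holds a group DN
#    instead of computer DNs, this direct comparison warns spuriously; expand the
#    group with Get-ADGroupMember in that case.
$gmsa    = Get-ADServiceAccount -Identity $GmsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$allowed = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
foreach ($node in $Nodes) {
    $dn = (Get-ADComputer -Identity $node).DistinguishedName
    if ($allowed -notcontains $dn) {
        Write-Warning "$node ($dn) is not in PrincipalsAllowedToRetrieveManagedPassword for $GmsaName"
    }
}

# 3. Test-ADServiceAccount must be run on the node itself: it asks the local
#    machine to retrieve and validate the password, which is exactly what the
#    Service Fabric host does at activation. Running it as a domain user on a
#    different machine (as in the question) proves nothing about the nodes.
foreach ($node in $Nodes) {
    $result = Invoke-Command -ComputerName $node -ArgumentList $GmsaName -ScriptBlock {
        param($name)
        Import-Module ActiveDirectory
        Test-ADServiceAccount -Identity $name
    }
    if ($result) { Write-Output "$node : can retrieve the password for $GmsaName" }
    else         { Write-Warning "$node : Test-ADServiceAccount failed for $GmsaName" }
}

# 4. The answer reports that activation only succeeded once the gMSA was a
#    member of ServiceFabricAdministrators on the nodes, so verify membership
#    on each node. Get-LocalGroupMember reports names as DOMAIN\account.
foreach ($node in $Nodes) {
    $member = Invoke-Command -ComputerName $node -ArgumentList $GmsaName, $NodeGroup -ScriptBlock {
        param($name, $group)
        try {
            @(Get-LocalGroupMember -Group $group -ErrorAction Stop |
              Where-Object { $_.Name -like "*\$name" }).Count -gt 0
        } catch { $false }   # group absent or not readable counts as not a member
    }
    if ($member) { Write-Output "$node : $GmsaName is a member of $NodeGroup" }
    else         { Write-Warning "$node : $GmsaName is NOT a member of $NodeGroup" }
}
```

Run it from a domain-joined management host as a user who can read the gMSA object and open remote sessions on the nodes. Step 3 is the one that reproduces the failure condition the question hit: the "unspecified error" from Install-ADServiceAccount and a true result from Test-ADServiceAccount on a different machine are not contradictory, because only the node's own machine account is in the allowed-principals list. Granting group membership as in step 4 resolves the activation error reported in the answer, but it hands the service account administrative rights on the cluster; if the application itself only needs to run, the narrower fix is the allowed-principals entry and a read-only (ServiceFabricAllowedUsers-style) membership, which the page does not describe.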
