This article describes how to configure Panel Service, or Uplift (the MIM Synchronization Service component), to log in to Identity Panel SaaS when the Windows service runs under a group Managed Service Account (GMSA).
Install New Service
- Follow the normal install steps in Service Setup.exe. When prompted, enter the login details of the GMSA and enter any placeholder value as the password (it will not be the real password; the service is switched to the GMSA in a later step).
- Create the application password and enter it normally.
- The installer will fail to create or start the service, but all DLLs and files will have been put in place.
- Run the following command to create the service with the builtin system account:
sc create SoftwareIDM.PanelService binPath= "C:\Program Files\SoftwareIDM\PanelTools\SoftwareIDM.PanelService.exe" DisplayName= "SoftwareIDM Panel Service" start= auto
- Run the following PowerShell script (adjust the account name) to switch the service logon to the GMSA:
$serviceName = 'SoftwareIDM.PanelService'
$serviceObject = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
$serviceObject.StopService() | Out-Null
# Change the "Log On As" settings; the seventh argument is StartName, the eighth is StartPassword (null for a GMSA)
$serviceObject.Change($null, $null, $null, $null, $null, $null, 'DOMAIN\ACCOUNT$', $null, $null, $null, $null)
$serviceObject.StartService()
Configure Login for Existing Service
This procedure can be used in any scenario where you cannot open a command prompt as the service account being configured and therefore cannot establish the login pairing interactively.
- Look up the account details for the GMSA: server name, NetBIOS domain prefix, and sAMAccountName. For a GMSA the account name ends in '$'.
e.g. MIMSRV01, MYDOMAIN\svcMIMSync$
- Open the Install Service page of Identity Panel
- Fill in the server name, domain, and account
- Create a new application password
- Edit Panel Tools config.json (typically at C:\Program Files\SoftwareIDM\PanelTools\config.json), go to the “Auth” section, and edit or add a JSON field called “Password”. Set it to the value of the application password.
- Restart the service that needs the login. If configuring Uplift for the MIM Synchronization Service, also restart the FIM Synchronization Service and preview and commit a user.
- The service restart will encrypt the password and move it to the user logins section.
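The following PowerShell script is an added example, not part of the Identity Panel documentation or product: it combines the GMSA service-account switch from the first procedure with the config.json password step from the second, and then checks that the plaintext application password did not linger in the file after the restart. The service name, GMSA name, config path and wait time are illustrative assumptions.

```powershell
# Added example (not Identity Panel's own code). Assumed values: service name,
# gMSA 'MYDOMAIN\svcMIMSync$', and the default config.json path are illustrative.
#Requires -RunAsAdministrator
param(
    [string]$ServiceName = 'SoftwareIDM.PanelService',
    [string]$Gmsa        = 'MYDOMAIN\svcMIMSync$',
    [string]$ConfigPath  = 'C:\Program Files\SoftwareIDM\PanelTools\config.json'
)

# 1. Pre-flight: the gMSA must be installed on this host or the service will not start.
Import-Module ActiveDirectory
$samName = ($Gmsa -split '\\')[-1]
if (-not (Test-ADServiceAccount -Identity $samName)) {
    throw "gMSA $samName is not installed on this host (run Install-ADServiceAccount first)."
}

# 2. Put the application password into the "Auth" section as the "Password" field.
#    It is read interactively so it never sits in the script or shell history.
$appPassword = Read-Host -Prompt 'Application password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $appPassword).Password
$config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
if (-not $config.Auth) {
    $config | Add-Member -NotePropertyName Auth -NotePropertyValue ([pscustomobject]@{})
}
$config.Auth | Add-Member -NotePropertyName Password -NotePropertyValue $plain -Force
$config | ConvertTo-Json -Depth 10 | Set-Content -Path $ConfigPath -Encoding UTF8

# 3. Switch the service logon to the gMSA. A gMSA has no user-supplied password,
#    so only StartName is passed to Win32_Service.Change; StartPassword stays null.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$svc | Invoke-CimMethod -MethodName StopService | Out-Null
$result = $svc | Invoke-CimMethod -MethodName Change -Arguments @{ StartName = $Gmsa }
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

# 4. Start the service; on start-up it encrypts the password and moves it to the
#    user logins section. Verify the plaintext field is gone before walking away.
Start-Service -Name $ServiceName
Start-Sleep -Seconds 15   # assumed to be long enough for the service to process the login
$after = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
if ($after.Auth.PSObject.Properties['Password']) {
    Write-Warning 'Auth.Password is still present in config.json: the login pairing did not complete. Check the service log before leaving the plaintext value on disk.'
} else {
    $runAs = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartName
    Write-Host "Login pairing stored; $ServiceName now runs as $runAs."
}
```

If the warning fires, remove the "Password" field manually once the cause is fixed rather than leaving the application password in clear text in config.json.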