Running ProGet with Group Managed Service Account



  • Hi,

    I'm currently running ProGet 2024.0.26. I'm using the integrated web server and have a regular service account configured to run the INEDOPROGETSVC service and INEDOPROGETWEBSVC web server Windows services. I have a database user ID and password configured in the connection string.

    This works great, but I'd like to switch to use a Windows group managed service account (gMSA). I'm able to use a gMSA as the account in the INEDOPROGETSVC service and INEDOPROGETWEBSVC web server Windows services. However, if I change the connection string to use "Integrated Security=true;", "Integrated Security=SSPI;", or "Trusted_Connection=true" and restart the Windows services, the services start, but the website doesn't load. When I open Inedo Hub, ProGet has a "View Error" button that has the following message:

    "Product: ProGet
    Version: 24.0.26

    The Inedo Hub is unable to connect to the "MyDatabase" database: Login failed for user '<Domain>\MyLoggedInUser'.

    The above username is the account you're currently logged-in to Windows with.
    Please ask your database administrator to grant db_owner access to the above username.
    Or, try logging-in to Windows with a different account."

    I have granted "db_owner" and "ProGetUser_Role" to the group managed service account, but for whatever reason it appears it's attempting to connect using the user account I'm using to log on to the server. The group managed service account has been added to the "Logon as a service" policy. I also added it to the Administrators group in case that made a difference even though it didn't appear to be needed when I was using my regular service account.

    I have used a group managed service account as the application pool identity for years in IIS, but I'm not using IIS since it's not really recommended according to the Inedo documentation. I tried to track down any guidance on using a group managed service account, including the "inedo-docs" GitHub repository, but it seems like I'm still missing something.

    Any help is very much appreciated.

    Thanks!



  • inedo-engineer

    Hi @mhelp_5176 ,

    When upgrading ProGet 2024 and earlier via the Inedo Hub, the user performing the upgrade must have db_owner permission. So, this behavior is expected if <Domain>\MyLoggedInUser doesn't have access.

    I'm not sure if you can log in to Windows using a gMSA or not. But, the easiest move is just to give <Domain>\MyLoggedInUser the appropriate access, or just switch to username/password authentication.

    In ProGet 2025 and later, the ProGet application itself performs the upgrade, so that user account would need db_owner permission.

    Thanks,
    Steve



  • Hi Steve,

    I'm not upgrading...I'm just trying to change the connection string in Inedo Hub in a way that it will use the group managed service account. When I do that, using integrated security or trusted_connection, it seems to be trying to use my logged on user.

    Is the only way I'm going to be able to do that to run it through IIS instead of the integrated web server?

    I cannot log on to the server with the group managed service account. The group managed service account has permissions on the server and in the database.

    Thanks!


  • inedo-engineer

    Hi @mhelp_5176,

    When hosting via the Integrated Web Server, you will need to update the account the service is running as. As long as the GMSA is a db_owner on your database, then "Integrated Security=true;" in your connection string will use that account. As for installs through the InedoHub with "Integrated Security=true;", it will use the account of the person running InedoHub when connecting to SQL Server during the install, so that account will need DBO on the ProGet database as well.

    Thanks,
    Rich
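
The distinction in the reply above (the services connect as their logon account, Inedo Hub connects as the interactive user) can be checked with the following added example, which is not from any of the posts or from Inedo. It assumes Windows PowerShell 5.1; the service names are the ones in the thread, while the SQL Server instance and database name are placeholders.

```powershell
$services  = 'INEDOPROGETSVC', 'INEDOPROGETWEBSVC'   # service names from the thread
$sqlServer = 'localhost'     # assumption: replace with your SQL Server instance
$database  = 'MyDatabase'    # placeholder database name used in the thread

# Identity each service logs on as; a gMSA appears as DOMAIN\name$.
$svc = Get-CimInstance Win32_Service | Where-Object { $services -contains $_.Name }
$svc | Select-Object Name, State, StartName | Format-Table -AutoSize

# Identity of this interactive session, which is what Inedo Hub presents.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Logins that are direct members of db_owner in the current database.
$query = @"
SELECT SUSER_SNAME(m.sid)
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner' AND SUSER_SNAME(m.sid) IS NOT NULL;
"@

$connStr = "Server=$sqlServer;Database=$database;Integrated Security=true;"
$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
try {
    $conn.Open()    # authenticates as $me, never as the service account
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    $owners = @()
    while ($reader.Read()) { $owners += $reader.GetString(0) }
    $reader.Close()

    # Membership granted through a Windows group is not expanded here, and
    # the list is only complete if $me may view other principals' roles.
    foreach ($name in (@($me) + @($svc.StartName) | Select-Object -Unique)) {
        $status = if ($owners -contains $name) { 'db_owner' } else { 'NOT db_owner' }
        '{0,-40} {1}' -f $name, $status
    }
}
catch {
    # Same condition the Inedo Hub "View Error" dialog reports for this user.
    "Cannot open '$database' as ${me}: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```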

