I have followed the steps in the linked article What is the least-privileged Duo Authentication Proxy Windows service account configuration to set up a Group Managed Service Account (gMSA). I have used Group Policy to configure 1) the security on the Registry Key, 2) the Log on as a service user right, and 3) the security on the log directory.
This setup works fine – as long as I specify a service account username and password in the authproxy.cfg file (of course, I have to use a different account here, as the gMSA password is generally considered unknown to humans).
Anyway, the linked article states “[i]f you’ll be running Active Directory synchronization through this Authentication proxy server using ‘Integrated’ authentication, then the account used to start the service must be a domain account with the right to perform LDAP queries against an AD domain controller.” This to me seems to imply that the LDAP connection would be initiated by the account that is running the service. However, I don’t see where I can specify an authentication type of integrated. Essentially, I don’t want to know the password, I don’t want the password stored in clear text, I don’t want the password stored in encrypted text. I want the service – running under a specified service account – to perform an LDAP bind/query using the credentials of the account that is running the service.
I could settle for using a regular user account (albeit annoying, both because I have to allocate a user license and manage another password), as long as I didn’t have to specify the username and password (in any form) in the config file.
What am I missing?
Related: this prior question, though it refers to them as “(global) Managed Service Accounts,” does not quite contain the same detail, and has zero replies.
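As an added example (not from the original post, and not Duo's own tooling), the ACL part of the three steps described in the question, done from PowerShell instead of Group Policy so the result can be checked on one host. The gMSA name, the registry key path and the log directory are assumed placeholders, not values from the post:

```powershell
# Added example: grant a gMSA only what the three steps above require.
# Assumptions (placeholders, not from the post): gMSA name, key path, log dir.
$Gmsa   = 'CONTOSO\duoproxy$'                                   # gMSA identity (trailing $)
$RegKey = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_KEY'   # key the service reads
$LogDir = 'C:\PLACEHOLDER\log'                                   # directory the service writes

# Confirm the gMSA is installed and usable on this host before touching any ACL
# (New-ADServiceAccount / Install-ADServiceAccount are the usual prior steps).
if (-not (Test-ADServiceAccount -Identity 'duoproxy')) {
    throw 'gMSA not usable on this host; run Install-ADServiceAccount first.'
}

# 1) Registry key: read-only for the service account, no write or ownership rights.
$acl  = Get-Acl -Path $RegKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Gmsa, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $RegKey -AclObject $acl

# 3) Log directory: Modify (create/append/delete log files) rather than FullControl,
#    so the account cannot change the directory's own permissions.
$acl  = Get-Acl -Path $LogDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Gmsa, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LogDir -AclObject $acl

# 2) "Log on as a service" is a user right, not an ACL; the post assigns it via
#    Group Policy. After gpupdate, verify the gMSA appears in SeServiceLogonRight:
secedit /export /cfg "$env:TEMP\rights.inf" | Out-Null
Select-String -Pattern 'SeServiceLogonRight' -Path "$env:TEMP\rights.inf"
```

The secedit export lists the right by SID, so resolve the gMSA's SID with Get-ADServiceAccount if the name does not appear literally.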