Does SiteMinder support configuring AD with a group Managed Service Account (gMSA) for the user store?

Article ID: 380060

Products

CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

Do we support configuring AD with a group Managed Service Account (gMSA) for the user store?

For admin UI

Environment

PS: ANY

OS: Windows

Resolution

gMSAs provide a single identity solution for services. The password is managed centrally in AD and changed by the OS. There would be no mechanism to change the password for the user directory object in the policy store. Once the AD admin changes the service account, the Policy Server would begin to fail to bind to the user directory.

This would apply if we're talking about the account that runs the 'smpolicysrv' service.  For any data store, this would cause problems.

We don't think it's possible, because a gMSA password is rotated automatically and SiteMinder has no option to fetch or update the bind password, which is configured only when the directory is added to SiteMinder.
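
A check an administrator could run before choosing a bind account for the user directory, as an added example that is not part of the original article and not SiteMinder or vendor code: it reports whether an AD account is a gMSA and estimates when AD will next rotate its password. It assumes the RSAT ActiveDirectory module is installed; the function name and the DN are constructed placeholders.

```powershell
# Added example (not SiteMinder or vendor code).
# Assumes the RSAT ActiveDirectory module and read access to the account object.
Import-Module ActiveDirectory

function Get-BindAccountRotationInfo {
    param(
        [Parameter(Mandatory = $true)]
        [string] $DistinguishedName   # DN intended as the directory bind user
    )

    $props = 'objectClass', 'pwdLastSet', 'msDS-ManagedPasswordInterval'
    $obj   = Get-ADObject -Identity $DistinguishedName -Properties $props

    # gMSA objects have this object class; ordinary service users are 'user'.
    $isGmsa = [bool]($obj.objectClass -eq 'msDS-GroupManagedServiceAccount')

    # pwdLastSet is a FILETIME value; 0 or empty means no password has been set.
    $lastSet = $null
    if ($obj.pwdLastSet -gt 0) {
        $lastSet = [DateTime]::FromFileTimeUtc([int64]$obj.pwdLastSet)
    }

    # Rotation interval in days; only populated on managed accounts.
    $interval     = $obj.'msDS-ManagedPasswordInterval'
    $nextRotation = $null
    if ($isGmsa -and $lastSet -and $interval) {
        # Estimate only: last change plus the configured interval.
        $nextRotation = $lastSet.AddDays($interval)
    }

    [PSCustomObject]@{
        DistinguishedName        = $obj.DistinguishedName
        IsGmsa                   = $isGmsa
        PasswordRotatedByAD      = $isGmsa
        PasswordLastSetUtc       = $lastSet
        RotationIntervalDays     = $interval
        EstimatedNextRotationUtc = $nextRotation
    }
}

# Constructed placeholder DN; replace with the bind DN planned for the user directory.
Get-BindAccountRotationInfo -DistinguishedName 'CN=svc-siteminder,CN=Managed Service Accounts,DC=example,DC=com'
```

If `IsGmsa` is true, a bind password typed into the user directory configuration would stop matching after the estimated rotation date, which is the bind failure described above.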