Allow Group Managed Service Accounts (gMSA) to have a dummy password
It's 2017 and there's still server software (even Microsoft's own - like TFS) that is not able to handle gMSAs, because the password field is mandatory.
Since that software probably uses a Windows function to sign in as such a user, it would be nice to have a mechanism that allows us to just use a dummy password for such an account - like "groupManaged" or "-" or whatever else.
So perhaps it is possible for Windows Server to introduce a mechanism that allows typing a password in the mandatory password fields which signals the same as an empty password for gMSAs.
2 comments
-
zafer b commented
Many applications that require a password for service accounts should change that behavior and upgrade their code base to work with gMSAs. As far as I understand, this is against the architectural decision of gMSAs. But I agree with you, and it had come to my mind when I worked with several pieces of software that require a password even for gMSAs and I had to use an old-fashioned service account.
-
Ryan Bolger commented
If I understand correctly, you're essentially asking for an option to set a "fake" password on a gMSA that AD will accept as valid, but not actually give you a valid auth token for?
Wouldn't that just break a bunch of apps that explicitly try to use the fake password when they authenticate with the account, think they've succeeded, and then fail to do what they want to do?