CoreView Hybrid Connector: Configure gMSA for Kerberos (Implementation / Sysadmin / Helpdesk Guide)

Overview

This guide explains how to create and use Group Managed Service Accounts (gMSAs) for the CoreView Hybrid Connector, which runs in Docker containers that are not domain-joined. Using gMSA can enhance security and enable Kerberos authentication without managing service account passwords manually.

CoreView Hybrid Connector uses two containers: a management container and an importer container.

Important: To avoid Kerberos authentication conflicts when both containers are active, consider creating two distinct gMSA accounts—one for management actions and another for imports.

Table of Contents

  1. Prerequisites
  2. Quick Setup (Automation Script)
  3. Step 1 — Check/Create the KDS Root Key
  4. Step 2 — Create a Security Group for Host Authorization
  5. Step 3 — Create the gMSA Accounts
  6. Step 4 — (Optional) Create a Standard User Account for Secret Store Usage
  7. Step 5 — Add Container Hosts to the Security Group
  8. Step 6 — Create Credential Specs (CredSpec)
  9. Step 7 — Test the gMSA Accounts
  10. Step 8 — Configure CoreView Hybrid Connector to Use gMSA
  11. Summary

Prerequisites

Quick Setup

You can automate Steps 1 through 7 using the provided PowerShell script.


Usage: Run the script in PowerShell as an Administrator. It will prompt you for your Domain, NetBIOS name, and the Docker Host computer name.

IMPORTANT: Replace placeholders with your environment values.

Step 1 — Check/Create the KDS Root Key

gMSAs require a KDS root key in the domain.

Check if the KDS root key already exists

Get-KdsRootKey

If no key exists, create one

Add-KdsRootKey -EffectiveImmediately

Step 2 — Create a Security Group for Host Authorization

Create a security group to control which computers/hosts are allowed to retrieve the managed password.

New-ADGroup -Name "CVHybridgMSA" -SamAccountName "CVHybridgMSA" -GroupScope DomainLocal

Step 3 — Create the gMSA Accounts

Create one gMSA for management actions, and (optionally) a second gMSA for imports to prevent conflicts.

Choose the -DnsHostName value (gMSA FQDN)

For -DnsHostName, use the gMSA’s FQDN (fully qualified domain name).

Example: -DnsHostName "svcCVHybridMgmt.contoso.com"

Choose the -ServicePrincipalNames prefix (Pre-Windows 2000 / NetBIOS domain name)

For -ServicePrincipalNames, the left-hand portion before the slash should be your Pre-Windows 2000 domain name (also called the NetBIOS domain name).

Example: -ServicePrincipalNames "CONTOSO/svcCVHybridMgmt"

Create the gMSAs

New-ADServiceAccount -Name "svcCVHybridMgmt" -DnsHostName "gmsa_fqdn" -ServicePrincipalNames "PREWIN2000DOMAIN/svcCVHybridMgmt" -PrincipalsAllowedToRetrieveManagedPassword "CVHybridgMSA"

New-ADServiceAccount -Name "svcCVHybridImpt" -DnsHostName "gmsa_fqdn" -ServicePrincipalNames "PREWIN2000DOMAIN/svcCVHybridImpt" -PrincipalsAllowedToRetrieveManagedPassword "CVHybridgMSA"

Example (replace with your real values):

New-ADServiceAccount -Name "svcCVHybridMgmt" -DnsHostName "svcCVHybridMgmt.contoso.com" -ServicePrincipalNames "CONTOSO/svcCVHybridMgmt" -PrincipalsAllowedToRetrieveManagedPassword "CVHybridgMSA"

New-ADServiceAccount -Name "svcCVHybridImpt" -DnsHostName "svcCVHybridImpt.contoso.com" -ServicePrincipalNames "CONTOSO/svcCVHybridImpt" -PrincipalsAllowedToRetrieveManagedPassword "CVHybridgMSA"

Note: The CoreView Hybrid Connector uses two Docker containers. If you assign a gMSA to both the management and importer containers, using two separate gMSAs can help avoid Kerberos authentication conflicts when both containers are active.

Step 4 — (Optional) Create a Standard User Account for Secret Store Usage

This standard user account's credentials must be stored in a secret store; the ccg.exe hosted plug-in retrieves them from that store and uses them to obtain the gMSA password on behalf of the non-domain-joined container.

WARNING: Use a unique username and a random, long, machine-generated password.

Example (use your own account name; the password is entered interactively so it never appears in the command line or in shell history):

New-ADUser -Name "StandardUser01" -AccountPassword (Read-Host -AsSecureString "Password for StandardUser01") -Enabled $true

Keep this account's credentials protected and managed according to your organization's credential storage policy.

Step 5 — Add Container Hosts to the Security Group

Add the CoreView machine (computer name only — not the FQDN) to the group allowed to retrieve gMSA passwords.

Add-ADGroupMember -Identity "CVHybridgMSA" -Members "CV_MACHINE_NAME"

Example (replace with your CoreView server name):

Add-ADGroupMember -Identity "CVHybridgMSA" -Members "WebApp01"

Step 6 — Create Credential Specs (CredSpec)

Install the CredentialSpec module and generate Credential Spec files for the gMSA accounts.

Install-Module CredentialSpec
New-CredentialSpec -AccountName svcCVHybridMgmt
New-CredentialSpec -AccountName svcCVHybridImpt

Optional: Create one Credential Spec including additional gMSA accounts

If you run a service/process as a secondary gMSA in the container, create a credential spec using -AdditionalAccounts:

New-CredentialSpec -AccountName svcCVHybridMgmt -AdditionalAccounts svcCVHybridImpt

Step 7 — Test the gMSA Accounts

Validate that each gMSA can be used successfully.

Test-ADServiceAccount svcCVHybridMgmt
Test-ADServiceAccount svcCVHybridImpt
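The following script is an added example, not the script CoreView provides: it runs Steps 1 through 7 (Step 4 is optional and omitted) idempotently, prompting for the DNS domain, the Pre-Windows 2000 name and the Docker host name. It assumes the group and gMSA names used in this guide, and that it is run as an administrator on the Docker host with the ActiveDirectory module installed; Test-ADServiceAccount only passes after that host has refreshed its Kerberos ticket (a reboot) following the group membership change.

```powershell
# Added example; not CoreView's provided script. Assumed names: CVHybridgMSA group and the two gMSAs from this guide.
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)][string]$DnsDomain,      # e.g. contoso.com (placeholder)
    [Parameter(Mandatory)][string]$NetbiosDomain,  # e.g. CONTOSO (Pre-Windows 2000 name)
    [Parameter(Mandatory)][string]$DockerHost      # computer name only, not the FQDN
)
$ErrorActionPreference = 'Stop'
$Group    = 'CVHybridgMSA'
$Accounts = 'svcCVHybridMgmt', 'svcCVHybridImpt'

# Step 1: KDS root key. -EffectiveImmediately still needs time to replicate to all DCs.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Step 2: group that authorizes hosts to retrieve the managed password (skip if present)
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$Group'")) {
    New-ADGroup -Name $Group -SamAccountName $Group -GroupScope DomainLocal
}

# Step 3: one gMSA per container, each with its own SPN, to avoid Kerberos conflicts
foreach ($acct in $Accounts) {
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$acct'")) {
        New-ADServiceAccount -Name $acct -DnsHostName "$acct.$DnsDomain" `
            -ServicePrincipalNames "$NetbiosDomain/$acct" `
            -PrincipalsAllowedToRetrieveManagedPassword $Group
    }
}

# Step 5: authorize the container host; the computer object is resolved explicitly
$hostObj = Get-ADComputer -Identity $DockerHost
$members = Get-ADGroupMember -Identity $Group
if (-not ($members | Where-Object { $_.distinguishedName -eq $hostObj.DistinguishedName })) {
    Add-ADGroupMember -Identity $Group -Members $hostObj
}

# Step 6: credential spec files, one per gMSA
if (-not (Get-Module -ListAvailable -Name CredentialSpec)) {
    Install-Module CredentialSpec -Scope AllUsers
}
foreach ($acct in $Accounts) { New-CredentialSpec -AccountName $acct }

# Step 7: verify this host can use each gMSA (requires a fresh Kerberos ticket on the host)
foreach ($acct in $Accounts) {
    $ok = Test-ADServiceAccount -Identity $acct
    Write-Host ("{0}: {1}" -f $acct, $(if ($ok) { 'OK' } else { 'FAILED' }))
}
```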

Step 8 — Configure CoreView Hybrid Connector to Use gMSA

After creating the gMSA accounts, configure them in the CoreView Hybrid Connector settings file:

Forward365.Service.PowershellService.Agent.exe.config
C:\Program Files (x86)\CoreView Agent

IMPORTANT: Stop the CoreView Agent Windows Service before editing the config file.

Configure gMSA in AppSettings

Locate the <appSettings> section in the config file. Add the gMSA keys inside this section, alongside other existing keys.

Example Placement:

<appSettings>
    <!-- Other existing settings... -->
    <add key="BackendApiUrl" value="https://api.4ward365.com/api/" />
    
    <!-- Add these gMSA keys: -->
    <add key="gMSAEnabled" value="true" />
    <add key="gMSAName" value="svcCVHybridMgmt" />
    <add key="gMSAImporterEnabled" value="true" />
    <add key="gMSAImporterName" value="svcCVHybridImpt" />
</appSettings>

If gMSA is not required

Set to false (or retain the defaults in the config file):

<add key="gMSAEnabled" value="false" />
<add key="gMSAImporterEnabled" value="false" />
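As an added example (not part of the CoreView product), the script below applies the Step 8 settings without hand-editing the file: it stops the agent service, backs up the config, sets or inserts the four gMSA keys inside the existing <appSettings> section, and restarts the service. The service display name pattern is an assumption; confirm it with Get-Service before use.

```powershell
# Added example; not CoreView's own code. File name and path are taken from this guide.
$ConfigPath     = 'C:\Program Files (x86)\CoreView Agent\Forward365.Service.PowershellService.Agent.exe.config'
$ServicePattern = 'CoreView Agent*'   # assumed display name; verify with Get-Service
$Settings = @{
    gMSAEnabled         = 'true'
    gMSAName            = 'svcCVHybridMgmt'
    gMSAImporterEnabled = 'true'
    gMSAImporterName    = 'svcCVHybridImpt'
}

function Set-AppSettingKeys {
    param([string]$Path, [hashtable]$Keys)
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $appSettings = $xml.configuration.appSettings
    if (-not $appSettings) { throw "No <appSettings> section found in $Path" }
    foreach ($name in $Keys.Keys) {
        # Update the key in place if it already exists, otherwise append a new <add> element
        $node = @($appSettings.add) | Where-Object { $_.key -eq $name }
        if ($node) {
            $node.value = $Keys[$name]
        } else {
            $new = $xml.CreateElement('add')
            $new.SetAttribute('key', $name)
            $new.SetAttribute('value', $Keys[$name])
            [void]$appSettings.AppendChild($new)
        }
    }
    # Keep a timestamped backup so the previous configuration can be restored
    Copy-Item -LiteralPath $Path -Destination "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    $xml.Save($Path)
}

$svc = Get-Service -DisplayName $ServicePattern -ErrorAction SilentlyContinue
if (-not $svc) { throw "CoreView Agent service not found; adjust `$ServicePattern" }
$svc | Stop-Service
try   { Set-AppSettingKeys -Path $ConfigPath -Keys $Settings }
finally { $svc | Start-Service }
```

To disable gMSA again, set gMSAEnabled and gMSAImporterEnabled to 'false' in $Settings and rerun.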

Restart the CoreView service

After saving changes, restart the CoreView Agent Windows Service to apply the new configuration.

Summary