CoreView Hybrid Connector: Configure gMSA for Kerberos (Implementation / Sysadmin / Helpdesk Guide)
Overview
This guide explains how to create and use Group Managed Service Accounts (gMSAs) for the CoreView Hybrid Connector, which runs in Docker containers that are not domain-joined. Using gMSA can enhance security and enable Kerberos authentication without managing service account passwords manually.
CoreView Hybrid Connector uses two containers:
- Management actions container (runs management actions)
- Importer container (runs on a schedule: activates every 6 hours, imports objects, then shuts down)
Important: To avoid Kerberos authentication conflicts when both containers are active, consider creating two distinct gMSA accounts—one for management actions and another for imports.
Table of Contents
- Prerequisites
- Quick Setup (Automation Script)
- Step 1 — Check/Create the KDS Root Key
- Step 2 — Create a Security Group for Host Authorization
- Step 3 — Create the gMSA Accounts
- Step 4 — (Optional) Create a Standard User Account for Secret Store Usage
- Step 5 — Add Container Hosts to the Security Group
- Step 6 — Create Credential Specs (CredSpec)
- Step 7 — Test the gMSA Accounts
- Step 8 — Configure CoreView Hybrid Connector to Use gMSA
- Summary
Prerequisites
- Active Directory PowerShell module available (for New-ADServiceAccount, New-ADGroup, etc.)
- Rights to create AD groups and gMSAs
- CoreView Hybrid Connector version 1.0.6 or later (required for gMSA configuration support)
- You know:
- The CoreView machine name (computer name only — not the FQDN) that will run the Docker containers
- Your domain naming (example values used below)
Quick Setup
You can automate Steps 1 through 7 using the provided PowerShell script.
Usage: Run the script in PowerShell as an Administrator. It will prompt you for your Domain, NetBIOS name, and the Docker Host computer name.
IMPORTANT: Replace placeholders with your environment values.
- Replace WebApp01 and contoso.com with your own CoreView machine name and domain name, respectively; treat every sample name in this guide as a placeholder.
- Replace example gMSA names, SPNs, and DNS hostnames with your actual naming standard.
Step 1 — Check/Create the KDS Root Key
gMSAs require a KDS root key in the domain.
Check if the KDS root key already exists
Get-KdsRootKey
If no key exists, create one
Add-KdsRootKey -EffectiveImmediately
Step 2 — Create a Security Group for Host Authorization
Create a security group to control which computers/hosts are allowed to retrieve the managed password.
New-ADGroup -Name "CVHybridgMSA" -SamAccountName "CVHybridgMSA" -GroupScope DomainLocal
Step 3 — Create the gMSA Accounts
Create one gMSA for management actions, and (optionally) a second gMSA for imports to prevent conflicts.
Choose the -DnsHostName value (gMSA FQDN)
For -DnsHostName, use the gMSA’s FQDN (fully qualified domain name).
Example:
svcCVHybridMgmt.contoso.com
Choose the -ServicePrincipalNames prefix (Pre-Windows 2000 / NetBIOS domain name)
For -ServicePrincipalNames, the left-hand portion before the slash should be your Pre-Windows 2000 domain name (also called the NetBIOS domain name).
Example:
- If your AD domain is contoso.com, the Pre-Windows 2000 (NetBIOS) domain name might be CONTOSO.
- Example SPNs: CONTOSO/svcCVHybridMgmt and CONTOSO/svcCVHybridImpt
Create the gMSAs
New-ADServiceAccount -Name "svcCVHybridMgmt" -DnsHostName "gmsa_fqdn" -ServicePrincipalNames "PREWIN2000DOMAIN/svcCVHybridMgmt" -PrincipalsAllowedToRetrieveManagedPassword "CVHybridgMSA"
New-ADServiceAccount -Name "svcCVHybridImpt" -DnsHostName "gmsa_fqdn" -ServicePrincipalNames "PREWIN2000DOMAIN/svcCVHybridImpt" -PrincipalsAllowedToRetrieveManagedPassword "CVHybridgMSA"
Example (replace with your real values):
New-ADServiceAccount -Name "svcCVHybridMgmt" -DnsHostName "svcCVHybridMgmt.contoso.com" -ServicePrincipalNames "CONTOSO/svcCVHybridMgmt" -PrincipalsAllowedToRetrieveManagedPassword "CVHybridgMSA"
New-ADServiceAccount -Name "svcCVHybridImpt" -DnsHostName "svcCVHybridImpt.contoso.com" -ServicePrincipalNames "CONTOSO/svcCVHybridImpt" -PrincipalsAllowedToRetrieveManagedPassword "CVHybridgMSA"
Note: The CoreView Hybrid Connector uses two Docker containers. If you assign a gMSA to both the management and importer containers, using two separate gMSAs can help avoid Kerberos authentication conflicts when both containers are active.
Step 4 — (Optional) Create a Standard User Account for Secret Store Usage
This standard user account's credentials are stored in a secret store and used by the ccg.exe hosted plug-in to retrieve the gMSA password.
WARNING: Use a unique username and a random, long, machine-generated password.
Example (commented out; the password shown is a placeholder only):
#New-ADUser -Name "StandardUser01" -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) -Enabled 1
Keep this account's credentials protected and managed according to your organization's credential storage policy.
Step 5 — Add Container Hosts to the Security Group
Add the CoreView machine (computer name only — not the FQDN) to the group allowed to retrieve gMSA passwords.
Add-ADGroupMember -Identity "CVHybridgMSA" -Members "CV_MACHINE_NAME"
Example (replace with your CoreView server name):
Add-ADGroupMember -Identity "CVHybridgMSA" -Members "WebApp01"
Step 6 — Create Credential Specs (CredSpec)
Run these commands on the CoreView Hybrid Connector server (the Docker host machine).
Install the CredentialSpec module and generate Credential Spec files for the gMSA accounts.
Install-Module CredentialSpec
New-CredentialSpec -AccountName svcCVHybridMgmt
New-CredentialSpec -AccountName svcCVHybridImpt
Credential Spec files are stored in:
C:\ProgramData\docker\credentialspecs
Optional: Create one Credential Spec including additional gMSA accounts
If you run a service/process as a secondary gMSA in the container, create a credential spec using -AdditionalAccounts:
#New-CredentialSpec -AccountName svcCVHybridMgmt -AdditionalAccounts svcCVHybridImpt
Important: Rename the Credential Spec Files
After generating the credential spec files, you must rename them by removing the underscore (_) and everything that comes before it.
Example:
miannellolab_svcchybridimpt.json → rename to → svcchybridimpt.json
miannellolab_svcchybridmgmt.json → rename to → svcchybridmgmt.json
The final filename should only contain the gMSA account name (without any prefix or underscore).
Step 7 — Test the gMSA Accounts
Validate that each gMSA can be used successfully.
Test-ADServiceAccount svcCVHybridMgmt
Test-ADServiceAccount svcCVHybridImpt
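The following script is an added example that automates Steps 1 through 7 as described above; it is not the script CoreView provides. It assumes it runs as Administrator on the Docker host with the RSAT ActiveDirectory module installed, and that the default names in this guide (CVHybridgMSA, svcCVHybridMgmt, svcCVHybridImpt) are acceptable or overridden via parameters.

```powershell
#Requires -RunAsAdministrator
# Added example for Steps 1-7 of this guide (not CoreView's provided script).
# Assumes: run on the Docker host, RSAT ActiveDirectory module present, rights to create groups/gMSAs.
param(
    [string]$Domain     = (Read-Host 'AD domain (e.g. contoso.com)'),
    [string]$NetBios    = (Read-Host 'Pre-Windows 2000 / NetBIOS domain name (e.g. CONTOSO)'),
    [string]$DockerHost = (Read-Host 'Docker host computer name (no FQDN)'),
    [string]$GroupName  = 'CVHybridgMSA',
    [string[]]$Accounts = @('svcCVHybridMgmt', 'svcCVHybridImpt')
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Step 1: a KDS root key must exist before any gMSA can be created
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    Write-Warning 'New KDS root key: DCs need about 10 hours to replicate it before gMSA creation works.'
}

# Step 2: the group whose members may retrieve the managed passwords
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupScope DomainLocal
}

# Step 3: one gMSA per container; FQDN for -DnsHostName, NetBIOS prefix for the SPN
foreach ($acct in $Accounts) {
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$acct'")) {
        New-ADServiceAccount -Name $acct -DnsHostName "$acct.$Domain" `
            -ServicePrincipalNames "$NetBios/$acct" `
            -PrincipalsAllowedToRetrieveManagedPassword $GroupName
    }
}

# Step 5: only the Docker host's computer object is added, so password retrieval stays scoped
$members = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
if ($members -notcontains "$DockerHost`$") {
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $DockerHost)
}

# Step 6: generate the credential specs, then strip the '<prefix>_' the module puts in the file name
if (-not (Get-Module -ListAvailable -Name CredentialSpec)) { Install-Module CredentialSpec -Force }
$specDir = 'C:\ProgramData\docker\credentialspecs'
foreach ($acct in $Accounts) {
    New-CredentialSpec -AccountName $acct | Out-Null
    Get-ChildItem -Path $specDir -Filter "*_$acct.json" |
        Rename-Item -NewName { $_.Name -replace '^[^_]*_', '' } -Force
}

# Step 7: the host's new group membership takes effect after a reboot; until then this can be False
foreach ($acct in $Accounts) { '{0}: {1}' -f $acct, (Test-ADServiceAccount -Identity $acct) }
```

Step 4 (the optional secret-store user) is intentionally left manual, since its password must come from your own secret store process.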
Step 8 — Configure CoreView Hybrid Connector to Use gMSA
After creating the gMSA accounts, configure them in the CoreView Hybrid Connector settings file:
- File: Forward365.Service.PowershellService.Agent.exe.config
- Location: C:\Program Files (x86)\CoreView Agent
IMPORTANT: Stop the CoreView Agent Windows Service before editing the config file.
Configure gMSA in AppSettings
Locate the <appSettings> section in the config file. Add the gMSA keys inside this section, alongside other existing keys.
Example Placement:
<appSettings>
<!-- Other existing settings... -->
<add key="BackendApiUrl" value="https://api.4ward365.com/api/" />
<!-- Edit/Add these gMSA keys: -->
<add key="gMSAEnabled" value="true" />
<add key="gMSAName" value="svcCVHybridMgmt" />
<add key="gMSAImporterEnabled" value="true" />
<add key="gMSAImporterName" value="svcCVHybridImpt" />
</appSettings>
If gMSA is not required
Set to false (or retain the defaults in the config file):
<add key="gMSAEnabled" value="false" />
<add key="gMSAImporterEnabled" value="false" />
Restart the CoreView service
After saving changes, restart the CoreView Agent Windows Service to apply the new configuration.
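The snippet below is an added example that performs Step 8 without hand-editing the XML (stop service, set the four gMSA keys, restart); it is not CoreView tooling. The service name is an assumed placeholder and must be confirmed with Get-Service; the file path and key names are the ones given above.

```powershell
# Added example for Step 8 (not CoreView tooling). Run as Administrator.
# ASSUMPTION: $ServiceName is a placeholder; confirm the real name with Get-Service first.
$ServiceName = 'CoreView Agent'
$ConfigPath  = 'C:\Program Files (x86)\CoreView Agent\Forward365.Service.PowershellService.Agent.exe.config'
$Settings = [ordered]@{
    gMSAEnabled         = 'true'
    gMSAName            = 'svcCVHybridMgmt'
    gMSAImporterEnabled = 'true'
    gMSAImporterName    = 'svcCVHybridImpt'
}

Stop-Service -Name $ServiceName                                     # guide: stop before editing
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # rollback copy

[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$app = $cfg.configuration.appSettings
foreach ($key in $Settings.Keys) {
    # update an existing <add key="..."> in place, otherwise append a new element
    $node = $app.add | Where-Object { $_.key -eq $key }
    if ($node) {
        $node.value = $Settings[$key]
    } else {
        $new = $cfg.CreateElement('add')
        $new.SetAttribute('key',   $key)
        $new.SetAttribute('value', $Settings[$key])
        [void]$app.AppendChild($new)
    }
}
$cfg.Save($ConfigPath)
Start-Service -Name $ServiceName                                    # apply the new configuration
```

To disable gMSA again, change the two *Enabled values in $Settings to 'false' and rerun.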
Summary
- gMSA enables multiple computers to share a service identity without exposing or managing passwords.
- For CoreView Hybrid Connector (Docker, non-domain-joined), gMSA can improve security using Kerberos.
- Create a KDS root key (if missing), a security group, then create one or two gMSAs (Mgmt + Importer recommended to avoid conflicts).
- Use your gMSA FQDN for -DnsHostName and your Pre-Windows 2000 (NetBIOS) domain name for the SPN prefix.
- Add the CoreView machine name (not FQDN) to the group, generate Credential Specs, and test the gMSAs.
- Update Forward365.Service.PowershellService.Agent.exe.config under C:\Program Files (x86)\CoreView Agent, then restart the CoreView Agent Windows Service.