How can I use a managed service account for LDAP login
I am running TeamCity services under a gMSA. Everything is golden in regards to deployment and running everything at this point. All kinks there have been smoothed out. The last bit that is needed is that I am currently using a hard-coded domain admin account for LDAP queries: my own account. I want to remove this. I wish to use the same gMSA that is being used by everything else and maybe use NTLM to pass through the credentials. I do not want to create a different account for this purpose, as that would defeat the purpose of having created the gMSA in the first place. Is this possible? I have so far tried commenting out "java.naming.security.principal" and "java.naming.security.credentials" and uncommenting "java.naming.security.authentication=simple" and changing it to "NTLM". I figured I would give that a try, as that is a setting similar to one that I had to change for msdeploy so I could get that working with the gMSA.
Hello Jonathan,
At the moment it's not supported, please vote for the request: https://youtrack.jetbrains.com/issue/TW-19552.
Please note that credentials used in ldap-config.properties files can be scrambled, see https://confluence.jetbrains.com/display/TCD10/LDAP+Integration#LDAPIntegration-Scramblingcredentialsinldap-config.propertiesfile.
I appreciate your prompt response!!! Yes, I have been using the scrambled credentials feature. The issue is not so much whether they can see my credentials, but whether I should be using MY account for other users. If the project is moved over to someone else or I leave the company, it will break things. I am trying to avoid that as a whole. We do have a service account available that should have permissions to access Active Directory and will also have access to query LDAP. I will be using that in the meantime. I just wanted to also see if I could use the same gMSA that I've been using for the TeamCity services, msbuild and msdeploy. Thank you.