
Logging in as a Managed Account

Reflection for Secure IT Windows Server supports login as a Group Managed Service Account (gMSA) with public key authentication. Once a gMSA has been set up and configured for Reflection for Secure IT Windows Server, the console can access domain resources using the account's managed password.

Before configuring the use of a Group Managed Service Account, you will first have to create and configure the accounts in the desired domain. Refer to Setting up a Group Managed Service Account (gMSA).

Configure a folder for the public key

First, provide the Group Managed Service Account with a folder that contains the public key. For user accounts, the folder containing the public key is typically located in that user's profile directory, in a .ssh2 directory.

Normally, this profile directory is created the first time the user logs in with a username and password. Most SSH clients provide a utility to generate the key pair and upload the public key.

For Group Managed Service Accounts (gMSA), we cannot log in using a password, so we have to configure the public key folder explicitly.

  1. Prepare a folder that contains the necessary server files for public key authentication.

    You can generate a key pair specific for this account, or you can temporarily point to an .ssh2 folder of a normal user, for example "testuser".

  2. In the Configuration tab, navigate to Subconfiguration > User configuration and select Add.

    A popup window will appear.

  3. Select domain and enter the domain name of the Group Managed Service Account, for example "domain.com".

  4. In the User name field, enter the name of the gMSA followed by a dollar sign ($), for example "rsitgmsa$".

  5. In the side tree view on the left side, select Authentication > public key.

  6. In the User key directory the default value is %D\.ssh2. Change this value to the folder that you have prepared, for example C:\Users\testuser\.ssh2.

  7. Read the warning that is given and select Yes to proceed.

    Save the configuration.

Now you can connect with public key authentication using the key you generated or the "testuser" key. Include the trailing dollar sign in the user name when you sign in, for example: ssh rsitgmsa$@rsitserver.domain.com.

Note

After you have successfully logged in for the first time, the Group Managed Service Account will now have a local profile directory. You can switch back to using the regular location for the public key.

You can also keep the non-default folder that you created. Make sure that access to this folder is properly restricted.
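The following PowerShell is an added example, not part of the Reflection for Secure IT documentation: it prepares a dedicated public key folder for the gMSA and replaces the inherited permissions with a minimal ACL so that only SYSTEM, Administrators and the gMSA itself can reach the key material. The domain name, folder path, exported public key path and the gMSA's read-only access are assumptions; adjust them to your environment.

```powershell
# Added example (not from the Reflection for Secure IT documentation).
# Assumptions: the gMSA is DOMAIN\rsitgmsa$ (as on this page); the folder and
# key file paths are placeholders; the gMSA needs only read access to the folder.
$Gmsa   = 'DOMAIN\rsitgmsa$'                    # trailing $ is required
$KeyDir = 'C:\RSIT\keys\rsitgmsa\.ssh2'         # value for "User key directory"
$PubKey = 'C:\temp\rsitgmsa.pub'                # public key exported from the client

# 1. Check that this host may retrieve the managed password (needs the RSAT ActiveDirectory module).
if (-not (Test-ADServiceAccount -Identity 'rsitgmsa')) {
    throw 'This host cannot use the gMSA; check PrincipalsAllowedToRetrieveManagedPassword.'
}

# 2. Create the folder and place the public key in it.
New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null
Copy-Item -Path $PubKey -Destination $KeyDir

# 3. Drop inherited ACEs and build an explicit, minimal ACL.
$acl = Get-Acl -Path $KeyDir
$acl.SetAccessRuleProtection($true, $false)     # stop inheriting, do not copy inherited ACEs
foreach ($rule in $acl.Access) { $null = $acl.RemoveAccessRule($rule) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# SYSTEM (the server service) and Administrators (key management) get full control.
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', $inherit, $prop, $allow)))
}
# The gMSA itself only needs to read its public key (assumption: read is sufficient).
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Gmsa, 'ReadAndExecute', $inherit, $prop, $allow)))
Set-Acl -Path $KeyDir -AclObject $acl

# 4. Verify: no broad principals (Users, Authenticated Users, Everyone) should remain.
(Get-Acl -Path $KeyDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it once as a local administrator before step 6 above; the final listing is what you should review to confirm the folder is restricted as the Note requires.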

Allow the managed password to be used

  1. In the credential cache, select Add.

    A popup window will appear.

  2. In the Add Credential popup, enter the name of the Group Managed Service Account, for example domain.com\rsitgmsa$.

    Leave the password empty.

  3. In the popup, check the box for Cached passwords for client access.

    Select OK.

    Note

    The Test button cannot be used for Group Managed Service Accounts. The Reflection for Secure IT Windows Server Console does not have the required permission to retrieve the password.

  4. To allow the managed password to be used, you must also select the check box Use cached passwords to give users access to domain resources.

  5. When choosing a user for the share, enable the Use the client user account... radio button.

    Now you can configure domain access to SFTP Directories and Mapped drives that exist in your domain.