FAQ: Monitoring Certificates for Group Managed Service Accounts (gMSA)
Common questions about monitoring certificates for Group Managed Service Accounts with the Nodinite Windows Server Monitoring Agent.
Why can't the monitoring agent impersonate gMSA accounts to access their certificate stores?
Group Managed Service Accounts (gMSAs) are designed so that no administrator or application ever handles their password, which makes password-based impersonation impossible:
Security Architecture Limitations
Passwordless Authentication
- gMSAs use automatically managed, complex passwords that rotate every 30 days
- These passwords are never exposed to administrators or applications
- Passwords are managed entirely by Active Directory and the Local Security Authority (LSA)
Service Context Only
- A host authorised in Active Directory retrieves the gMSA's managed password through its own computer account, and the service then authenticates through Kerberos with that password
- They cannot be used for interactive logon or standard Windows impersonation (LogonUser API)
- The monitoring agent requires the LogonUser API to access other users' certificate stores
Certificate Store Access Requirements
Windows certificate stores are user-profile specific. To access a user's certificate store, you must either:
- Run as that user - the process identity must be the gMSA
- Impersonate with valid credentials - impossible for gMSA (no password available)
Security by Design
This limitation is intentional. gMSAs prevent privilege escalation and credential theft by ensuring that their credentials cannot be extracted, shared, or misused.
Solution: Dedicated Agent Instance
To monitor certificates for a gMSA account, install a dedicated instance of the monitoring agent configured to run as that gMSA account:
- Install separate agent instance - Deploy a dedicated Nodinite Windows Server Monitoring Agent on the same server or a different server
- Configure service identity - Set the monitoring agent Windows service to run as the gMSA account
- Direct access - The agent will have direct access to its own (the gMSA's) Current User certificate store without requiring impersonation
- Monitor configuration - Configure certificate monitoring to monitor the "Current User" store location
Implementation Steps
| Step | Action | Details |
|---|---|---|
| 1. Install Agent | Deploy dedicated agent instance | Can be on same server or separate server with access to gMSA |
| 2. Service Configuration | Configure Windows service identity | Set agent service to run as gMSA account (DOMAIN\gMSA$) |
| 3. Certificate Monitoring | Enable Current User monitoring | Agent monitors its own certificate store as the gMSA |
| 4. Verification | Test certificate detection | Verify gMSA certificates appear in Current User category |
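The steps in the table above, as an added PowerShell example (not part of the Nodinite documentation or product): it checks that the host may retrieve the gMSA password, points the dedicated agent service at the gMSA without storing any password, confirms the resulting service identity, and then lists the certificate store the agent will see once it runs as that account. The service name `NodiniteAgent-gMSA1` and the gMSA `CORP\svc-app01$` are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Constructed example; service and gMSA names are assumptions, not product values.
param(
    [string]$ServiceName = 'NodiniteAgent-gMSA1',   # assumed name of the dedicated instance
    [string]$GmsaName    = 'CORP\svc-app01$'        # assumed gMSA (note the trailing $)
)

# Step 1 precondition: the host must be allowed to retrieve the managed password,
# otherwise the service will fail to start with a logon failure.
Import-Module ActiveDirectory
$sam = ($GmsaName -split '\\')[-1]
if (-not (Test-ADServiceAccount -Identity $sam)) {
    throw "This host is not authorised to retrieve the password for $GmsaName"
}

# Step 2: set the service identity. The password argument is deliberately empty;
# the LSA fetches the managed password itself, so nothing is stored on the host.
& sc.exe config $ServiceName obj= $GmsaName password= ""
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
Restart-Service -Name $ServiceName

# Confirm the service really runs as the gMSA (StartName should be DOMAIN\gMSA$).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
"Service '$ServiceName' runs as '$($svc.StartName)' (state: $($svc.State))"

# Steps 3 and 4: what the agent sees in its own Current User store. Run this part
# from a process that runs as the gMSA (for example a scheduled task whose principal
# is the gMSA); run from an admin shell it only shows the admin's own store.
function Get-CertificateStatus {
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Location = 'CurrentUser',
        [int]$WarnDays = 30
    )
    Get-ChildItem -Path "Cert:\$Location\My" | ForEach-Object {
        $daysLeft = [int]($_.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            HasKey     = $_.HasPrivateKey
            Status     = if ($daysLeft -lt 0) { 'Expired' }
                         elseif ($daysLeft -le $WarnDays) { 'Warning' }
                         else { 'OK' }
        }
    }
}
Get-CertificateStatus -Location CurrentUser | Format-Table -AutoSize
```

If the certificate you expect is missing from the Current User listing but present under `LocalMachine`, the dedicated agent is not needed for it; any instance with local administrator rights can monitor the Local Machine store.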
Benefits of This Approach
- Security compliant - Respects gMSA security design
- No credential exposure - No passwords stored or managed
- Direct access - No impersonation required
- Full monitoring - All certificate store features available
- Scalable - Can monitor multiple gMSAs with separate agent instances
Important Considerations
Important
gMSA Prerequisites: Ensure the gMSA account has the necessary permissions to:
- Run as a service on the target server
- Access network resources if monitoring remote resources
- Read its own certificate stores
Note
Licensing: Each monitoring agent instance requires appropriate Nodinite licensing. Contact support for guidance on multi-instance deployments.
Can I monitor multiple gMSAs from a single agent?
No - Due to the security architecture of gMSAs, each gMSA requires its own dedicated agent instance. You cannot configure a single agent to impersonate multiple gMSAs.
Workaround Options
- Deploy multiple agent instances (one per gMSA)
- Use regular service accounts instead of gMSAs if impersonation is required (this gives up the credential protections described above, since such accounts have a password that must be stored and managed)
- Centralize certificate management to reduce the number of accounts needing monitoring
What about Local Machine certificates used by gMSAs?
Local Machine certificates are accessible through standard impersonation or by running the agent with appropriate permissions. The gMSA limitation only affects Current User certificate stores that are profile-specific to the gMSA account.
Monitoring Approach
- Local Machine store - Monitor with any agent instance that has local administrator privileges
- Current User store - Requires dedicated agent running as the gMSA
Next Step
Install Windows Server Monitoring Agent
Configuration
Certificate Monitoring