This question is related to: Group Managed Service Accounts
Use Case:
We have customers who have configured a GMSA Account for running services and connecting to SQL Server. We also have a Java-based Authentication Facade that connects to Active Directory to search for users and authenticate users.
The customer is requesting that we use the GMSA Account to do the LDAP Bind when connecting to and searching for users in Active Directory, instead of the currently provisioned Service Account and Password used to do the LDAP Bind.
Question/Assistance/Help:
Can a GMSA Account be used in a Java Application? i.e. can we use a GMSA Account to do an LDAP Bind and Search from Java?
I tried a C# utility which requests the GMSA password; however, our Java Bind does not work with the GMSA Account and the retrieved GMSA Password.
We used steps similar to those pointed out in dsinternals.com - retrieving-cleartext-gmsa-passwords-from-active-directory to get the GMSA Password.
A test C# program can retrieve the GMSA Password and can bind to LDAP and search users using the GMSA Account and GMSA Password - all running on the same machine which is permissioned to retrieve the GMSA Password as per GMSA requirements.
However, using the same GMSA Account and retrieved GMSA Password does not work with Java - Simple Bind and also Bind via Kerberos GSSAPI - again running on the same machine which is permissioned to retrieve the GMSA Password.
We get the following error:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]
Indicating the credential is invalid.
Any pointers much appreciated - Thank you.
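The error string quoted in the post carries more diagnostic detail than "invalid credentials": the `data` field after `AcceptSecurityContext error` is the NT status sub-code that tells you whether AD rejected the password itself or the account's state. The following is an added example, not code from the post or from any project it mentions; it parses that error format and maps the `data` code to a cause so a failing bind can be triaged from application logs. The sample error string is the one from the post; the code table is built from the well-known AD sub-codes (525, 52e, 530, 531, 532, 533, 701, 773, 775), and the `classify` buckets are an assumption of this example. One thing worth checking when a gMSA produces `52e` specifically, stated here as a hint rather than a diagnosis of the poster's setup: a gMSA password is a binary blob, not printable text, so any lossy conversion of the retrieved bytes into the string handed to the Java bind call yields exactly this code even though the account and password are valid.

```python
import re

# Well-known Active Directory bind sub-codes (the "data NNN" field).
# Only 52e appears on the page; the rest are standard AD values added here.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or password bytes mangled in transit)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the AD extended error text that JNDI surfaces in the exception message.
_LDAP_ERR_RE = re.compile(
    r"error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)"
)

# Constructed sample: the exact string quoted in the post.
SAMPLE_ERROR = (
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, "
    "comment: AcceptSecurityContext error, data 52e, v2580 ]"
)


def parse_ad_bind_error(message):
    """Return a dict of the error's fields plus a human-readable cause, or None
    if the message is not an AD extended bind error."""
    m = _LDAP_ERR_RE.search(message)
    if not m:
        return None
    info = m.groupdict()
    info["data"] = info["data"].lower()
    info["cause"] = AD_BIND_DATA_CODES.get(info["data"], "unknown data code")
    return info


def classify(info):
    """Bucket a parsed error for triage (bucket names are this example's own).
    'credential' means the secret itself was rejected; 'account-policy' means
    the secret may be fine but the account state blocks the logon."""
    if info is None:
        return "not an AD bind error"
    data = info["data"]
    if data == "52e":
        return "credential"
    if data == "525":
        return "identity"
    if data in {"530", "531", "532", "533", "701", "773", "775"}:
        return "account-policy"
    return "unknown"


def triage_log_lines(lines):
    """Run the parser over log lines and return (line, bucket, cause) for each
    line that carries an AD bind error; other lines are skipped."""
    results = []
    for line in lines:
        info = parse_ad_bind_error(line)
        if info is not None:
            results.append((line, classify(info), info["cause"]))
    return results


if __name__ == "__main__":
    # Constructed log excerpt: the post's error plus a locked-out variant.
    log = [
        "INFO  bind attempt for svc-gmsa$",
        "ERROR " + SAMPLE_ERROR,
        "ERROR " + SAMPLE_ERROR.replace("data 52e", "data 775"),
    ]
    for line, bucket, cause in triage_log_lines(log):
        print(f"{bucket:15} {cause:60} <- {line[:40]}...")
```

Run stand-alone it prints one triage row per error line; in a real deployment the same functions would sit behind the catch block for `javax.naming.AuthenticationException` equivalent in whatever logs the Java facade emits. A `credential` bucket on a gMSA whose C# bind succeeds points at how the password is encoded on the Java side rather than at the account, whereas an `account-policy` bucket would be visible in AD regardless of client language.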