gMSA account for AD - SailPoint IIQ

Hi, do we have documentation specific to using gMSA as a Service Account for SailPoint IIQ 8.5? I have the following link specific to SailPoint ISC: Using gMSA as a Service Account

How different is the process for a similar setup specific to SailPoint IIQ?

I have a few questions as follows:

  1. Should the IQService user also be set to a gMSA account? Is an IQService password necessary for gMSA, or should it be left empty?

  2. For the Forest and Domain configuration, it seems we just need to check the “Use gMSA as a Service Account” check box and provide the gMSA account. Should the Authentication and Security be changed from Simple to Strong SASL, and should TLS also be checked?

  3. Is it just the IQService logon user and credential that need to be changed on the IQService server? Are there any permissions we need to add?

Hi @rabshrestha - it looks like the link you provided is from IIQ 8.4. The documentation for IIQ 8.5 can be found here.

The new link only has the configuration suggested for ISC, as below:


So my question is for the IIQ configuration page below:

I believe that is a typo - ISC would not use XML here. It would use JSON.

See the image below for a screenshot from the ISC docs.

Have you tried following the steps listed?

We have our AD instance domain settings set as follows:

A few errors we have encountered are as follows:

  1. "Detected password less authentication, but failed to retrieve passwords with error: No RPC service available" when the IQService configuration is left empty.

  2. "Detected password less authentication, but failed to retrieve passwords with error: Connection reset"

We completed all the steps up to step 6 as per the document **Using gMSA as a Service Account**.
However, the document misses the IQService configuration in the UI.

@rabshrestha

  1. It is not mandatory to use gMSA for IQService, but it is allowed. The password field can be left blank for gMSA.
  2. Make sure the gMSA is granted the Log on as a service right in the Local Security Policy of the IQService server.
  3. Since you have an issue with simple authentication, try SASL.
  4. As per the official document, there is no need to select TLS when using gMSA.


Thanks,

Sivaprakash.
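As an added example (not from this thread and not SailPoint's own code), the following PowerShell pre-flight check covers points 1 and 2 of the answer above on the IQService host: it confirms the host can retrieve the gMSA's managed password, checks that the gMSA holds the "Log on as a service" right, and reports which account the IQService Windows service currently logs on as. The gMSA name `svc-iqservice` and the service name `IQService` are assumed placeholders; it needs the RSAT ActiveDirectory module and an elevated prompt.

```powershell
# Added example, not from the thread: pre-flight checks for running IQService under a gMSA.
# Assumed (hypothetical) values: gMSA sAMAccountName 'svc-iqservice' (no trailing '$'),
# Windows service name 'IQService'. Run elevated on the IQService host.
param(
    [string]$GmsaName    = 'svc-iqservice',   # assumed gMSA name
    [string]$ServiceName = 'IQService'        # assumed service name
)

Import-Module ActiveDirectory

# 1. The gMSA must exist, and this host must be in the set of principals allowed to
#    retrieve its managed password (otherwise the service cannot start without a password).
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword
"Principals allowed to retrieve the managed password: " +
    ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -join ', ')

# 2. Install the gMSA locally (idempotent) and verify the host can actually fetch the password.
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    Install-ADServiceAccount -Identity $GmsaName
}
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    throw "Host cannot retrieve the managed password for '$GmsaName'. " +
          "Check PrincipalsAllowedToRetrieveManagedPassword and that the KDS root key is effective."
}

# 3. 'Log on as a service' (SeServiceLogonRight) must include the gMSA.
#    secedit exports the right as a comma-separated list of *SIDs (or names).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$gmsaSid = $gmsa.SID.Value
if ($rightLine -notmatch [regex]::Escape($gmsaSid) -and
    $rightLine -notmatch [regex]::Escape($GmsaName)) {
    Write-Warning "gMSA '$GmsaName' is not granted SeServiceLogonRight. Current value: $rightLine"
} else {
    "SeServiceLogonRight includes '$GmsaName'."
}

# 4. Report the service logon account; for a gMSA it should read DOMAIN\name$ with no stored password.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc) {
    Write-Warning "Service '$ServiceName' not found on this host."
} else {
    "Service '$ServiceName' logs on as: $($svc.StartName) (state: $($svc.State))"
}
```

If step 3 warns, add the gMSA to "Log on as a service" in Local Security Policy (or via the GPO that applies to the host) before changing the service logon account; the service logon itself is switched to `DOMAIN\svc-iqservice$` with an empty password through the Services console or `sc.exe config`, which matches the blank-password guidance in the answer.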