Support for Virtual Accounts and gMSAs

Would it be possible to add support for Virtual Windows Accounts (e.g., NT SERVICE\...) and Group Managed Service Accounts (gMSA) for Canary services during installation and configuration?

Virtual accounts provide lightweight isolation without password management, and gMSAs offer secure, automated password rotation with Kerberos authentication. Currently, we’re limited to Local System or the default local user account, which works but isn’t ideal for security-focused deployments.

3 replies

    • smason
    • 2 days ago

    Hi,

    We added better support for gMSAs in 25.2 and we're currently working on support for Virtual Service accounts. Maybe in the next release???

      • System Engineer | CSE ICON
      • davin_ross
      • 2 days ago

      Hi Steve! Thanks for the information. Is there any documentation on the Canary website for gMSA setup following the support implementation in 25.2?

      • smason
      • 2 days ago

      More information from development...

      Sorry if my last post got your hopes up. I don't think I had all the information. "better support" just means we don't reset the service registrations and force you to set them up again every time the software is updated.

      Right now it has to be done for each service individually after the software is installed. You can't configure it during the installation process.

      The work we're doing now is to support Virtual Service Accounts as the default option; this would replace the "CanaryServiceAccount" that we currently create. Virtual accounts are similar to gMSA but they are local accounts rather than domain accounts.
