azure-service-fabric - 在组托管服务帐户 (gMSA) 下运行 Service Fabric 应用程序

Question

我正在测试使用 gMSA 帐户来运行 SF 应用程序，而不是 NETWORKSERVICE。

按照此处的说明进行操作:
https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-application-runas-security

使用 powershell cmdlet 在域 Controller 上创建 gMSA:

New-ADServiceAccount -name MySA$ -DnsHostName MySA.contoso -ServicePrincipalNames http/MySA.contoso -PrincipalsAllowedToRetrieveManagedPassword Node0Machine$, Node1Machine$, Node2Machine$

Install-AdServiceAccount 在每个节点上返回“未指定的错误”，但是 Test-AdServiceAccount 为 MySA$ 返回 true(以域用户身份运行 powershell 时)

ApplicationManifest.xml 有以下变化:

<Principals>
    <Users>
      <User Name="MySA" AccountType="ManagedServiceAccount" AccountName="Contoso\MySA$"/>
</Users>
</Principals>
<Policies>
    <SecurityAccessPolicies>
      <SecurityAccessPolicy ResourceRef="ConfigurationEncipherment" PrincipalRef="MySa" ResourceType="Certificate" />
    </SecurityAccessPolicies>
<DefaultRunAsPolicy UserRef="MySA"/>
</Policies>

Service Fabric 资源管理器显示每个服务的以下错误:

Error event: SourceId='System.Hosting', Property='CodePackageActivation:Code:SetupEntryPoint'.
There was an error during CodePackage activation.Service host failed to activate. Error:0x8007052e

我还尝试使用 gMSA 创建集群(我们目前正在成功使用 X509)。使用 gMSA 集群配置作为模板，它会因超时而失败(大概是“WindowsIdentities 部分不正确 - 关于此的文档似乎很少)

"security": {
    "WindowsIdentities": {
            "ClustergMSAIdentity": "MySA$@contoso",
            "ClusterSPN": "http/MySa.contoso",
            "ClientIdentities": [
                {
                    "Identity": "contoso\\MySA$",
                    "IsAdmin": true
                }
            ]
   },

Answer 1

Error:0x8007052e可能与登录失败有关。

根据 Secure a standalone cluster on Windows by using Windows security和 Connect to a secure cluster

如果您有 10 个以上的节点或可能会增长或缩小的集群。 Microsoft 强烈建议使用组托管服务帐户 (gMSA) 方法。

您还将看到:

You can establish trust in two different ways:

• Specify the domain group users that can connect.

• Specify the domain node users that can connect.

[...]

Administrators have full access to management capabilities (including read/write capabilities). Users, by default, have only read access to management capabilities (for example, query capabilities), and the ability to resolve applications and services.

您也可以在 Getting Started with Group Managed Service Accounts 上找到帮助

根据您的评论，只要您添加 gMSA到 ServiceFabricAdministrators group 一切正常，这可能是因为“管理员可以完全访问管理功能”