To integrate a group Managed Service Account (gMSA) with Workspace Environment Management (WEM), the configuration of the gMSA for the Norskale Broker (the WEM infrastructure service) is described in the steps at:
https://docs.citrix.com/en-us/workspace-environment-management/current-release/install-and-configure/infrastructure-services.html#group-managed-service-account
However, a few additional points must be checked for the gMSA to work as expected:
1. Make sure the configured gMSA has been granted the "Log on as a service" user right on the WEM infrastructure server.
Open Local Security Policy > Security Settings > Local Policies > User Rights Assignment > Log on as a service, and verify that the gMSA is listed there (a gMSA appears as DOMAIN\name$, with a trailing $, like a computer account).
2. Allow the WEM server(s) to retrieve the gMSA password from Active Directory by setting the allowed principals. Note that this parameter replaces the existing list rather than appending to it, so every WEM infrastructure server must be included in one call (computer accounts are written with a trailing $, as in Host1$; an AD security group that contains the servers is also accepted):
Set-ADServiceAccount [-Identity] ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword Host1$,Host2$,Host3$
Example:
Set-ADServiceAccount -Identity TestGMSA -PrincipalsAllowedToRetrieveManagedPassword W2K19TEST
Additionally, in the WEM Infrastructure Service Configuration utility, clear the "Enable Windows account impersonation" setting. With a gMSA the infrastructure service logs on as the gMSA itself, so no separate impersonation account should be configured.
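The following PowerShell script is an added example that is not part of the Citrix article or of WEM itself. It applies tip 2 (granting the WEM server the right to retrieve the managed password and confirming it can actually do so) and then verifies tip 1 (that the gMSA holds the "Log on as a service" right) by exporting the local security policy with secedit. The gMSA name TestGMSA and the server name W2K19TEST are assumptions taken from the example above; the script expects the ActiveDirectory RSAT module on the host it runs on, and the Set-ADServiceAccount step needs write access to the gMSA object in AD.

```powershell
# Added example (not from the Citrix article): check the gMSA prerequisites for a
# WEM infrastructure server. Assumed names: gMSA "TestGMSA", WEM server "W2K19TEST".
Import-Module ActiveDirectory

$Gmsa       = 'TestGMSA'        # assumed gMSA name
$WemServers = @('W2K19TEST')    # assumed WEM infrastructure server(s); list all of them

# --- Tip 2: let the WEM server(s) retrieve the managed password ---
# Computer objects have a sAMAccountName ending in "$". The parameter REPLACES the
# current list, so every server running the infrastructure service is passed at once.
$principals = $WemServers | ForEach-Object { "$_`$" }
Set-ADServiceAccount -Identity $Gmsa -PrincipalsAllowedToRetrieveManagedPassword $principals

# Read the list back so the change can be eyeballed
(Get-ADServiceAccount -Identity $Gmsa -Properties PrincipalsAllowedToRetrieveManagedPassword).PrincipalsAllowedToRetrieveManagedPassword

# On the WEM server itself: cache the account locally and prove the password can be
# fetched. Test-ADServiceAccount returns $false when this host is not an allowed principal.
Install-ADServiceAccount -Identity $Gmsa
if (-not (Test-ADServiceAccount -Identity $Gmsa)) {
    throw "$Gmsa cannot be used on $env:COMPUTERNAME; check PrincipalsAllowedToRetrieveManagedPassword"
}

# --- Tip 1: confirm the gMSA holds "Log on as a service" (SeServiceLogonRight) ---
# There is no cmdlet for local user rights, so export the policy with secedit and
# look for the gMSA's SID (secedit writes principals as *S-1-5-...).
$gmsaSid = (Get-ADServiceAccount -Identity $Gmsa).SID.Value
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight' }
Remove-Item $cfg

if ($line -and ($line -match [regex]::Escape("*$gmsaSid"))) {
    "OK: $Gmsa has 'Log on as a service' on $env:COMPUTERNAME"
} else {
    "MISSING: add $env:USERDOMAIN\$Gmsa`$ under Local Policies > User Rights Assignment > Log on as a service"
}
```

Run the script in an elevated PowerShell session on the WEM infrastructure server. If Test-ADServiceAccount fails even though the server name was passed, re-check that the trailing $ was included and that the server has refreshed its Kerberos ticket (a reboot or klist purge after the AD change is the usual fix); if the "Log on as a service" check reports MISSING, grant the right and restart the Norskale Infrastructure Service.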