Announcing the availability of the new gMSA on AKS workshop

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

gMSA is the technology that lets Active Directory dependent applications run on Kubernetes. Over time, we've been adding a lot of resources around it, such as PowerShell modules (to help with the configuration process), documentation, scripts, and more. The reason is that, on one side, gMSA is incredibly popular (of course, anyone trying to containerize a Windows app that relies on AD for authentication will use it), but also that it is somewhat complex to configure. Setting up gMSA means you have to configure your Kubernetes cluster, the networking between the cluster and the Domain Controller(s), the secret store (such as Azure Key Vault), the Domain Controller itself, and so on.


Because so many resources need to be configured, many customers have a hard time seeing how gMSA actually works before doing it in production. Today, we're glad to announce that you can now try gMSA on AKS with a guided workshop. This workshop still requires a subscription of your own, but all the other configuration can be implemented by following the workshop's instructions. We plan to upgrade this into a self-contained workshop in the future.


What is part of the workshop

This is an end-to-end workshop in which you can start with a net-new subscription (or an existing one, of course) and build everything from scratch. The workshop briefly covers what gMSA is and how it's used.

The workshop has the following objectives:

  • Provide an overview of gMSA on AKS, necessary components, and how to set up an environment for a Windows app that requires Active Directory authentication.
  • Understand how the AksGMSA PowerShell module helps in the process of configuring gMSA on AKS.
  • Understand the flow of configuring gMSA on AKS and how the multiple resources interact with each other.

The workshop is divided into seven exercises:


Exercise 1 - Spinning up the Azure environment

Here you will deploy the base services to get started. You will use a script to deploy the Resource Group, the Virtual Network and Subnet, the AKS cluster, and the Windows node pool. The script will also deploy a VM to be used as the domain controller.


Exercise 2 - Configure Active Directory

Here we will prepare the VM and the Active Directory domain to use gMSA. A script is provided to deploy AD into the VM.
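The workshop's own script does this preparation for you. As an added illustration (not the workshop's script) of what preparing a domain for gMSA involves, the following PowerShell runs on the domain controller as a Domain Admin and uses only the standard ActiveDirectory cmdlets. The domain name contoso.local, the gMSA name WebApp01, the group name AKS-gMSA-Hosts and the user name gmsa-reader are assumptions chosen for the example.

```powershell
# Added example, not the workshop's script: prepare an AD domain for gMSA.
# Run on the domain controller (DC01 in the workshop) as a Domain Admin.
# Assumed names: domain contoso.local, gMSA WebApp01, group AKS-gMSA-Hosts,
# standard user gmsa-reader.
Import-Module ActiveDirectory

$domain   = 'contoso.local'
$gmsaName = 'WebApp01'
$group    = 'AKS-gMSA-Hosts'
$reader   = 'gmsa-reader'

# 1. A KDS root key must exist before any gMSA password can be generated.
#    The -EffectiveTime backdating makes the key usable immediately, which is
#    fine for a single-DC lab; in a multi-DC domain let the default 10-hour
#    replication delay elapse instead.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Least privilege: only members of this group may retrieve the managed
#    password. Keep it to the principals that actually need it rather than
#    'Domain Computers' or similar broad groups.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope DomainLocal `
        -Description 'Principals allowed to retrieve gMSA passwords for AKS'
}

# 3. A standard domain user whose credentials the AKS nodes present when they
#    fetch the gMSA password (the post mentions Azure Key Vault as the secret
#    store for this). It needs no rights beyond membership of the group above.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$reader'")) {
    New-ADUser -Name $reader -SamAccountName $reader `
        -AccountPassword (Read-Host -AsSecureString "Password for $reader") `
        -Enabled $true -PasswordNeverExpires $true
}
Add-ADGroupMember -Identity $group -Members $reader

# 4. The gMSA itself, with an HTTP SPN so Kerberos works for a web app.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domain" `
    -ServicePrincipalNames "HTTP/$gmsaName.$domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $group

# 5. Review the result: the gMSA should list only our group as allowed to
#    retrieve its password.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Select-Object Name, DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
```

The check in step 5 is worth repeating after any later automation runs: the value of PrincipalsAllowedToRetrieveManagedPassword is the effective access control for the account's password, so anything unexpected in that list is a finding.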


Exercise 3 - Enable Azure Bastion to RDP into DC01 VM and take note of additional resources

To reduce costs, we will only use one VM in this workshop, so we will also use this VM (which is our Domain Controller) for other purposes – which is not recommended in production. To securely access the VM, we will enable Azure Bastion.


Exercise 4 - Configure the AksGMSA PowerShell module on the DC01 VM

This is where most of the gMSA configuration is prepared. In this exercise, you pass the configuration you want to use to the AksGMSA PowerShell module on the DC01 VM; the provided script and module then use it to set up gMSA on AKS in the next exercise.


Exercise 5 - Deploy gMSA on AKS and configure AD and Azure resources

This is where the configuration of gMSA on AKS happens. Using the information provided before, we run the AksGMSA module commands to set up gMSA on AKS, configure AD, create the Azure Key Vault and Managed Identity, and complete all other configuration.


Exercise 6 - Validate the deployment of gMSA on AKS

Once gMSA on AKS has been deployed and configured, you can use the AksGMSA module to validate the configuration and the communication between the AKS cluster and the AD domain. This exercise uses the module's native commands to validate that everything is in place.


Exercise 7 - Deploy IIS with Windows authentication enabled

Validating that gMSA has been deployed correctly is not as cool as seeing an application working properly. In this exercise, we deploy a very simple sample application to see the authentication actually happening. We deploy a Windows pod to the AKS cluster with an IIS website set up to use Windows authentication, then open the website to see the authentication prompt, provide the username and password, and see the website open.
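As an added example that is not part of the workshop, the following PowerShell shows the shape of that last step using plain kubectl: a Windows Deployment whose pod references a gMSA credential spec through the standard Kubernetes `securityContext.windowsOptions.gmsaCredentialSpecName` field, a LoadBalancer Service in front of it, and two checks that distinguish "the pod runs" from "Windows authentication is actually enforced". It assumes kubectl already points at the AKS cluster, that a GMSACredentialSpec object named in `$credSpecName` exists (the workshop's module creates it), that `$image` is an IIS image with Windows authentication enabled and anonymous authentication disabled, and that the script is run from a domain-joined client such as the DC01 VM; all of these names are placeholders.

```powershell
# Added example, not the workshop's code. Assumes kubectl is configured for the
# AKS cluster and that the GMSACredentialSpec named below already exists.
$credSpecName = 'gmsa-webapp01-credspec'              # placeholder: credspec created by the module
$image        = 'REGISTRY_PLACEHOLDER/iis-winauth:latest'  # placeholder: IIS image with Windows auth enabled

# The manifest: Windows node, gMSA credential spec applied at pod level so every
# container in the pod runs under the gMSA identity.
$manifest = @"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: iis-winauth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: iis-winauth
  template:
    metadata:
      labels:
        app: iis-winauth
    spec:
      nodeSelector:
        kubernetes.io/os: windows
      securityContext:
        windowsOptions:
          gmsaCredentialSpecName: $credSpecName
      containers:
      - name: iis
        image: $image
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: iis-winauth
spec:
  type: LoadBalancer
  selector:
    app: iis-winauth
  ports:
  - port: 80
    targetPort: 80
"@

$manifest | kubectl apply -f -
kubectl rollout status deployment/iis-winauth --timeout=10m

# Check 1: the container can reach the domain under the gMSA identity.
# nltest /parentdomain prints the domain name when the gMSA is working and
# fails when the credential spec or the AD side is misconfigured.
$pod = kubectl get pod -l app=iis-winauth -o jsonpath='{.items[0].metadata.name}'
kubectl exec $pod -- nltest /parentdomain

# Check 2: Windows authentication is enforced, not just present.
$ip = kubectl get svc iis-winauth -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
try {
    Invoke-WebRequest -Uri "http://$ip/" -UseBasicParsing | Out-Null
    Write-Warning 'Anonymous request succeeded: Windows authentication is NOT enforced on this site.'
} catch {
    # Expected: 401 Unauthorized for an anonymous request.
    "Anonymous request rejected with $($_.Exception.Response.StatusCode)"
}
# From a domain-joined client, passing the logged-on user's credentials should succeed.
(Invoke-WebRequest -Uri "http://$ip/" -UseDefaultCredentials -UseBasicParsing).StatusCode  # expected 200
```

The second check is the one to keep around after the workshop: a site that answers 200 to an anonymous request is serving without authentication even if the gMSA itself is healthy, and that is a configuration error in the image or site, not in gMSA.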


At the end, there’s an exercise to clean up the environment and ensure you’re not being charged for this any further.

Hopefully this workshop provides a good overview of how gMSA on AKS works. Feel free to go wild and try different things: your own app, your own setup. And let us know what you think and how we can improve not only the workshop itself but the whole gMSA on AKS experience.
