Run a service as a group Managed Service Account
On a Windows Server standalone cluster, you can run a service as a group managed service account (gMSA) using a RunAs policy. By default, Service Fabric applications run under the account that the Fabric.exe process runs under. Running applications under different accounts, even in a shared hosted environment, makes them more secure from one another. By using a gMSA, there is no password or encrypted password stored in the application manifest. You can also run a service as an Active Directory user or group.
The following example shows how to create a gMSA account called svc-Test$, how to deploy that managed service account to the cluster nodes, and how to configure the user principal.
Note
Using a gMSA with a standalone Service Fabric cluster requires on-premises Active Directory within your domain (rather than Azure Active Directory (Azure AD)).
Prerequisites:
- The domain needs a KDS root key.
- There must be at least one Windows Server 2012 (or R2) DC in the domain.
Have an Active Directory domain administrator create a group managed service account using the New-ADServiceAccount cmdlet and ensure that the PrincipalsAllowedToRetrieveManagedPassword includes all of the Service Fabric cluster nodes. AccountName, DnsHostName, and ServicePrincipalName must be unique.

    New-ADServiceAccount -name svc-Test$ -DnsHostName svc-test.contoso.com -ServicePrincipalNames http/svc-test.contoso.com -PrincipalsAllowedToRetrieveManagedPassword SfNode0$,SfNode1$,SfNode2$,SfNode3$,SfNode4$
On each of the Service Fabric cluster nodes (for example, SfNode0$, SfNode1$, SfNode2$, SfNode3$, SfNode4$), install and test the gMSA.

    Add-WindowsFeature RSAT-AD-PowerShell
    Install-AdServiceAccount svc-Test$
    Test-AdServiceAccount svc-Test$
Configure the User principal, and configure the RunAsPolicy to reference the User.

    <?xml version="1.0" encoding="utf-8"?>
    <ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         ApplicationTypeName="MyApplicationType"
                         ApplicationTypeVersion="1.0.0"
                         xmlns="http://schemas.microsoft.com/2011/01/fabric">
      <ServiceManifestImport>
        <ServiceManifestRef ServiceManifestName="MyServiceTypePkg" ServiceManifestVersion="1.0.0" />
        <ConfigOverrides />
        <Policies>
          <!-- Run the "Code" package as the gMSA declared under Principals -->
          <RunAsPolicy CodePackageRef="Code" UserRef="DomaingMSA"/>
        </Policies>
      </ServiceManifestImport>
      <Principals>
        <Users>
          <!-- No Password attribute: the gMSA password is retrieved from AD by the node -->
          <User Name="DomaingMSA" AccountType="ManagedServiceAccount" AccountName="domain\svc-Test$"/>
        </Users>
      </Principals>
    </ApplicationManifest>
Note
If you apply a RunAs policy to a service and the service manifest declares endpoint resources with the HTTP protocol, you must specify a SecurityAccessPolicy. For more information, see Assign a security access policy for HTTP and HTTPS endpoints.
The following articles will guide you through next steps: