Login

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Time to support (Group)Managed Service Accounts (gMSA)

Votes:

16

While Security is getting more and more Important nowadays, it seems there is no way to use gMSA in PRTG. First problem is that Kerberos isn't supported with all delivered sensors (for example WMI seems to rely on NTLM) Second Problem and Bug BTW: Windows Credentials in PRTG are allowed to be saved without Password, but then you get an error when Adding Sensors which rely on WinCreds, all Sensors are greyed out and it says "these Sensors need valid Windows Credentials".

I think a Windows only product should support all Authentication Types which also the Windows Host Supports, because no one would lower Security on Systems only to get the Monitoring in PRTG running!

PLease think about changing the Logon/Authentication Process, so it is independent from the choosen sensor type.

Without using a domainadmin or globally available local admin which isn't security best practice it's not possible to monitor hundreds of servers right now, so again please add Support for gMSA.

And Finally please give your customers a ability to post development request which can be votet, here inside the knowledgebase is not the best place, im pretty sure you will get lots of valuable suggestions. (lol, I think there are more urgent requests then the "new alertmail design" every few releases ;-)

authetication gmsa logon powershell wmi

Created on Oct 10, 2016 2:26:47 PM

18 Replies

Votes:

0

Dear Daniel

Thank you for your feedback. While we are planning to work on some Windows sensors in the future, the current WMI authentication options work for most WMI users. We did not test gMSA logins for WMI sensors, because the demand is still too low.

I agree, entering and changing individual local administrator credentials for the server is quite some work and using a domain admin could be undesirable. For the time being though, these will be the options we officially support.

Please understand that we don't want have votable requests, as they could create the false impression that highly voted requests will actually be prioritized. We have an internal road map and work on features which we deem important.

We keep an eye on the knowledge base, organize feedback given in support tickets and talk with PRTG users online, and in person. We are happy that we get so many good ideas and useful suggestions. Many PRTG features are based on the feedback of users. Much of the polish following the initial implementation is based on feedback.

Implementing a feature can take more time than expected, delaying further developments. That is why we don't publish roadmaps or wanting to have an actual vote implemented, because we rather don't want to create any false hope.

Created on Oct 11, 2016 1:57:24 PM by Arne Seifert [Paessler Support]

Votes:

2

Hello PRTG Support team,

I believe this question was raised on October 2016. Now in 2020 having gMSA (at least for "PRTG active directory integration", not for WMI sensors) is a baseline practice almost everywhere, specially in this era that everything is SSO (either shibboleth or CAS) aware.

Would you please reconsider supporting gMSA in your roadmap more seriously? It gradually became very difficult to convince IT leaders and decision makers to use a tool that does not support default and baseline functionality best practices. I love PRTG and I have been promoting and convincing the management to buy it wherever I go, but you need to help us (Sys/DevOps Admins/Engineers) out on this one and couple of other baseline functionalities like supporting of proper Role Based Access Control (RBAC) to support nested group membership.

Thanks, Shahed

Created on Jun 1, 2020 11:19:19 PM

Votes:

0

Hi Shahed,

this feature is still on our roadmap and is planned to be released for the end of the year, at the latest.

Please take a look at our public roadmap, which is updated regularly: https://www.paessler.com/prtg/roadmap

Kind regards,
Matthias Kupfer - Team Tech-Support

Created on Jun 2, 2020 7:56:18 AM by Matthias Kupfer [Paessler Support]

Votes:

0

I have also been waiting for this feature for a very long time and I also urgently request support for Active Directory Group Managed Service Accounts. PRTG is our last system critical system that still does not support gMSA. For monitoring PRTG accounts have many and extensive rights. To effectively prevent pass-the-hash attacks on service accounts in an AD environment, gMSAs are mandatory due to the automated and regular password changes.

Please check again if the gMSA feature is really on your roadmap. I cannot find any reference to Group Managed Service Accounts under the given URL.

Created on Jul 7, 2020 11:08:09 AM

Votes:

0

Hello,

I think my last answer was misleading here. It was regarding, that we plan "SSO and MFA over Azure AD" which seemingly does not mean that this will include gMSA. I am sorry for that.

Kind regards,
Matthias Kupfer - Team Tech support

Created on Jul 8, 2020 8:01:58 AM by Matthias Kupfer [Paessler Support]

Votes:

0

Here in the forum, the support of Group Managed Service Accounts has already been requested several times in different posts in recent years. Microsoft has already released a first version of Managed Service Accounts (MSA) with Windows Server 2008 and extended it with Server Version 2012 as Group Managed Service Accounts (gMSA). There are really some important security reasons for using gMSA. And as Shahed wrote above, it is hard to communicate why PRTG does not support these long-standing best practices security recommendations. In my view, it is therefore urgent to discuss once again what the reasons for not supporting gMSA are.

Created on Jul 8, 2020 11:17:44 AM

Votes:

5

Add my vote here....unacceptable PRTG doesn't support GSMAs yet.

Created on Jul 14, 2020 12:34:41 PM

Votes:

0

Hi, Paessler-Team. This is an absolute nogo. gMSA was released a long time ago. PRTG is the perfect scenario for a service account: high privilged domainadmin with static password and delegable rights. This is a really high risk for a AD-domain but all could be solved with gMSA. So why don't you even think about to integrate it? I think that's grossly negligent.

Created on Feb 19, 2021 12:11:14 PM

Votes:

0

As convenient as PRTG is, security comes first. Unless PRTG supports gMSA by the end of this year, we will unfortunately have to say goodbye to the tool :(

Created on Apr 22, 2021 5:56:20 AM

Votes:

0

We are moving almost all of our back end access to GMSAs. Not having this feature is a dealbreaker.

Created on Sep 16, 2021 9:00:38 PM

Votes:

0

We're currently evaluating PRTG for us and our clients. Does Paessler have any plans to support group managed service accounts? If not, this is a deal breaker.

Created on Dec 13, 2021 2:20:16 AM

Votes:

0

Hello Justin,

Thank you for your message.

Regarding the GMSA, I'm afraid that I could not find any official request about it in the knowledge base and therefore it hasn't been reviewed by our product owners yet. Can you please open that request by following our guideline so I can push it internally.

Regards.

Created on Dec 15, 2021 2:29:46 PM by Florian Lesage [Paessler Support]

Votes:

0

Is there any update regarding Paessler adding gmsa support for all of PRTG?

Created on Aug 17, 2022 8:38:29 PM

Votes:

0

Hey, We currently cannot give you an update as it is under review.

Created on Aug 23, 2022 9:35:01 AM by Marijan Horsky [Paessler Support]

Votes:

0

Hi, it is 2023 already and I still don't see this feature available! Do you have any updates for us? Thank you

Created on Jan 24, 2023 11:02:19 AM

Votes:

0

Hey Krystian,
The checkup takes longer than expected due to other issue which had a higher prioritization. Therefore, we currently cannot provide you with updates.

Created on Jan 27, 2023 8:44:00 AM by Marijan Horsky [Paessler Support]

Votes:

2

For over 7 years now I have been hoping that someone from the PRTG product or development team would finally take a closer look at this very important issue. We are talking about supporting a very important security feature that Windows has been providing for more than 12 years to protect service accounts. We are not talking about a new PRTG feature or a new PRTG sensor. We are talking about protecting our administrative identities!

I believe that the great importance and benefits of the gMSA security feature was never really understood by the PRTG product or development team. By the way, if you search for "managed service account" and "gMSA" you will already find some requests to Paessler. But also the regular requests from different members in this discussion since 2016 should make clear that the topic has importance. I also don't really understand what the technical effort is in the implementation.

We use PRTG with several thousand sensors. However, PRTG is always under very skeptical observation in terms of possible security risks due to the lack of gMSA support.

So, how could we move forward on this point?

Created on Apr 13, 2023 4:58:03 PM

Votes:

1

I 100% agree with J8r We are in exactly the same boat. Running about 10K sensors, PRTG is on the worry list due to the lack of gMSA support.

Created on Apr 14, 2023 2:29:38 PM

Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.