gMSA and the Administrators group
You can try granting the gMSA some permissions, such as:
Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Log on as a service
Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Log on as a batch job
through the Local Policy Editor. If you look at these groups you'll see that the Administrators group is already included in them, while the Users group (a gMSA is an ordinary account) is not. So if you include the gMSA in these local groups, that account will get permission to run as a service (Service Fabric itself appears to run as a service).
Config for certificate (portal login) + gMSA (server):
{
"name": "yosfcl",
"clusterConfigurationVersion": "1.0.1",
"apiVersion": "10-2017",
"nodes": [
{
"NodeName": "yv1-sf",
"NodeTypeRef": "NodeType0",
"IPAddress": "yv1-sf",
"FaultDomain": "fd:/dc1/r1",
"UpgradeDomain": "UD1"
},
{
"NodeName": "yv2-sf",
"NodeTypeRef": "NodeType0",
"IPAddress": "yv2-sf",
"FaultDomain": "fd:/dc1/r2",
"UpgradeDomain": "UD2"
},
{
"NodeName": "yv3-sf",
"NodeTypeRef": "NodeType0",
"IPAddress": "yv3-sf",
"FaultDomain": "fd:/dc1/r3",
"UpgradeDomain": "UD3"
}
],
"properties": {
"diagnosticsStore":
{
"metadata": "Please replace the diagnostics file share with an actual file share accessible from all cluster machines. For example, \\\\machine1\\DiagnosticsStore.",
"dataDeletionAgeInDays": "21",
"storeType": "FileShare",
"connectionstring": "c:\\ProgramData\\SF\\DiagnosticsStore"
}, "reverseProxyCertificate": {
"thumbprint": "[parameters('76************************8A2')]",
"x509StoreName": "[parameters('My')]"
},
"security": {
"ClusterCredentialType": "Windows",
"ServerCredentialType": "X509",
"WindowsIdentities": {
"ClustergMSAIdentity": "gmsaSF@domain.lan",
"ClusterSPN": "http/yosfcl.domain.lan",
"ClientIdentities": [
{
"Identity": "domain\\my.name",
"IsAdmin": true
}
]
},
"CertificateInformation": {
"ServerCertificate": {
"Thumbprint": "76***********************************8A2",
"X509StoreName": "My"
},
"ReverseProxyCertificate": {
"Thumbprint": "76*************************************48A2",
"X509StoreName": "My"
},
"ClientCertificateThumbprints": [
{
"CertificateThumbprint": "94***********************************2D",
"IsAdmin": true
}
]
}
},
"nodeTypes": [
{
"name": "NodeType0",
"clientConnectionEndpointPort": "19000",
"clusterConnectionEndpointPort": "19001",
"leaseDriverEndpointPort": "19002",
"serviceConnectionEndpointPort": "19003",
"httpGatewayEndpointPort": "19080",
"reverseProxyEndpointPort": "19081",
"applicationPorts": {
"startPort": "20001",
"endPort": "20500"
},
"ephemeralPorts": {
"startPort": "20501",
"endPort": "20700"
},
"isPrimary": true
}
],
"fabricSettings": [
{
"name": "Setup",
"parameters": [
{
"name": "FabricDataRoot",
"value": "D:\\SF"
},
{
"name": "FabricLogRoot",
"value": "D:\\SF\\Logs"
}
]
}, {
"name": "ApplicationGateway/Http",
"parameters": [
{
"name": "SecureOnlyMode",
"value": true
},
{
"name": "ApplicationCertificateValidationPolicy",
"value": "None"
}
]
}
]
} }