Configure gMSA Permissions for Secure SQL Monitoring in Site24x7

The Site24x7 App Monitoring Agent can be configured to monitor a Microsoft SQL Server instance. During setup via the Agent Manager command-line interface, the agent's Windows service logon account must have the appropriate domain credentials to authenticate against the remote SQL Server host.
This document details every permission and privilege required when a Group Managed Service Account (gMSA) is used as the service logon identity for the Site24x7 App Monitoring Agent.

What is a gMSA and why use it?

A Group Managed Service Account (gMSA) is a managed domain account in Active Directory that provides automatic password management, eliminating the need to manually rotate service account passwords. Using a gMSA for the Site24x7 agent service offers the following security benefits:
  1. Passwords are managed automatically by Active Directory (rotated every 30 days by default).
  2. The account cannot be used for interactive logon, reducing the attack surface.
  3. Access can be restricted to specific hosts in Active Directory.
  4. Auditing and privilege assignment are centrally managed via Group Policy.

Agent setup workflow

The following steps describe the setup flow as captured in the developer reference. Each step identifies where the service account credential is required.
  1. Open Agent Manager: Right-click the Site24x7 Agent Tray Icon and select Open Agent Manager. This launches the command-line management interface at:
    C:\Program Files (x86)\Site24x7\WinAgent\monitoring\bin\AgentManager.exe
  2. Run the add_instance command: Type sqlserver add_instance to initiate the remote SQL Server instance configuration wizard.
  3. Select SQL Server type: Choose option 2: Remote SQL — SQL Server installed in another machine.
  4. Select authentication type: Choose option 1: Windows Authentication. The agent uses the service logon account's domain credentials to authenticate.
  5. Change service logon user: When prompted "Do you need to change the service Log On user to a domain account with access to SQL Server instance? (Y/N)", enter Y and provide the gMSA credentials.
  6. Confirm instance details: Provide the Host Name and Instance Name (enter SQLSERVER for the default instance). The agent validates and adds the SQL Server Database Monitor.

Notes
To update the service account later (if required):
Use the command Update APPMonitoring User (case-sensitive) to change the service logon account at any time after initial setup.
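
After the logon account has been changed, the result can be checked from the agent host. The script below is an added example, not part of the Site24x7 documentation or tooling. It reads the service's logon account and the gMSA's rotation interval and host restrictions from Active Directory. It assumes the ActiveDirectory PowerShell module is installed; ServiceName and GmsaName are placeholders for values this page does not give.

```powershell
# Added example: read-only checks, run on the agent host.
# Assumes the ActiveDirectory module (RSAT) is available.
# Both parameters are placeholders; this page does not name the values.
param(
    [Parameter(Mandatory)] [string] $ServiceName,  # Windows service name of the agent
    [Parameter(Mandatory)] [string] $GmsaName      # gMSA name without the trailing '$'
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. The service must log on as the gMSA (DOMAIN\name$ or name$@domain),
#    not as an ordinary user account.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }
$pattern = '(^|\\)' + [regex]::Escape($GmsaName) + '\$(@|$)'
$runsAsGmsa = $svc.StartName -match $pattern

# 2. The account must really be a gMSA; AD also reports its rotation interval.
$gmsa = Get-ADServiceAccount -Identity $GmsaName -Properties `
    PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays
$isGmsa = $gmsa.ObjectClass -eq 'msDS-GroupManagedServiceAccount'

# 3. Who may retrieve the managed password. This should be only the
#    monitoring host(s), or a group that contains just them.
$principals = $gmsa.PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object { (Get-ADObject -Identity $_).Name }

# 4. Confirm that this host can actually retrieve and use the password.
$hostCanUse = Test-ADServiceAccount -Identity $GmsaName

# Summary object; any False value or unexpected principal needs review.
[pscustomobject]@{
    Service            = $svc.Name
    LogonAccount       = $svc.StartName
    RunsAsGmsa         = $runsAsGmsa
    IsGmsa             = $isGmsa
    RotationDays       = $gmsa.ManagedPasswordIntervalInDays
    AllowedPrincipals  = $principals -join '; '
    HostCanRetrievePwd = $hostCanUse
}
```

A broad entry in AllowedPrincipals, such as a group containing all domain computers, undoes the host restriction described above and should be narrowed to the monitoring hosts.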