c# .net-6.0 visual-studio-2022 psexec gmsa

How to debug a Visual Studio 2022 console application running as a service using a gMSA


I am building a .NET 6 application in C# using Visual Studio 2022. The application has a worker service that runs a console application. A Group Managed Service Account (gMSA) has been created for me and I can successfully install the service (using PowerShell) under the gMSA credentials on my local PC as well as a staging server. The gMSA passes Active Directory credentials from the service context to my application and works correctly. However, I do not have a way to debug my application using the gMSA account on my local PC.

Using a container or Azure is not an option and because this is a console application, an IIS-based solution is not possible either. I initially thought I would use runas to log into Visual Studio 2022 as the gMSA, but learned that runas would not work with a gMSA and that the preferred method to log into an application as a gMSA would be to use PsExec (64-bit version).

I attempted to do this, but was only able to log in via a command prompt as "nt authority\system" using

C:\psexec\PSExec64.exe -s cmd.exe

When I would attempt to log into the gMSA using

C:\psexec\PSExec64.exe \\local_pc\c$ -i -u gMSA_username -p ~ cmd.exe

no error message was displayed, but also no Microsoft copyright message (which is what is displayed when the command is successful). This seems to suggest the command failed in a way that could not be reflected in an error message. (It is worth mentioning that I also tried using both commands to open up a PSExec pipe and then connect using a gMSA, but I could not get that process to work.)

Adding to this issue is that Visual Studio 2022 no longer offers the "Start external program" functionality under the Debug section of a project's properties. So even if I was able to run a command prompt under a gMSA, I do not know how I could use that knowledge to log into Visual Studio under the gMSA credentials.

I would like to know how to debug my console application running as a service in Visual Studio 2022 using a gMSA. I am willing to do this using PSExec or another method. Any assistance offered will be greatly appreciated.


Solution

  • There were a couple of issues I had to resolve to be able to debug my .NET 6 service running a console application in Visual Studio 2022 using a gMSA. Here is how I got this to work:

    • At some point while I was trying to resolve my issues, the gMSA membership for my development PC was removed by another person in my IT Department. As it was explained to me, another computer was added to the gMSA, but the PowerShell command that was used overwrote the existing gMSA membership, including my development PC (the command adding a new computer to the gMSA membership should have included my development PC and any other existing gMSA computer members). Once this was resolved, I could tackle other issues.

    • Because I could find no way to share the gMSA context directly within my development environment (Visual Studio has no means, to my understanding, of running as a system process, gMSA, or an impersonation of a gMSA) I decided to try to attach a debugger to the service while it was running. This did not work until I discovered an SO post on a bug in the Visual Studio Just-In-Time Debugger. Per this post I navigated to

      Computer\HKEY_CLASSES_ROOT\AppID\{E62A7A31-6025-408E-87F6-81AEB0DC9347}

      in my development PC's registry and changed the value of AppIDFlags from 0x28 to 0x8. This got the Just-In-Time Debugger working.

    • Once these issues were resolved I placed

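      #if DEBUG
      // Requires "using System.Diagnostics;" at the top of the file.
      // Prompts for a Just-In-Time debugger to attach to the service process (Debug builds only).
      Debugger.Launch();
      #endif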

      in the StartAsync method of my .NET 6 worker service (worker.cs) so that the debugger would function within the gMSA context. After publishing the code to the location on my development computer that corresponds to the executable path accessed by the service, I started the service and was prompted to attach the debugger. Upon doing so, I was able to debug under the gMSA context and access Active Directory via the gMSA in my Visual Studio 2022 development environment.
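
The first point of the answer above describes a membership update that replaced the gMSA's existing hosts. The following is an added example, not part of the original post, of appending a computer while keeping the current members. It assumes the ActiveDirectory PowerShell module and that the membership is held in the account's PrincipalsAllowedToRetrieveManagedPassword list; the function name `Add-GmsaPrincipal` and the host `NEWSERVER01` are hypothetical.

```powershell
# Added example; the function name and host name are placeholders, not from the post.
Import-Module ActiveDirectory

function Add-GmsaPrincipal {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $GmsaName,
        [Parameter(Mandatory)] [string[]] $ComputerName
    )

    # Read the principals currently allowed to retrieve the managed password.
    $gmsa = Get-ADServiceAccount -Identity $GmsaName `
                -Properties PrincipalsAllowedToRetrieveManagedPassword
    $current = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)

    # Resolve the new hosts to distinguished names so they compare with $current.
    $new = foreach ($name in $ComputerName) {
        (Get-ADComputer -Identity $name).DistinguishedName
    }

    # Merge old and new. Set-ADServiceAccount replaces the whole list,
    # so passing only the new host would drop every existing member.
    $merged = @($current + $new | Sort-Object -Unique)

    if ($PSCmdlet.ShouldProcess($GmsaName,
            "Set allowed principals to: $($merged -join '; ')")) {
        Set-ADServiceAccount -Identity $GmsaName `
            -PrincipalsAllowedToRetrieveManagedPassword $merged
    }

    # Return the resulting list for review or change-log capture.
    (Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword
    ).PrincipalsAllowedToRetrieveManagedPassword
}

# Preview the merged list first; rerun without -WhatIf to apply it.
Add-GmsaPrincipal -GmsaName 'gMSA_username' -ComputerName 'NEWSERVER01' -WhatIf
```

Comparing the returned list before and after the change shows whether any host, such as a development PC, was dropped.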