When using web-tier authentication with Integrated Windows Authentication, can a group managed service account be used for the account that is used to determine the groups in which users reside?
ESRI documentation states that one should use an account with a password that does not expire, which is not allowable under my organization's security policy, with no exceptions. In fact, account expirations are barely over a month, which would make maintaining an ArcGIS Server a nightmare unless a group managed service account could be used. ESRI docs say that a group managed service account can be used for the service account that ArcGIS Server runs as, and they provide a tool for doing so, but they do not say so for Integrated Windows Authentication.
For those looking for the same answer for ArcGIS Server 10.8: I initiated an ESRI tech support call, and as of 6-26-2020 the answer was that they did not support usage of a group managed service account for the account used for Integrated Windows Authentication to query users and roles, which is a maintenance nightmare for organizations with strict password expiration policies. He said that the only alternative at this time is a SAML server, but that is not an option for us at this time due to our organization's security policies.
For those wondering why ENH-000129687 ([Enhancement] "Provide the ability to use Group Managed Services Account while setting up Integrated Windows Authentication in Portal for ArcGIS in ArcGIS Enterprise") is classified as "Will Not Be Addressed", the reason given is: "This feature would require significant research and development", despite the significant workload customers have in maintaining and keeping secure a password-based service account for this purpose (or the significant amount of $ that a GIS server license costs).