A standalone Managed Service Account (sMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate the management to other administrators. This type of managed service account (MSA) was introduced in Windows Server 2008 R2 and Windows 7.
The group Managed Service Account (gMSA) provides the same functionality within the domain but also extends that functionality over multiple servers. When connecting to a service hosted on a server farm, such as a Network Load Balanced solution, the authentication protocols supporting mutual authentication require that all instances of the service use the same principal. When a gMSA is used as the service principal, the Windows operating system manages the password for the account instead of relying on the administrator to manage the password.
gMSAs provide a single identity solution for services running on a server farm, or on systems behind a Network Load Balancer. By providing a gMSA solution, services can be configured for the new gMSA principal and the password management is handled by Windows.
Using a gMSA, services or service administrators do not need to manage password synchronization between service instances. The gMSA supports hosts that are kept offline for an extended time period, and management of member hosts for all instances of a service. This means you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting.
Failover clusters do not support gMSAs. However, services that run on top of the Cluster service can use a gMSA or a sMSA if they are a Windows service, an App pool, a scheduled task, or natively support gMSA or sMSA.
A managed service account depends on the Kerberos encryption types that are supported. When a client computer authenticates to a server using Kerberos, the DC creates a Kerberos service ticket protected with an encryption type that both the DC and the server support. The DC uses the account's msDS-SupportedEncryptionTypes attribute to determine what encryption the server supports and, if the attribute is absent, it assumes the client computer does not support stronger encryption types. If the host is configured to not support RC4, authentication will then always fail. For this reason, AES should always be explicitly configured for MSAs.
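The following PowerShell is an added example, not code from the original page. It audits every MSA/gMSA in the domain for an unset or non-AES msDS-SupportedEncryptionTypes value, decodes the attribute's bitmask, and then explicitly sets AES on one account. It assumes the RSAT ActiveDirectory module is available and uses a constructed account name, svc_web; the bit values are the documented ones for the attribute.

```powershell
# Added example (not from the original page): audit and enforce Kerberos
# encryption types on managed service accounts. Assumes the ActiveDirectory
# module (RSAT) and a gMSA named "svc_web" (constructed name).
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes. From the DC's point of view an
# absent attribute is treated as "no stronger type than RC4".
$EncBits = [ordered]@{
    'DES_CBC_CRC' = 0x1
    'DES_CBC_MD5' = 0x2
    'RC4_HMAC'    = 0x4
    'AES128'      = 0x8
    'AES256'      = 0x10
}

function Get-EncTypeNames {
    param([int]$Value)
    $names = foreach ($k in $EncBits.Keys) { if ($Value -band $EncBits[$k]) { $k } }
    if (-not $names) { return @('<unset: RC4 assumed>') }
    return $names
}

# Report every managed account that is not AES-only (attribute unset, or any
# DES/RC4 bit still set, or no AES bit set).
Get-ADServiceAccount -Filter * -Properties 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $raw = $_.'msDS-SupportedEncryptionTypes'
        $val = if ($null -eq $raw) { 0 } else { [int]$raw }
        [pscustomobject]@{
            Name    = $_.Name
            Raw     = $val
            Types   = (Get-EncTypeNames $val) -join ','
            AesOnly = ($val -band 0x7) -eq 0 -and ($val -band 0x18) -ne 0
        }
    } | Where-Object { -not $_.AesOnly } | Format-Table -AutoSize

# Remediate one account: allow only AES (DES and RC4 bits are cleared).
Set-ADServiceAccount -Identity 'svc_web' -KerberosEncryptionType AES128, AES256

# Verify: the raw value should now be 24 (0x18 = AES128 | AES256).
(Get-ADServiceAccount -Identity 'svc_web' -Properties 'msDS-SupportedEncryptionTypes').'msDS-SupportedEncryptionTypes'
```

Run the audit from any domain-joined admin workstation with RSAT. The host that will run the service must itself still be allowed to use AES (its own attribute and Kerberos policy), otherwise restricting the account to AES moves the failure from the DC to the host.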
Managed Service Accounts were introduced in Windows Server 2008 R2 (object type msDS-ManagedServiceAccount). Their main limitation is that such an account can only be used on one server (they cannot be used in cluster and NLB services). Therefore, Windows Server 2012 introduced Group Managed Service Accounts/gMSA (type msDS-GroupManagedServiceAccount). gMSA accounts can be used simultaneously on multiple hosts.
You cannot use standard RunAs to verify that your services and scripts can run under the MSA service account. Use the PsExec tool instead (we previously showed you how to use psexec to run the command prompt on behalf of NT Authority\System).
Group Managed Service Accounts superseded MSAs, which were introduced in Windows 7 and Windows Server 2008 R2 (both no longer supported). Please use this updated link for more current information: -us/windows-server/security/group-managed-service-accounts/group-manage...
Note: Besides being a local administrator on the computer, the account installing the MSA needs to have permissions to modify the MSA in AD. If you are a domain admin this "just works"; otherwise, you would need to delegate modify permissions on the service account's AD object.
To be more precise, it's not that they don't have passwords, it's that they don't require you the administrator to know the password. The password is managed by Active Directory for you. That means not worrying about weak passwords or having to manually rotate them. Neat, right?
These are also just regular accounts in AD. They're special in that they're managed, but under the covers they're computer accounts, which inherit from user accounts. They walk and talk like principals in AD, so they have usernames, credentials, and service principal names.
This therefore means they can log in to Active Directory through Kerberos and NTLM. That makes them perfect for hosting services and tasks that require authenticating users or operating in authenticated sessions.
Well, it turns out it's partly super simple, and partly super complicated. The super simple part is that when you create a managed account you specify what other accounts are allowed to see the password.
Now you're looking at this kinda funny thinking waaaaaait a minute how does this bullsh*t work? Well remember, computers have machine accounts in AD. The computer logs in to AD, gets a Kerberos ticket to the DC asking for this attribute and does an ACL check.
This is incidentally how we can do things like group encryption with PFX files. Take the root key and append the group SID. Stand up a service in AD that accepts tickets, and if the requisite SID is in the PAC it'll provide the metadata to generate the same key and decrypt. Ish.
But back to managed accounts. The passwords are derived secrets computed from the root key and metadata. That metadata is basically accountKeyId + createdTime + interval. The interval and start time are critical. This allows the password to rotate regularly. Here's how it works.
So if we took out this derived key business, we could maybe make the PDC act as the password changer. It runs a scheduled task that goes through every managed account and rotates it regularly. Sure. Works well enough. Except then the PDC needs to replicate that out to everyone.
A service gets deployed to 2 machines with a load balancer splitting traffic between them. The service requires Kerberos, so an SPN is registered on... the computer? No, there's two of them. Okay spin up a service account. Ooooh, managed don't need to know the password, great.
So you spin up an MSA and install it on box one and register the SPN and then go to install it on box two and... womp womp. Can't. Okay, spin up a SECOND account and add...the...SPN.........dammit! And now we're back to regular accounts and passwords.
These days you can use managed accounts for all sorts of things: running services, scheduled tasks, IIS app pools, etc. You generally have to be running as SYSTEM since you're granting rights to the computer account, but they're easy once you get the hang of them.
Managed Service Accounts are a Windows feature introduced in Windows Server 2008 R2 for increasing the security of non-user service accounts. Managed Service Accounts, shortened as MSAs, have an automatically-managed, complex password that removes the requirement of manually dealing with password rotation and security. In Server 2012, this feature was enhanced to group Managed Service Accounts, or gMSAs, which allows the use of these accounts on multiple servers at once.
The advantage to Managed Service Accounts is being able to use an Active Directory user account for service-related tasks while easily keeping that account's password secure. Previously, the passwords for service accounts were handled in one of two ways: either configuring the account to have a password that never expires or manually rotating the password prior to its expiration. The first option is a security issue. If that password were ever leaked accidentally, it would be valid indefinitely. The second option has a significant administrative overhead. Keeping a task list of expiring passwords and going through the process of changing them and updating the related applications can be burdensome.
With MSAs and gMSAs, the password is managed by either the server using the account or by the AD DCs themselves. When configuring a service to use these accounts, no password is required. Instead, the password field is left blank, the system detects that it's an MSA or gMSA, and handles it appropriately. MSAs and gMSAs are supported for the following uses:
Since most scenarios require a service account to be used on multiple servers, we are going to focus on group Managed Service Accounts. You can still use these on just one server, but you have the option of using them on additional servers later if required. Since this is a well-documented process, we won't go into the specific steps here. Instead, here is an overview:
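As an added, worked example (not the page's own overview and not code from any of the quoted sources), here is the gMSA provisioning flow end to end in PowerShell: the KDS root key the derived passwords come from, a host group that is allowed to retrieve the password, the account itself with AES enforced and an explicit rotation interval, installation and testing on a farm member, and finally a scheduled task bound to the account with no password supplied. All names are constructed: domain CONTOSO/contoso.com, gMSA svc_web, group WebFarmHosts, hosts WEB01/WEB02, SPN HTTP/webfarm.contoso.com, and the script path C:\Jobs\Sync.ps1. It assumes the RSAT ActiveDirectory module and Windows Server 2012 or later.

```powershell
# Added example (not from the original page): provisioning a gMSA end to end.
# All names below are constructed for illustration.
Import-Module ActiveDirectory

# --- 1. On a DC, once per forest: create the KDS root key that gMSA passwords
#        are derived from. Without -EffectiveImmediately the key becomes usable
#        after about 10 hours, which gives AD replication time to converge.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately   # lab only; in production omit the switch and wait
}

# --- 2. Group the hosts that may retrieve the managed password. A group, rather
#        than a list of computers, lets a farm member be added later without
#        touching the account object.
New-ADGroup -Name 'WebFarmHosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'WebFarmHosts' -Members 'WEB01$', 'WEB02$'

# --- 3. Create the gMSA: AES only, 30-day rotation interval (settable only at
#        creation), and the farm's shared SPN so both hosts present one principal.
New-ADServiceAccount -Name 'svc_web' `
    -DNSHostName 'webfarm.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarmHosts' `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/webfarm.contoso.com'

# Review what AD recorded: who may read the password, the interval, SPNs, enc types.
Get-ADServiceAccount -Identity 'svc_web' -Properties PrincipalsAllowedToRetrieveManagedPassword,
    ManagedPasswordIntervalInDays, ServicePrincipalNames, 'msDS-SupportedEncryptionTypes'

# --- 4. On each farm host, after a reboot so the host's new group membership is
#        in its own Kerberos ticket: install the account and confirm the host can
#        actually fetch the password (Test-ADServiceAccount returns True).
Install-ADServiceAccount -Identity 'svc_web'
Test-ADServiceAccount -Identity 'svc_web'

# --- 5. Bind a workload to the account. No password is given anywhere: the host
#        retrieves it from AD at logon. Here, a scheduled task running as the gMSA.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File C:\Jobs\Sync.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svc_web$' -LogonType Password
Register-ScheduledTask -TaskName 'NightlySync' -Action $action -Trigger $trigger -Principal $principal
```

Steps 1 to 3 run on a domain controller or an admin workstation with RSAT; steps 4 and 5 run on each farm host as a local administrator. If Test-ADServiceAccount returns False, the usual causes are the host not yet holding the group membership in its ticket (reboot or purge tickets), the KDS root key not yet effective, or the host's own Kerberos settings not permitting AES.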
Overall, Managed Service Accounts provide numerous benefits and are fairly easy to set up. The next time you have to configure a service, scheduled task, or IIS Application to run with a user account, consider using an MSA instead. Note that even if you can run a service with an MSA or gMSA, not all applications will be fully supported. For example, SQL Server only supports gMSA in 2014 or later.
As we have discussed earlier: a standalone Managed Service Account (sMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate that management to other administrators.
A Managed Service Account is a Windows feature that was introduced in Windows Server 2008 to help non-user service accounts become more secure. Automatic password management, as well as simplified SPN management and the option to grant access to other administrators, can be provided through a managed service account.
A significant difference between a local service account and a managed service account is that standalone managed service accounts are intended to address the difficulties created by password management.
A gMSA (group Managed Service Account) is a form of managed service account (MSA) that provides a higher level of security than regular MSAs for automated and non-interactive applications, services, and processes that need credentials. A gMSA can run on a single server or on multiple servers.