Catalin

Install a service under a Managed Service Account (Windows Server)

Hello guys,

Prerequisites:
  • Windows Server 2012 or above
  • Active Directory Domain Services (AD DS)

Recently, one of our users asked us whether it is possible to install, through Advanced Installer, a service under a Managed Service Account (MSA).

Since it took quite a while to investigate all this, as I was not familiar with what a Managed Service Account is, I decided to create this how-to, hoping that other users may also find this useful.

A little explanation before we begin (feel free to skip it; if you searched for this topic, you are probably already familiar with what an MSA is):

The first question that came into my mind when I read that request was "What is a Service Account?".

A service account is a user account that is created to run a particular service or software. In order to have good security, a service account should be created for each service/application that is on your network.

As you can imagine, a big drawback to this is password management.

On large networks this means a lot of service accounts, and managing them can become difficult; this is where Managed Service Accounts can help.

One of the biggest advantages of an MSA is:
  • No more password management. It uses a complex, random, 240-character password and changes it automatically when the domain or computer password expiration date is reached.

standalone Managed Service Account (sMSA) vs group Managed Service Account (gMSA)

sMSA:

As we have discussed earlier: a standalone Managed Service Account (sMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management and the ability to delegate the management to other administrators.

gMSA:

The group Managed Service Account (gMSA) provides the same functionality within the domain but also extends that functionality over multiple servers.

For a more in-depth overview, please have a look at Microsoft's Group Managed Service Accounts Overview article.

How to create an MSA:

Important: This is all intended for test purposes, therefore please follow these steps on a test machine (e.g. Virtual Machine).

An MSA can be created by using the Active Directory module for PowerShell. To load it, open PowerShell on your Windows Server machine and type the following:

Code:

Import-Module ActiveDirectory

The first thing we need to do is to create a Key Distribution Service Root Key (KdsRootKey).

Domain Controllers (DC) require a root key to begin generating gMSA passwords. The domain controllers will wait up to 10 hours from time of creation to allow all domain controllers to converge their AD replication before allowing the creation of a gMSA.

Since this is only meant for test purposes, we will bypass the 10-hour wait by backdating the key's effective time. To do so, we can use the following:

Code:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Now we are pretty much ready to go. To create a new Managed Service Account, proceed as follows:

Code:

New-ADServiceAccount -Name TestMSA -Path "CN=Managed Service Accounts,DC=catalin,DC=test" -DNSHostName hostname.catalin.test

where:
  • hostname stands for the computer name
  • catalin.test is my Domain Controller

After creating the MSA, we will now specify which computer can request and access the password. To do so, we can proceed as follows:

Code:

Set-ADServiceAccount -Identity TestMSA -PrincipalsAllowedToRetrieveManagedPassword WIN-N8MH1OCCOTD$

where:
  • WIN-N8MH1OCCOTD is the computer name (note the trailing $ in the command)

We can now test the managed service account. To do so, please proceed as follows:

Code:

Test-ADServiceAccount -Identity TestMSA | Format-List

The above should return True. If so, it is now time to install our Managed Service Account:

Code:

Install-ADServiceAccount -Identity TestMSA

After doing so, we can retrieve our managed service account by running the following:

Code:

Get-ADServiceAccount -Filter *

This will return our MSA.

You can also check for the service account from within the UI, by opening "dsa.msc" --> your Domain Controller --> "Managed Service Accounts":

[Image: MSA.png]

You can find all the above code below:

Code:

Import-Module ActiveDirectory

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

New-ADServiceAccount -Name TestMSA -Path "CN=Managed Service Accounts,DC=catalin,DC=test" -DNSHostName hostname.catalin.test

Set-ADServiceAccount -Identity TestMSA -PrincipalsAllowedToRetrieveManagedPassword WIN-N8MH1OCCOTD$

Test-ADServiceAccount -Identity TestMSA | Format-List

Install-ADServiceAccount -Identity TestMSA

Get-ADServiceAccount -Filter *

[Image: TestMSA.png]

Now, in order to install a service under the MSA, we will need to do two things:
  • provide the "username", which has the form DomainController\ManagedServiceAccount$ (based on the above sample, the username will be catalin\TestMSA$)
  • provide NO password

Basically, in Advanced Installer, on the "Services" page, you will need to specify the account under which the service will run.

[Image: ServicesPage.png]

Last, but not least: the account must have sufficient privileges to start and run as a service.
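The creation steps above and the "username with no password" rule for the service, collected into one check-then-configure script. This is an added example, not the author's or Advanced Installer's code: it assumes the TestMSA account and catalin domain from this post, a hypothetical service name MyAppService already installed on the member server, and Windows PowerShell 5.1 run elevated on that server.

```powershell
# Added example (not from the original post): verify that the MSA is usable from
# this host, then point an existing service at it without supplying a password.
# Assumptions: TestMSA in the catalin.test domain (as in the post); $ServiceName
# is a placeholder for a service that is already installed on this machine.
Import-Module ActiveDirectory

$MsaName     = 'TestMSA'
$StartName   = 'catalin\TestMSA$'      # Domain\Account$ - the "username" from the post
$ServiceName = 'MyAppService'          # placeholder, replace with the real service name

# 1. The KDS root key must exist and already be effective, otherwise the DCs
#    cannot generate (and the host cannot retrieve) the managed password.
$key = Get-KdsRootKey | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $key) { throw 'No effective KDS root key; run Add-KdsRootKey first.' }

# 2. This computer must be listed in PrincipalsAllowedToRetrieveManagedPassword
#    (the Set-ADServiceAccount step), or Test-ADServiceAccount returns False here.
$msa = Get-ADServiceAccount -Identity $MsaName -Properties PrincipalsAllowedToRetrieveManagedPassword
$me  = Get-ADComputer -Identity $env:COMPUTERNAME
if (@($msa.PrincipalsAllowedToRetrieveManagedPassword) -notcontains $me.DistinguishedName) {
    throw "$env:COMPUTERNAME may not retrieve the password of $MsaName (fix with Set-ADServiceAccount)."
}

# 3. Confirm the host can actually fetch the password and log the account on.
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "Test-ADServiceAccount failed for $MsaName on $env:COMPUTERNAME."
}

# 4. Point the service at the MSA. Windows PowerShell's Set-Service has no
#    credential parameter, so use the Win32_Service.Change method: StartName is
#    Domain\Account$ and StartPassword is empty, because the host retrieves the
#    managed password itself. Requires an elevated session.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName is not installed on this host." }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $StartName
    StartPassword = ''
}
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($result.ReturnValue)." }

# 5. Read the configuration back and restart so the new identity takes effect.
#    If the start fails with a logon error, grant the MSA the "Log on as a
#    service" right on this host (the services snap-in does this automatically,
#    the Change method does not).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
"{0} now runs as {1}" -f $svc.Name, $svc.StartName
Restart-Service -Name $ServiceName
```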

Hope this helps.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team