Managed Service Accounts (MSA): Installing a service

Written by Catalin Gheorghe · July 2nd, 2020

#TIPS #SERVICES

Recently, one of our users has asked us if it is possible to install, through Advanced Installer, a service under a Managed Service Account (MSA).

If you’re new to Advanced Installer, we recommend you take advantage of the 30-Day Full-Featured Free Trial (no credit card required).

Since it took quite a while to investigate all this, as I was not familiar with what Managed Service Accounts are, I decided to create this how-to, hoping that other users may find this useful.

A little explanation before we begin (you can probably skip this: if you were searching for this topic, you are most likely already familiar with what an MSA is):

The first question that came into my mind when I read that request was "What is a Service Account?".

What are Service Accounts and Managed Service Accounts?

A service account is a user account created to run a particular service or piece of software. For good security, a separate service account should be created for each service/application on your network.

As you can imagine, a significant drawback of this is password management.

For large networks this means a lot of service accounts, and managing all of them can become complicated. This is where Managed Service Accounts (MSAs) come to help.

One of the biggest advantages of an MSA is NO MORE PASSWORD MANAGEMENT. It uses a complex, random, 240-character password that changes automatically when it reaches the domain or computer password expiry date.

Standalone Managed Service Accounts (sMSAs) vs. Group Managed Service Accounts (gMSAs)

What is a standalone Managed Service Account (sMSA)?

As discussed above: a standalone Managed Service Account (sMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate its management to other administrators.

What is a group Managed Service Account (gMSA)?

The group Managed Service Account (gMSA) provides the same functionality within the domain but also extends that functionality over multiple servers.

For a more in-depth overview of this, please look at Microsoft's Group Managed Service Accounts Overview article.

How to create a Managed Service Account on Windows

Prerequisites:

  • Windows Server 2012 or above
  • Active Directory Domain Services (AD DS)

Important: This is all intended for test purposes, so please follow these steps on a test machine (e.g., a virtual machine).

You can create an MSA by using the Active Directory module for PowerShell.

To load the module, open PowerShell on your Windows Server machine and type the following:

Import-Module ActiveDirectory

The first thing we need to do is create a Key Distribution Service root key (KdsRootKey).

Domain Controllers (DCs) require a root key before they can start generating gMSA passwords. After the key is created, the domain controllers wait up to 10 hours, so that all domain controllers can converge their AD replication, before they allow a gMSA to be created.

Since this is only meant for test purposes, we will skip the 10-hour wait by back-dating the key's effective time. To do so, we can use the following:

Add-KdsRootKey -EffectiveTime ((get-date).addHours(-10))

Now we are pretty much ready to go. To create a new Managed Service Account, we can proceed as follows:

New-ADServiceAccount -Name TestMSA -Path "CN = Managed Service Accounts, DC=catalin, DC=test" -DNSHostName hostname.catalin.test

where:

  • hostname is the computer name
  • catalin.test is the domain of my Domain Controller

After creating the MSA, we specify which computer is allowed to request and retrieve its password. To do so, we can proceed as follows:

Set-ADServiceAccount -Identity TestMSA -PrincipalsAllowedToRetrieveManagedPassword WIN-N8MH1OCCOTD$

where:

  • WIN-N8MH1OCCOTD is the computer name (the trailing $ denotes the computer account)

We can now test the managed service account. To do so, proceed as follows:

Test-ADServiceAccount -Identity TestMSA | Format-List

The above should return True. If so, it is now time to install our Managed Service Account:

Install-ADServiceAccount -Identity TestMSA

After doing so, we can retrieve our managed service account by running the following:

Get-ADServiceAccount -Filter *

This will return our MSA.

You can also check for the account from within the UI, by opening "dsa.msc" --> your Domain Controller --> "Managed Service Accounts":

(Screenshot: the "Managed Service Accounts" container in Active Directory Users and Computers)

All of the above commands together:

Import-Module ActiveDirectory

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

New-ADServiceAccount -Name TestMSA -Path "CN = Managed Service Accounts, DC=catalin, DC=test" -DNSHostName hostname.catalin.test

Set-ADServiceAccount -Identity TestMSA -PrincipalsAllowedToRetrieveManagedPassword WIN-N8MH1OCCOTD$

Test-ADServiceAccount -Identity TestMSA | Format-List

Install-ADServiceAccount -Identity TestMSA

Get-ADServiceAccount -Filter *

(Screenshot: the PowerShell session running the commands above)
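The commands above create the account; the script below, added here as an example and not part of the original post, verifies the result from a defender's point of view: it checks that a KDS root key exists, that the account really is a managed service account, that only the intended computer can retrieve its password, that Test-ADServiceAccount passes on the current host, and finally lists every MSA in the domain together with the principals allowed to read its password, flagging broad groups. It reuses the names from the post (TestMSA, WIN-N8MH1OCCOTD); everything else is an assumption you should adjust to your lab.

```powershell
# Added example (not from the original post): verify the MSA setup end to end
# and audit which principals may retrieve the managed password.
# Assumes the ActiveDirectory module is installed and the names used in the post.
Import-Module ActiveDirectory

$AccountName = 'TestMSA'          # account created in the post
$AllowedHost = 'WIN-N8MH1OCCOTD'  # computer granted password retrieval in the post

# 1. A KDS root key must exist before any gMSA password can be generated.
$rootKeys = @(Get-KdsRootKey)
if ($rootKeys.Count -eq 0) {
    throw 'No KDS root key found. Run Add-KdsRootKey first (see the post).'
}
foreach ($k in $rootKeys) {
    'KDS root key {0} effective from {1}' -f $k.KeyId, $k.EffectiveTime
}

# 2. Confirm the account exists and is a managed service account, not a plain user.
$msa = Get-ADServiceAccount -Identity $AccountName -Properties PrincipalsAllowedToRetrieveManagedPassword, DNSHostName
'ObjectClass: {0} (msDS-GroupManagedServiceAccount = gMSA, msDS-ManagedServiceAccount = sMSA)' -f $msa.ObjectClass

# 3. Least-privilege check: only the intended host should be able to read the password.
$allowed = @($msa.PrincipalsAllowedToRetrieveManagedPassword)
if ($allowed.Count -eq 0) {
    Write-Warning 'No principal may retrieve the password; a service using this account cannot start.'
}
$expectedDn = (Get-ADComputer -Identity $AllowedHost).DistinguishedName
foreach ($dn in $allowed) {
    $verdict = if ($dn -eq $expectedDn) { 'expected' } else { 'REVIEW: unexpected principal' }
    '{0}  -> {1}' -f $dn, $verdict
}

# 4. Test-ADServiceAccount returns $true only on a host that is allowed to
#    retrieve the password and on which the account has been installed.
if (Test-ADServiceAccount -Identity $AccountName) {
    'Managed password is retrievable on this host.'
} else {
    Write-Warning 'Test-ADServiceAccount returned False on this host.'
}

# 5. Domain-wide audit: list every MSA and its allowed principals, flagging groups
#    that would let far more machines than necessary read the password.
$broadGroups = 'Domain Computers', 'Authenticated Users', 'Everyone'
Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
    ForEach-Object {
        $names = foreach ($p in @($_.PrincipalsAllowedToRetrieveManagedPassword)) {
            (Get-ADObject -Identity $p).Name
        }
        [pscustomobject]@{
            Account    = $_.SamAccountName
            Principals = ($names -join ', ')
            Broad      = [bool]($names | Where-Object { $broadGroups -contains $_ })
        }
    } | Format-Table -AutoSize
```

Steps 1 to 3 and 5 are meant to run on the Domain Controller (or any host with the RSAT AD module); step 4 only gives a meaningful answer on the member computer that will run the service. The "Broad" column is the thing to watch in the audit: granting password retrieval to a large group defeats the point of scoping the account to one host.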

Now, to install a service under the MSA, we need to do two things:

  • provide the "username", which has the form Domain\ManagedServiceAccount$ (the short domain name, then the account name with a trailing $). Based on the sample above, the username is: catalin\TestMSA$
  • provide NO password

Basically, in Advanced Installer, on the "Services" page, you specify the account under which the service will run.

(Screenshot: the Services page in Advanced Installer)

Last, but not least: the account must have enough privileges to start and run services.
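For readers who register the service by script rather than through the Advanced Installer UI, here is the same "username with no password" rule applied with PowerShell. This is an added example, not code from the post or from Advanced Installer; the service name, display name and binary path are assumptions, while the account name catalin\TestMSA$ is the one from the post.

```powershell
# Added example (not from the original post): register a Windows service that
# runs under the MSA, using the DOMAIN\Account$ username and an empty password.
$ServiceName = 'TestMsaService'                        # assumed service name
$BinaryPath  = 'C:\Program Files\TestApp\TestApp.exe'  # assumed path; must exist
$Account     = 'catalin\TestMSA$'                      # username format from the post

if (-not (Test-Path -LiteralPath $BinaryPath)) {
    throw "Service binary not found: $BinaryPath"
}

# An MSA has no user-supplied password, so the credential carries an empty SecureString.
$emptyPassword = New-Object System.Security.SecureString
$cred = New-Object System.Management.Automation.PSCredential ($Account, $emptyPassword)

New-Service -Name $ServiceName `
            -DisplayName 'Test MSA Service' `
            -BinaryPathName "`"$BinaryPath`"" `
            -StartupType Automatic `
            -Credential $cred | Out-Null

# Verify that the Service Control Manager recorded the MSA as the logon account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
'Service {0} is configured to run as {1}' -f $svc.Name, $svc.StartName

# Try to start it. A logon failure here usually means this host is not in
# PrincipalsAllowedToRetrieveManagedPassword, Install-ADServiceAccount was not run
# here, or the account lacks the "Log on as a service" right.
try {
    Start-Service -Name $ServiceName -ErrorAction Stop
    'Service status: {0}' -f (Get-Service -Name $ServiceName).Status
} catch {
    Write-Warning ("Service failed to start: " + $_.Exception.Message)
}
```

One caveat on the "enough privileges" point: when you pick the account in the Services snap-in, Windows grants it the "Log on as a service" right for you; New-Service and sc.exe do not, so on scripted installs assign that right through Local Security Policy or Group Policy (User Rights Assignment) before starting the service.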

Managed Service Account: FAQ

What is a managed service account?

A Managed Service Account is a Windows feature that was introduced in Windows Server 2008 to help non-user service accounts become more secure. Automatic password management, as well as simplified SPN management and the option to grant access to other administrators, can be provided through a managed service account.

What is the difference between a service account and a managed service account?

A significant difference between a local service account and a managed service account is that standalone managed service accounts are intended to address the difficulties created by password management.

What is a standalone managed service account?

A standalone Managed Service Account (sMSA) is a managed domain account that one can utilize in order to secure a service running on a server.

What is gMSA?

A gMSA (group Managed Service Account) is a form of managed service account (MSA) that provides a higher level of security than regular MSAs for automated and non-interactive applications, services, and processes that need credentials. A gMSA can be used on a single server or on multiple servers.

What is the difference between MSA and gMSA?

The group Managed Service Account (gMSA) delivers the same functionality as the MSA within the domain, but it also extends it over several servers.

What is a service account in Windows?

A service account is a user account established specifically to provide a security context for services running on Windows Server operating systems, and thereby to control the service's ability to access local and network resources.
